EUVD-2024-2636
Malicious code in bioql PyPI...
CVE-2025-32802
Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions...
CVE-2025-32801
Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through...
CVE-2025-32802 Insecure handling of file paths allows multiple local attacks
Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions...
New Self-Spreading Malware Infects Docker Containers to Mine Dero Cryptocurrency
Misconfigured Docker API instances have become the target of a new malware campaign that transforms them into a cryptocurrency mining botnet. The attacks, designed to mine Dero currency, are notable for their worm-like ability to propagate the malware to other exposed Docker instances and...
CVE-2024-33309
An issue in TVS Motor Company Limited TVS Connet Android v.4.5.1 and iOS v.5.0.0 allows a remote attacker to obtain sensitive information via an insecure API endpoint. NOTE: this is disputed as discussed in the msn-official/CVE-Evidence repository...
InvokeAI 5.0 Code Injection
InvokeAI version 5.0 suffers from a remote code execution vulnerability. Title: InvokeAI v5.0 PHP Code Injection Vulnerability | Author: indoushka | ...
AI Security is API Security: What CISOs and CIOs Need to Know
Just when CIOs and CISOs thought they were getting a grip on API security, AI came along and shook things up. In the past few years, a huge number of organizations have adopted AI, realizing innumerable productivity, operational, and efficiency benefits. However, they’re also having to deal with...
Mars: Customer Data Exposure via Insecure Endpoint of coupon
A security vulnerability was identified in the Royal Canin Greece website. An insecure API endpoint was exposed that allowed unauthorized access to customer information without requiring authentication. The endpoint related to coupon functionality and revealed sensitive customer data, including...
TVS Motor Connect Mobile Application Security Vulnerability
TVS Motor Connect Mobile Application is an application by TVS Motor India to experience the products and services of TVS Motor Company. A security vulnerability exists in TVS Motor Connect Mobile Application Android v.4.5.1 and iOS v.5.0.0, which stems from a vulnerability that allows a remote...
Rockwell Automation Enhanced HIM Cross-Site Request Forgery Vulnerability
The Rockwell Automation Enhanced HIM is an advanced human interface module from Rockwell Automation. It is a device used to interact with Rockwell Automation control systems, providing a more intuitive and convenient interface for operation and monitoring. A cross-site request forgery vulnerabili...
SUSE CVE-2019-3682
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node...
CVE-2022-25901
A Regular Expression Denial of Service (ReDoS) vulnerability was found in cookiejar via the Cookie.parse function and other aspects of the API, which uses an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passe...
usememos/memos makes Incorrect Use of Privileged APIs
In usememos/memos 0.9.0 and prior, a user with login permission can delete all notes of the whole application via API DELETE https://demo.usememos.com/api/memo/$idnote. Exploiting the vulnerability destroys all users' notes data throughout the system, causing damage to user data...
CVE-2022-44016
An issue was discovered in Simmeth Lieferantenmanager before 5.6. An attacker can download arbitrary files from the web server by abusing an API call: /DS/LMAPI/api/ConfigurationService/GetImages with an '"ImagesPath":"C:\"' value...
Design/Logic Flaw
In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold user credentials to an arbitrary host...
CVE-2021-39888
In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates...