@medusajs/inventory (>=1.1.0-20230320210331 <=1.1.0-snapshot-20230320172940), @medusajs/medusa-oas-cli (>=0.2.0-20230320210331 <=2.11.4-preview-20251124000311) +2 more potentially affected by unknown CVE via @medusajs/medusa (>=2.0.0-next-20230310121604 <=2.11.4-preview-20251124000311)
@medusajs/medusa NPM version =2.0.0-next-20230310121604, =1.1.0-20230320210331, =0.2.0-20230320210331, =0.0.6, =0.0.2, =0.0.4 Source cves: unknown CVE Source advisory: SNYK:JS-MEDUSAJSMEDUSA-14137960...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to improper access control to OpenAPI. An attacker can retrieve sensitive OpenAPI YAML files by sending a specially crafted URL. Remediation Upgrade com.liferay:com.liferay.portal.security.auth.verifier to...
EUVD-2025-35684
Liferay Portal 7.4.0 through 7.4.3.109, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions do not properly restrict access to OpenAPI in certain circumstances, which allows remote attackers...
Liferay Portal and Liferay DXP security vulnerability
Liferay Portal and Liferay DXP are both products of Liferay, Inc. Liferay Portal is a J2EE-based portal solution. The solution uses technologies such as EJB, JMS and others, and can be used as a web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...
CVE-2025-11581
PowerJob (up to version 5.1.2) contains a security vulnerability in the OpenAPIController’s /openApi/runJob endpoint. The issue is due to missing authorization in that code path, allowing a remote attacker to manipulate the request without authentication. Multiple connected sources (NVD, Red Hat ...
EUVD-2018-0659
Malware in sbrugna...
EUVD-2023-32396
Malicious code in bioql PyPI...
OpenAPI Documentation for Spin Apps with Rust
Learn how to create, customize, and serve OpenAPI Documentation from within Spin apps written in Rust...
CVE-2023-23619
Modelina is a library for generating data models based on inputs such as AsyncAPI, OpenAPI, or JSON Schema documents. Versions prior to 1.0.0 are vulnerable to Code injection. This issue affects anyone who is using the default presets and/or does not handle the functionality themself. This issue...
CVE-2023-23857
Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services...
DRUPAL-CONTRIB-2025-025
This module can be used to render OpenAPI documentation using the RapiDoc library. The module provides a custom formatter for link fields. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting (XSS) vulnerability. A separate fix for Drupal cor...
Nozomi Networks Guardian/CMC security vulnerability
Nozomi Networks Guardian/CMC is a centralized management console from Nozomi Networks, USA. A security vulnerability exists in Nozomi Networks Guardian/CMC versions prior to v23.4.1 that stems from an audit log of an OpenAPI request that may contain sensitive information, which could lead to...
PT-2024-5072 · Nozomi · Nozomi Central Management Console +1
Name of the Vulnerable Software and Affected Versions: Nozomi Guardian and Nozomi Central Management Console (CMC), affected versions not specified; OpenAPI, affected versions not specified. Description: The issue is related to insufficient protection of audit records for OpenAPI requests, which may...
PT-2023-23343 · Steelseries · Steelseries Gg
Name of the Vulnerable Software and Affected Versions: SteelSeries GG version 36.0.0. Description: The issue allows attackers to exploit an open API listener to create a sub-application that will be executed automatically from a controlled location, due to a path traversal vulnerability...
CVE-2023-20136
A vulnerability in the OpenAPI of Cisco Secure Workload could allow an authenticated, remote attacker with the privileges of a read-only user to execute operations that should require Administrator privileges. The attacker would need valid user credentials. This vulnerability is due to improper...
Design/Logic Flaw
In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and...
CVE-2023-28761 Missing Authentication check in SAP NetWeaver Enterprise Portal
In SAP NetWeaver Enterprise Portal - version 7.50, an unauthenticated attacker can attach to an open interface and make use of an open API to access a service which will enable them to access or modify server settings and data, leading to limited impact on confidentiality and integrity...
IBAX go-ibax SQL injection vulnerability
IBAX go-ibax is a blockchain system platform from IBAX Corporation. IBAX go-ibax suffers from a SQL injection vulnerability that stems from unknown functionality in the file /api/v2/open/tablesInfo, where manipulation of the callbacks parameter leads to SQL injection...
Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to spoofing attacks and clickjacking due to swagger-ui (CVE-2018-25031, CVE-2021-46708)
Summary There are multiple vulnerabilities in the swagger-ui library used by Liberty for Java for IBM Cloud with mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0, mpOpenAPI-3.0, openapi-3.0 or the openapi-3.1 feature enabled. These vulnerabilities could allow spoofing attacks or clickjacking...
7Rapid Questions: Stephen Donnelly
At Rapid7, there's no shortage of passionate leaders looking to challenge convention and make an impact. Our "7Rapid Questions" series is a way to highlight some of the amazing work taking place behind the scenes, and the exciting growth opportunities available in our global offices. For this...