Cvelist
added 2026/03/06 4:07 a.m., 23 views

CVE-2026-25888 Chartbrew: Remote Code Execution (RCE) via Vulnerable API

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1...

CVSS 8.8, EPSS 0.00429
Exploits 1, References 2
Positive Technologies
added 2026/03/06 12:00 a.m., 3 views

PT-2026-23786

Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.0.13. Description: Flowise incorrectly trusts HTTP clients that set the header x-request-from: internal, bypassing authorization checks for all /api/v1/ endpoints. This allows an authenticated tenant session to invoke...

CVSS 8.8, AI score 5.8, EPSS 0.00133
Exploits 1, References 13
CNNVD
added 2026/03/06 12:00 a.m., 2 views

Zabbix security vulnerability

Zabbix is a set of open-source monitoring systems developed by Zabbix Inc. This system supports network monitoring, server monitoring, cloud monitoring, and application monitoring. Zabbix has security vulnerabilities; these vulnerabilities stem from authenticated users with template/host write...

CVSS 5.1, AI score 5.8, EPSS 0.00016
Exploits 0, References 1
Positive Technologies
added 2026/03/06 12:00 a.m., 1 view

PT-2026-23761

The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the winston disconnect function in all versions up to, and including, 0.0.3. This makes it possible for authenticated...

CVSS 4.3, AI score 5.8, EPSS 0.00015
Exploits 0, References 7
CNNVD
added 2026/03/06 12:00 a.m., 3 views

chartbrew code injection vulnerability

Chartbrew is an open-source data visualization and dashboard building tool developed by Chartbrew. Versions of Chartbrew prior to 4.8.1 contained a code injection vulnerability. The vulnerability stemmed from a faulty API that allowed remote code execution...

CVSS 8.8, AI score 6.2, EPSS 0.00429
Exploits 1, References 2
CNNVD
added 2026/03/06 12:00 a.m., 5 views

Gokapi access control error vulnerability

Gokapi is a lightweight, self-hosted alternative to Firefox Send by Marc Bulling. Versions of Gokapi prior to 2.2.3 contained an access control vulnerability. This vulnerability stemmed from the ability of users without the permission to create or modify files to create temporary API keys with...

CVSS 5, AI score 7.3, EPSS 0.00009
Exploits 0, References 3
Github Security Blog
added 2026/03/05 6:57 p.m., 4 views

Gokapi has privilege escalation with auth token

Impact: A registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If you do not have any other users with access to the admin/upload menu, you are not impacted. Patches: ...

CVSS 5, AI score 6, EPSS 0.00009
Exploits 0, References 4, Affected Software 1
OSV
added 2026/03/05 6:49 p.m., 2 views

CVE-2026-26196 Gogs: Access tokens get exposed through URL params in API requests

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, the Gogs API still accepts tokens in URL params like token and accesstoken, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2...

CVSS 6.9, AI score 5.8, EPSS 0.00045
Exploits 0, References 6
Fedora
added 2026/03/05 1:13 a.m., 3 views

[SECURITY] Fedora 42 Update: coturn-4.9.0-1.fc42

The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying...

CVSS 7.2, AI score 5.9, EPSS 0.00053
Exploits 1
Positive Technologies
added 2026/03/05 12:00 a.m., 3 views

PT-2026-23446

Name of the Vulnerable Software and Affected Versions: Octopus Server, affected versions not specified. Description: An issue existed in Octopus Server where a new API key could be created from an existing access token. This allowed the new API key to have a longer lifetime than the original access...

CVSS 4.3, AI score 5.8, EPSS 0.00042
Exploits 0, References 8
Positive Technologies
added 2026/03/05 12:00 a.m., 2 views

PT-2026-23604

Name of the Vulnerable Software and Affected Versions: Gokapi versions prior to 2.2.3. Description: Gokapi is a self-hosted file sharing server that supports automatic expiration and encryption. A registered user lacking the necessary permissions to create or modify file requests can generate a...

CVSS 9.9, AI score 6, EPSS 0.07313
Exploits 68, References 139
CVE
added 2026/03/04 9:32 p.m., 10 views

CVE-2026-27801

Vaultwarden (unofficial Bitwarden server) is affected by CVE-2026-27801 where versions 1.34.3 and earlier permit a 2FA bypass on protected actions due to faulty rate-limit enforcement. An authenticated attacker can perform protected actions (e.g., access a user’s API key or delete vaults and orga...

CVSS 6, AI score 5.9, EPSS 0.00014
Exploits 1, References 1, Affected Software 1
ATTACKERKB
added 2026/03/04 3:30 p.m., 3 views

CVE-2025-59785

Improper validation of an API endpoint in 2N Access Commander version 3.4.2 and prior allows an attacker to bypass the password policy for backup file encryption. This vulnerability can only be exploited after authenticating with administrator privileges...

CVSS 5.3, AI score 5.9, EPSS 0.00055
Exploits 0, References 2
CVE
added 2026/03/04 3:19 p.m., 3 views

CVE-2025-59783

CVE-2025-59783 affects the API endpoint for user synchronization in 2N Access Commander 3.4.1. The root cause is insufficient input validation, enabling an OS command injection. Exploitation requires authentication with administrator privileges. The CVSS 4.0 base score is 8.8 (HIGH) with netwo...

CVSS 8.8, AI score 5.9, EPSS 0.0015
Exploits 0, References 1, Affected Software 1
Positive Technologies
added 2026/03/04 12:00 a.m., 2 views

PT-2026-22932

Name of the Vulnerable Software and Affected Versions: 2N Access Commander versions prior to 3.4.3. Description: A flaw exists in the validation of an API endpoint in 2N Access Commander that could allow an attacker to bypass the password policy for backup file encryption. Successful exploitation...

CVSS 7.2, AI score 5.9, EPSS 0.00055
Exploits 0, References 7
Positive Technologies
added 2026/03/04 12:00 a.m., 2 views

PT-2026-22931

Name of the Vulnerable Software and Affected Versions: 2N Access Commander versions prior to 3.4.2. Description: The 2N Access Commander software contains a flaw related to insufficient validation of data written to logs. Specifically, certain parameters received through the API are included in log...

CVSS 6.9, AI score 5.9, EPSS 0.00062
Exploits 0, References 2
OSV
added 2026/03/03 9:17 p.m., 1 view

GHSA-JQWG-75QF-VMF9 SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access

Summary: /api/query/sql allows users to run SQL directly, but it only checks basic auth, not admin rights, so any logged-in user, even readers, can run any SQL query on the database. Details: The vulnerable endpoint is in kernel/api/sql.go: `func SQL(c *gin.Context) { ret := gulu.Ret.NewResult(); defer...`

CVSS 7.1, AI score 6.1, EPSS 0.00068
Exploits 1, References 3
OSV
added 2026/03/02 4:28 p.m., 1 view

CVE-2026-28286 ZimaOS: Unauthorized Creation of Files/Folders in Restricted System Directories via API

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, th...

CVSS 8.5, AI score 6, EPSS 0.00092
Exploits 2, References 3
EUVD
added 2026/03/02 4:17 p.m., 3 views

EUVD-2026-9208

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3...

CVSS 5.3, AI score 5.9, EPSS 0.00041
Exploits 0, References 2
OSV
added 2026/03/02 7:16 a.m., 1 view

CVE-2025-15597

A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been...

CVSS 6.3, AI score 6.1
Exploits 0, References 17