WordPress plugin Popupkit 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security...

CVE-2025-59955 Coolify leaksensitive information `email_change_code` in `/api/v1/teams/{team_id | current}/members` API endpoint

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the /api/v1/teams/teamid/members and /api/v1/teams/current/members API endpoints allows...

PT-2026-1275

Name of the Vulnerable Software and Affected Versions Xinhu Rainrock RockOA versions up to 2.7.1 Description A security issue exists in Xinhu Rainrock RockOA. The issue involves cross site scripting, potentially allowing remote attacks. The issue is related to the manipulation of the callback...

PT-2026-1142

Name of the Vulnerable Software and Affected Versions Cloudflare affected versions not specified Description A buffer overflow exists in a simulated API. The issue is identified with a hypothetical identifier. The risk assessment is medium overall, and mitigation is suggested with patches. The...

CVE-2025-69286 RAGFlow has Predictable Token Generation Leading to Authentication Bypass Vulnerability

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API key and beta assistant/agent share auth token generation process allows these tokens to be mutually derivable. Specifically, both tokens are...

CVE-2025-13029 Knowband Mobile App Builder for wooCommerce < 3.0.0 – Unauthenticated Arbitrary User Deletion

The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users...

EUVD-2024-55371

Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities...

CVE-2024-58337

Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities...

CVE-2024-58337 Akuvox Smart Intercom S539 Improper Access Control via ServicesHTTPAPI

Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities...

EUVD-2025-205817

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enablenames is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...

GO-2025-4268 Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea

Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea...

PT-2025-54254

Name of the Vulnerable Software and Affected Versions Tinycontrol LAN Controller version 1.58a Description An authentication bypass allows unauthenticated attackers to change admin passwords. This is achieved by sending a crafted API request to the /stm.cgi endpoint with a specially crafted...

PT-2025-54189

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enable names is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...

EUVD-2025-205432

IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to mishandling access control to private resources. An attacker can gain unauthorized access to private resources by using an API token that is restricted to public resources. Remediation Upgrade...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to mishandling access control to private resources. An attacker can gain unauthorized access to private resources by using an API token that is restricted to public resources. Remediation Upgrade...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to mishandling access control to private resources. An attacker can gain unauthorized access to private resources by using an API token that is restricted to public resources. Remediation Upgrade...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to mishandling access control to private resources. An attacker can gain unauthorized access to private resources by using an API token that is restricted to public resources. Remediation Upgrade...

CVE-2025-66377

CVE-2025-66377 affects Pexip Infinity prior to 39.0. A missing authentication for a critical function in a product-internal API allows an attacker who already has code execution on one node to impact the operation of other nodes in the installation. This is not listed as exploitable in the provid...

CVE-2025-3232

CVE-2025-3232 affects Mitsubishi Electric Europe smartRTU, where a remote unauthenticated attacker can bypass authentication via a specific API route and execute arbitrary OS commands. The Red Hat/NVD/EUVD/NVD-derived records consistently describe an access-control failure enabling command execut...