Lucene search

1388 matches found

CNNVD
added 2025/10/16 12:00 a.m.

WSO2 API Manager and WSO2 API Control Plane security vulnerability

WSO2 API Manager and WSO2 API Control Plane are products of WSO2, Inc. WSO2 API Manager is an API lifecycle management solution and WSO2 API Control Plane is a control plane. A security vulnerability exists in WSO2 API Manager and WSO2 API Control Plane that stems from a lack of authentication an...

CVSS 9.8 | AI score 6.9 | EPSS 0.00064
Exploits: 0 | References: 1
CNVD
added 2025/10/16 12:00 a.m.

Fortinet FortiOS Resource Management Error Vulnerability (CNVD-2025-24143)

FortiOS is Fortinet's network operating system that provides firewall, VPN and network security features. A security vulnerability exists in Fortinet FortiOS that stems from an API interface that does not validate return values. An attacker could use this vulnerability to trigger a null pointer...

CVSS 4.9 | AI score 6.8 | EPSS 0.00064
Exploits: 0 | References: 1
CNNVD
added 2025/10/16 12:00 a.m.

Teedy access control error vulnerability

Teedy is an open source, lightweight document management system for individuals and businesses, open-sourced by Teedy France. An access control error vulnerability exists in Teedy 1.11 and earlier versions, which stems from improper access control of the API endpoint component in file/api/file, an...

CVSS 8.1 | AI score 6.5 | EPSS 0.00072
Exploits: 1 | References: 5
Cvelist
added 2025/10/14 5:01 p.m.

CVE-2025-59203 Windows State Repository API Server File Information Disclosure Vulnerability

...

CVSS 5.5 | EPSS 0.00074
Exploits: 0 | References: 1
EUVD
added 2025/10/14 9:15 a.m.

EUVD-2025-34158

A vulnerability has been identified in SiPass integrated All versions V3.0. Affected server applications contain a broken access control vulnerability. The authorization mechanism lacks sufficient server-side checks, allowing an attacker to execute a specific API request. Successful exploitation...

CVSS 5.1 | AI score 6.7 | EPSS 0.0004
Exploits: 0 | References: 2
Positive Technologies
added 2025/10/14 12:00 a.m.

PT-2025-41836

Name of the Vulnerable Software and Affected Versions: SAP Application Server for ABAP (affected versions not specified). Description: An authenticated attacker can store malicious JavaScript payloads. These payloads could be executed in a victim user's browser when accessing the affected functionalit...

CVSS 5.4 | AI score 6 | EPSS 0.00032
Exploits: 0 | References: 5
CVE
added 2025/10/13 8:46 p.m.

CVE-2025-61688

CVE-2025-61688 affects Omni, a tool for managing Kubernetes on bare metal, VMs, or cloud environments. Public documents confirm an information leak via an API in Omni older than specific releases. The vulnerability is described consistently across sources as leaking sensitive information through ...

CVSS 8.6 | AI score 6.2 | EPSS 0.00051
Exploits: 0 | References: 1 | Affected Software: 1
Github Security Blog
added 2025/10/13 8:09 p.m.

Omni vulnerable to information leak via API

Impact: Omni might leak sensitive information via an API. Patches: v1.1.5, v1.0.2 and v1.2.0 contain the patch. Workarounds: None. References: None...

CVSS 8.6 | AI score 6.7 | EPSS 0.00051
Exploits: 0 | References: 4 | Affected Software: 1
Cvelist
added 2025/10/10 10:25 p.m.

CVE-2025-9553 API Key manager - Critical - Unsupported - SA-CONTRIB-2025-103

Vulnerability in Drupal API Key manager. This issue affects API Key manager:...

EPSS 0.0004
Exploits: 0 | References: 1
Positive Technologies
added 2025/10/09 12:00 a.m.

PT-2025-41384

Name of the Vulnerable Software and Affected Versions: IBM Aspera Faspex versions 5.0.0 through 5.0.13.1. Description: A privileged user could potentially cause a denial of service due to improperly validated API input, leading to excessive resource consumption. The issue stems from insufficient...

CVSS 4.9 | AI score 6.3 | EPSS 0.00066
Exploits: 0 | References: 4
OSV
added 2025/10/07 5:24 p.m.

GHSA-WR9H-G72X-MWHM vLLM is vulnerable to timing attack at bearer auth

Summary: The API key support in vLLM performed validation using a method that was vulnerable to a timing attack. This could potentially allow an attacker to discover a valid API key using an approach more efficient than brute force. Details: ...

CVSS 7.5 | AI score 7 | EPSS 0.00298
Exploits: 1 | References: 6
Snyk
added 2025/10/07 2:43 p.m.

Covert Timing Channel

Overview: vllm is a high-throughput and memory-efficient inference and serving engine for LLMs. Affected versions of this package are vulnerable to Covert Timing Channel via the apiserver component. An attacker can gain unauthorized access by exploiting differences in response times during API k...

CVSS 8.7 | AI score 7 | EPSS 0.00298
Exploits: 1 | References: 2
NVD
added 2025/10/07 1:15 p.m.

CVE-2025-40676

Insecure Direct Object Reference (IDOR) in Negotiator v3.15.2 from Biobanking and Biomolecular Resources - European Research Infrastructure (BBMRI-ERIC). This vulnerability allows an attacker to access or modify unauthorised resources by manipulating requests that use the 'userID' parameter in...

CVSS 5.3 | EPSS 0.00056
Exploits: 0 | References: 1
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2011-5250

Malware in sbrugna...

CVSS 9.8 | AI score 6.4 | EPSS 0.68643
Exploits: 1 | References: 7
EUVD
added 2025/10/07 12:00 a.m.

EUVD-2025-32895

Nagios Log Server before 2024R1.3.2 allows authenticated users with read-only API access to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not stop elasticsearch" is in the API response...

CVSS 8.5 | AI score 6.2 | EPSS 0.00154
Exploits: 1 | References: 2
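The Nagios Log Server entry (a read-only API key reaching a state-changing endpoint) and the Negotiator, SiPass and Teedy entries above (a server acting on a client-supplied userID or endpoint without checking who is asking) are the two halves of broken access control: function-level and object-level authorization. The following is an added example, not code from any of those products, showing both failure modes next to the server-side checks that close them. The roles, permissions, handler names and in-memory records are constructed for the example.

```python
# Added example (not Nagios Log Server, BBMRI-ERIC Negotiator, Teedy or
# SiPass code): a minimal API authorization layer showing the two failure
# modes in the entries above, function-level (an authenticated read-only
# key invoking a state-changing endpoint) and object-level (serving
# whatever userID the client supplies), next to the checks that close
# them.  Roles, permissions and the in-memory data are constructed.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a server-side authorization check fails."""


@dataclass
class Principal:
    user_id: str
    role: str  # hypothetical roles: "admin" or "readonly"


@dataclass
class Store:
    profiles: dict = field(default_factory=lambda: {
        "alice": "alice@example.org",  # constructed records
        "bob": "bob@example.org",
    })
    service_running: bool = True


# --- vulnerable handlers: authentication happened, authorization did not ---

def stop_service_vulnerable(store, principal, subsystem):
    # Any valid key can stop the service; the caller's role is never consulted.
    store.service_running = False
    return {"message": f"{subsystem} stopped"}


def get_profile_vulnerable(store, principal, user_id):
    # IDOR: the userID from the request is used as-is, so any caller can
    # read any record simply by changing the parameter.
    return store.profiles[user_id]


# --- hardened handlers: role check first, then ownership check -----------

ROLE_PERMISSIONS = {
    "admin": {"system:stop", "profile:read"},
    "readonly": {"profile:read"},
}


def require(principal, permission):
    """Function-level check: the principal's role must grant the permission."""
    if permission not in ROLE_PERMISSIONS.get(principal.role, set()):
        raise Forbidden(f"role {principal.role!r} lacks {permission}")


def stop_service(store, principal, subsystem):
    require(principal, "system:stop")
    store.service_running = False
    return {"message": f"{subsystem} stopped"}


def get_profile(store, principal, user_id):
    require(principal, "profile:read")
    # Object-level check: non-admins may only read their own record,
    # whatever userID the request carries.
    if principal.role != "admin" and user_id != principal.user_id:
        raise Forbidden("userID does not belong to the authenticated principal")
    return store.profiles[user_id]


def is_denied(handler, *args):
    """True when the handler refuses the call with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    store = Store()
    readonly = Principal("alice", "readonly")
    stop_service_vulnerable(store, readonly, "elasticsearch")
    print("vulnerable: service still running after read-only stop?", store.service_running)
    print("hardened: read-only stop denied?", is_denied(stop_service, store, readonly, "elasticsearch"))
    print("hardened: alice reading bob denied?", is_denied(get_profile, store, readonly, "bob"))
```

The point of the ownership check in get_profile is that the identity comes from the authenticated session, never from the request body or query string; the userID parameter is only ever compared against it.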
CNNVD
added 2025/10/07 12:00 a.m.

vLLM security vulnerability

vLLM is an open source, high-throughput and memory-efficient inference and serving engine for LLMs. A security vulnerability exists in versions prior to vLLM 0.11.0rc2, which stems from a timing attack vulnerability in the API key authentication method that could lead to authentication bypass...

CVSS 7.5 | AI score 6.4 | EPSS 0.00298
Exploits: 1 | References: 4
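The three vLLM entries above (OSV, Snyk, CNNVD) describe the same weakness: an API key compared with a method whose running time depends on how many leading bytes of the guess are correct. The following is an added example, not vLLM's code, showing why that leaks the key and what the constant-time replacement looks like. Rather than measuring wall-clock time, which is noisy, the comparison functions report how many bytes they examined; that count is exactly the signal a real attack estimates from many timed HTTP requests. The key, the alphabet and the recovery loop are constructed for the example.

```python
# Added example (not vLLM's code): an early-exit API key comparison
# beside an instrumented constant-work one, plus the byte-at-a-time
# recovery loop that the work-count side channel enables.  The key and
# the alphabet are constructed for the example.
import hmac

API_KEY = b"3f9c7a12b4e8d0c5"  # constructed secret; hex characters only
HEX = b"0123456789abcdef"


def compare_early_exit(secret: bytes, presented: bytes) -> tuple[bool, int]:
    """Naive comparison that stops at the first mismatching byte.
    Returns (equal, bytes_examined); the second value grows with the
    length of the correct prefix, which is the leak."""
    if len(secret) != len(presented):
        return False, 0
    examined = 0
    for s, p in zip(secret, presented):
        examined += 1
        if s != p:
            return False, examined
    return True, examined


def compare_constant_work(secret: bytes, presented: bytes) -> tuple[bool, int]:
    """Instrumented constant-work comparison: every byte is visited and the
    mismatches are OR-ed together, so the work does not depend on where the
    inputs differ.  Production code should call hmac.compare_digest, which
    additionally avoids interpreter-level shortcuts."""
    if len(secret) != len(presented):
        return False, 0
    diff = 0
    for s, p in zip(secret, presented):
        diff |= s ^ p
    return diff == 0, len(secret)


def authenticate(presented: bytes) -> bool:
    """The fix: a constant-time check against the stored key."""
    return hmac.compare_digest(API_KEY, presented)


def recover_key(oracle, key_len: int, alphabet: bytes) -> bytes:
    """Byte-at-a-time recovery using only the work-count side channel.
    For each position, the candidate that makes the comparison examine one
    more byte (or succeed outright) is the correct one.  Against a
    constant-work oracle every candidate scores the same, so the loop just
    returns the first alphabet byte at every position."""
    known = b""
    for pos in range(key_len):
        best_byte, best_score = alphabet[0], -1
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (key_len - pos - 1)
            equal, examined = oracle(guess)
            score = examined + int(equal)
            if score > best_score:
                best_byte, best_score = c, score
        known += bytes([best_byte])
    return known


def demo() -> tuple[bytes, bytes]:
    """Returns (key recovered from the leaky compare,
                bytes 'recovered' from the constant-work compare)."""
    leaky = recover_key(lambda g: compare_early_exit(API_KEY, g), len(API_KEY), HEX)
    blind = recover_key(lambda g: compare_constant_work(API_KEY, g), len(API_KEY), HEX)
    return leaky, blind


if __name__ == "__main__":
    leaky, blind = demo()
    print("early-exit compare leaked the key:", leaky == API_KEY)
    print("constant-work compare leaked the key:", blind == API_KEY)
```

Against the early-exit oracle the loop needs at most 16 guesses per position instead of 16**16 overall, which is the "more efficient than brute force" in the OSV summary. Note that hmac.compare_digest still returns early when the lengths differ; that only leaks the key length, which is not normally secret, but it is a reason to fix key length by policy.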
EUVD
added 2025/10/06 6:47 a.m.

EUVD-2025-32501

A user with the appropriate authorization can create any number of user accounts via an API endpoint using a POST request. There are no quotas, checking mechanisms or restrictions to limit the creation...

CVSS 3.8 | AI score 6.3 | EPSS 0.00076
Exploits: 0 | References: 7
Cvelist
added 2025/10/06 6:47 a.m.

CVE-2025-58578 Unlimited user creation by authorized users

A user with the appropriate authorization can create any number of user accounts via an API endpoint using a POST request. There are no quotas, checking mechanisms or restrictions to limit the creation...

CVSS 3.8 | EPSS 0.00076
Exploits: 0 | References: 6
CVE
added 2025/10/06 6:47 a.m.

CVE-2025-58578

CVE-2025-58578 describes an API misuse where an authorized user can create an unlimited number of user accounts via a POST endpoint due to no quotas or validation. Public documents across Red Hat, NVD, CVE lists, and SICK-related advisories confirm the core issue (unbounded account creation) ...

CVSS 4.3 | AI score 6.5 | EPSS 0.00076
Exploits: 0 | References: 6 | Affected Software: 1
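The three CVE-2025-58578 entries above describe a POST endpoint with no quota, and the Aspera Faspex entry describes the neighbouring failure, API input that is not bounded before it consumes resources. The following is an added example, not code from SICK, Red Hat or any vendor named here, of an account-creation handler with the unbounded behaviour next to one that enforces a per-creator quota, a per-window rate limit and a username policy. The limits, usernames and injected clock are constructed for the example.

```python
# Added example (not SICK's, Red Hat's or any vendor's code): an account
# creation handler with the unbounded behaviour described for
# CVE-2025-58578, next to a version that bounds it with a per-creator
# quota, a per-window rate limit and basic input validation.  Limits,
# usernames and the clock are constructed for the example.
from collections import defaultdict, deque
import re

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{2,31}$")  # constructed policy


class QuotaExceeded(Exception):
    """Raised when a creator exceeds its account-creation allowance."""


class UserDirectory:
    def __init__(self, max_accounts_per_creator=None, max_per_window=None,
                 window_seconds=60):
        # None for both limits reproduces the vulnerable, unbounded behaviour.
        self.max_accounts_per_creator = max_accounts_per_creator
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.users = {}                       # username -> creator
        self.created_by = defaultdict(list)   # creator -> usernames created
        self.recent = defaultdict(deque)      # creator -> creation timestamps

    def create_user(self, creator: str, username: str, now: float) -> str:
        """Body of a POST /users handler.  `now` is injected so the window
        logic is deterministic; a real handler would use time.monotonic()."""
        if not USERNAME_RE.match(username):
            raise ValueError("invalid username")
        if username in self.users:
            raise ValueError("username already exists")
        # Lifetime quota: how many accounts this creator may own in total.
        if (self.max_accounts_per_creator is not None
                and len(self.created_by[creator]) >= self.max_accounts_per_creator):
            raise QuotaExceeded(f"{creator} reached {self.max_accounts_per_creator} accounts")
        # Sliding-window rate limit: how fast the creator may add them.
        if self.max_per_window is not None:
            window = self.recent[creator]
            while window and now - window[0] >= self.window_seconds:
                window.popleft()
            if len(window) >= self.max_per_window:
                raise QuotaExceeded(f"{creator} exceeded {self.max_per_window} "
                                    f"creations per {self.window_seconds}s")
            window.append(now)
        self.users[username] = creator
        self.created_by[creator].append(username)
        return username


def flood(directory: UserDirectory, creator: str, attempts: int, now: float) -> int:
    """Simulates an authorized user hammering the endpoint; returns how many
    accounts were actually created before a quota stopped it."""
    created = 0
    for _ in range(attempts):
        try:
            directory.create_user(creator, f"user{len(directory.users)}", now)
            created += 1
        except QuotaExceeded:
            break
    return created


if __name__ == "__main__":
    unbounded = UserDirectory()
    print("unbounded handler created:", flood(unbounded, "operator", 1000, now=0.0))
    bounded = UserDirectory(max_accounts_per_creator=25, max_per_window=10)
    print("bounded handler created in first minute:", flood(bounded, "operator", 1000, now=0.0))
    print("bounded handler created a minute later:", flood(bounded, "operator", 1000, now=60.0))
```

Both limits are keyed on the authenticated creator rather than on the request, so an authorized account cannot sidestep them by varying the payload; the lifetime quota is what stops a slow, patient attacker that the rate limit alone would let through.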
Positive Technologies
added 2025/10/06 12:00 a.m.

PT-2025-40949

Name of the Vulnerable Software and Affected Versions: YoSmart YoLink versions through 2025-10-02. Description: The YoSmart YoLink API constructs an endpoint URL using a device's MAC address and an MD5 hash of non-secret information, including a key starting with cf50. The API endpoint is derived fr...

CVSS 5.8 | AI score 6.4 | EPSS 0.00047
Exploits: 0 | References: 7