Server-Side Request Forgery (SSRF)

Langflow is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient validation and filtering of user-supplied URLs in the API Request component, which allows an attacker to send crafted requests to internal or restricted network resources and retrieve their...

CVE-2026-23595

An authentication bypass in the application API allows an unauthorized administrative account to be created. A remote attacker could exploit this vulnerability to create privileged user accounts. Successful exploitation could allow an attacker to gain administrative access, modify system...

PT-2026-20609

Name of the Vulnerable Software and Affected Versions Breeze - WordPress Cache Plugin versions through 2.2.21 Description The Breeze - WordPress Cache Plugin is affected by an issue allowing unauthorized cache clearing. The REST API endpoint /wp-json/breeze/v1/clear-all-cache is registered withou...

Pi-hole Web Interface 安全漏洞

The Pi-hole Web Interface is an open-source dashboard web interface developed by Pi-hole. Versions of the Pi-hole Web Interface 6.0 and later contain security vulnerabilities. These vulnerabilities stem from a storage-type HTML injection vulnerability in the API settings page’s activity session...

CVE-2026-2676 GoogTech sms-ssm API LoginInterceptor.java preHandle improper authorization

A weakness has been identified in GoogTech sms-ssm up to e8534c766fd13f5f94c01dab475d75f286918a8d. Affected by this issue is the function preHandle of the file LoginInterceptor.java of the component API Interface. Executing a manipulation can lead to improper authorization. The attack may be...

PT-2026-20382

The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison == instead of strict comparison === when validating the installation ID in the...

CVE-2026-23598 Unauthenticated Information Disclosure in application API allows sensitive system information exposure

Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well...

Inside Modern API Attacks: What We Learn from the 2026 API ThreatStats Report

API security has been a growing concern for years. However, while it was always seen as important, it often came second to application security or hardening infrastructure. In 2025, the picture changed. Wallarm’s 2026 API ThreatStats Report revealed that APIs are now the primary attack surface fo...

HPE Aruba Networking Private 5G Core 安全漏洞

HPE Aruba Networking Private 5G Core is a 5G core solution provided by the American company HPE. There are security vulnerabilities in HPE Aruba Networking Private 5G Core, which stem from an authentication bypass in the application API. This vulnerability may allow the creation of unauthorized...

EUVD-2025-206979

Mattermost versions 10.11.x = 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...

CVE-2025-14573

Mattermost versions 10.11.x = 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...

CVE-2025-14573

Mattermost advisory MMSA-2025-00561 describes a vulnerability in Mattermost versions 10.11.x ≤ 10.11.9 where invite permissions are not enforced when updating team settings. This allows team administrators lacking proper permissions to bypass restrictions and add users to their team via API reque...

CVE-2019-25367 ArangoDB Community Edition 3.4.2-1 XSS via aardvark admin interface

ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface index.html through search, user management, and API parameters. Attackers can inject scripts via parameters in /db/system/admin/aardvark/index.html to execute JavaScript i...

PT-2026-7993

Name of the Vulnerable Software and Affected Versions HPESBNW05002 rev.1 Description An authentication bypass in the application API allows the creation of an unauthorized administrative account. A remote attacker could exploit this to create privileged user accounts, potentially gaining...

SUSE-SU-2026:0483-1 Security update for zabbix

This update for zabbix fixes the following issues: - CVE-2024-36469: Introduced clamping for mitigation of timing attacks. bsc1240676 - CVE-2024-42325: Restricted access to user fields using user.get API method for users of User and Admin type, and restricted access to alert entities using...

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the /api/users endpoint. An attacker can access sensitive information by sending a specially crafted request. Remediation There is no fixed version for...

UBUNTU-CVE-2025-14594

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to view certain pipeline values by querying the API...

PT-2026-7522

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 17.11 through 18.6.5 GitLab CE/EE versions 18.7 through 18.7.3 GitLab CE/EE versions 18.8 through 18.8.3 Description An authenticated user could potentially view certain pipeline values by querying the API under specific...

Silicon Labs Simplicity Device Manager Tool 安全漏洞

The Silicon Labs Simplicity Device Manager Tool is a hardware enumeration, configuration, and fault-diagnosis tool developed by Silicon Labs, Inc. The tool has a security vulnerability caused by reflective cross-site scripting in multiple API endpoints. This vulnerability could allow attackers to...

CVE-2026-25958

Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14...