1402 matches found
SUSE CVE-2017-18890
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request...
WordPress plugin Popupkit 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security...
CVE-2025-59955 Coolify leaksensitive information `email_change_code` in `/api/v1/teams/{team_id | current}/members` API endpoint
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the /api/v1/teams/teamid/members and /api/v1/teams/current/members API endpoints allows...
PT-2026-1275
Name of the Vulnerable Software and Affected Versions Xinhu Rainrock RockOA versions up to 2.7.1 Description A security issue exists in Xinhu Rainrock RockOA. The issue involves cross site scripting, potentially allowing remote attacks. The issue is related to the manipulation of the callback...
PT-2026-1142
Name of the Vulnerable Software and Affected Versions Cloudflare affected versions not specified Description A buffer overflow exists in a simulated API. The issue is identified with a hypothetical identifier. The risk assessment is medium overall, and mitigation is suggested with patches. The...
CVE-2025-69286 RAGFlow has Predictable Token Generation Leading to Authentication Bypass Vulnerability
RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API key and beta assistant/agent share auth token generation process allows these tokens to be mutually derivable. Specifically, both tokens are...
CVE-2025-13029 Knowband Mobile App Builder for wooCommerce < 3.0.0 – Unauthenticated Arbitrary User Deletion
The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users...
EUVD-2024-55371
Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities...
CVE-2024-58337
Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities...
CVE-2024-58337 Akuvox Smart Intercom S539 Improper Access Control via ServicesHTTPAPI
Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities...
EUVD-2025-205817
Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enablenames is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...
GO-2025-4268 Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea
Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea...
PT-2025-54254
Name of the Vulnerable Software and Affected Versions Tinycontrol LAN Controller version 1.58a Description An authentication bypass allows unauthenticated attackers to change admin passwords. This is achieved by sending a crafted API request to the /stm.cgi endpoint with a specially crafted...
PT-2025-54189
Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enable names is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...
EUVD-2025-205432
IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to mishandling access control to private resources. An attacker can gain unauthorized access to private resources by using an API token that is restricted to public resources. Remediation Upgrade...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to mishandling access control to private resources. An attacker can gain unauthorized access to private resources by using an API token that is restricted to public resources. Remediation Upgrade...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to mishandling access control to private resources. An attacker can gain unauthorized access to private resources by using an API token that is restricted to public resources. Remediation Upgrade...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to mishandling access control to private resources. An attacker can gain unauthorized access to private resources by using an API token that is restricted to public resources. Remediation Upgrade...
CVE-2025-66377
CVE-2025-66377 affects Pexip Infinity prior to 39.0. A missing authentication for a critical function in a product-internal API allows an attacker who already has code execution on one node to impact the operation of other nodes in the installation. This is not listed as exploitable in the provid...