CVE-2025-30040 Missing authentication in API returning request logs containing session IDs

The vulnerability allows unauthenticated users to download a file containing session ID data by directly accessing the "/cgi-bin/CliniNET.prd/utils/userlogxls.pl" endpoint...

CVE-2025-7841

CVE-2025-7841 affects the WordPress plugin “Sertifier Certificate & Badge Maker for WordPress – Tutor LMS.” A CSRF flaw exists due to missing/incorrect nonce validation on the sertifier_settings page, enabling unauthenticated attackers to update the plugin’s API key if a site admin is tricked int...

CVE-2025-52352

Aikaan IoT management platform v3.25.0325-5-g2e9c59796 provides a configuration to disable user sign-up in distributed deployments by hiding the sign-up option on the login page UI. However, the sign-up API endpoint remains publicly accessible and functional, allowing unauthenticated users to...

CVE-2024-50641

An authentication bypass vulnerability in PandoraNext-TokensTool v0.6.8 and before. An attacker can exploit this vulnerability to access API without any token...

CVE-2024-50644

zhisheng17 blog 3.0.1-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access API without any token...

CVE-2011-10026

Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the searchinstanceeval parameter, which is dynamically invoked using Ruby’s send method. Thi...

CVE-2025-9341 Garbage collection can delay for AES CBC Native support, resulting in heap exhaustion

Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All API modules, Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All API modules allows Excessive Allocation. This vulnerability is associated wi...

Blog 安全漏洞

Blog is a personal blogging system by Xuzijia Individual Developers in China. A security vulnerability exists in Blog version 3.0.1-SNAPSHOT, which stems from an authentication bypass that could lead to unauthorized access to the API...

PT-2025-34446 · Unknown · Zhisheng17 Blog

Name of the Vulnerable Software and Affected Versions: zhisheng17 blog version 3.0.1-SNAPSHOT Description: The software contains an authentication bypass issue that allows an attacker to access the API without a token. Recommendations: At the moment, there is no information about a newer version...

CVE-2024-50644

CVE-2024-50644 affects zhisheng17 blog 3.0.1-SNAPSHOT. The provided documents describe an authentication bypass vulnerability that allows an attacker to access the API without a token. Affected component is the Blog software’s authentication mechanism; the root cause is an authentication bypass, ...

SUSE CVE-2025-44004

Mattermost Confluence Plugin version 1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorization via API call to the create channel subscription endpoint...

SUSE CVE-2025-54478

Mattermost Confluence Plugin version 1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to empty request bodies not being properly rejected. An attacker can cause users to perform unintended actions by tricking them into clicking malicious links through post actions. Remediation Upgrade...

CVE-2025-27215

An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect Display Cast devices to make unsupported changes to the system. Affected Products: UniFi Connect Display Cast Version 1.10.3 and earlier UniFi Connect Display Cast Pro Version 1.0.89 and...

CVE-2025-27215

CVE-2025-27215 describes an improper access control in the API of UniFi Connect Display Cast devices that, when authenticated, allows a malicious actor to make unsupported changes to the system. Affected products and versions are: UniFi Connect Display Cast 1.10.3 and earlier; Cast Pro 1.0.89 and...

CVE-2025-27213

An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect devices to enable Android Debug Bridge ADB and make unsupported changes to the system. Affected Products: UniFi Connect EV Station Pro Version 1.5.18 and earlier UniFi Connect Display Versio...

Exagrid EX10 安全漏洞

Exagrid EX10 is a backup storage server from Exagrid Corporation, USA. A security vulnerability exists in Exagrid EX10 version 7.0.1p02, which originates from the presence of XML external entity injection in the /init API endpoint, which could lead to information disclosure and elevation of...

Linux Distros Unpatched Vulnerability : CVE-2017-3650

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: C API. Supported versions that are affected are 5.7.18 and earlier. Difficult to explo...

PT-2025-34269

Name of the Vulnerable Software and Affected Versions: PandoraNext-TokensTool versions 0.6.8 and earlier Description: An authentication bypass allows an attacker to access the API without a token. Recommendations: Update to a version later than 0.6.8...

CVE-2011-10026 Spreecommerce < 0.50.x API RCE

Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the searchinstanceeval parameter, which is dynamically invoked using Ruby’s send method. Thi...