CVE-2025-49584

CVE-2025-49584 (XWiki) affects XWiki Platform versions 10.9–16.4.6, 16.5.0-rc-1–16.10.2, and 17.0.0-rc-1. The REST API can disclose the titles of pages whose reference is known when an XClass with a page property is accessible, potentially leaking page names. Impact on confidentiality is task-dep...

CVE-2024-0680

The WP Private Content Plus plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 3.6. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated...

CVE-2024-0682

The Page Restrict plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 2.5.5. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated attackers t...

CVE-2024-5333

The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events...

CVE-2021-25036

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users...

PT-2025-18795 · Hashicorp +1 · Vault Community +3

Name of the Vulnerable Software and Affected Versions: Vault Community versions prior to 1.19.3 Vault Enterprise versions prior to 1.19.3, 1.18.9, 1.17.16, 1.16.20 Description: The Key/Value kv Version 2 plugin in Vault Community and Vault Enterprise may unintentionally expose sensitive informati...

CVE-2025-27623

A flaw was found in Jenkins. Affected versions of Jenkins do not redact encrypted values of secrets when accessing the config.xml of views via REST API or CLI. This flaw allows attackers with view/read permission to view encrypted values of secrets...

Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI. This allows attackers with View/Read permission to view encrypted values of secrets. Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of...

Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI. This allows attackers with Agent/Extended Read permission to view encrypted values of secrets. Jenkins 2.500, LTS 2.492.2 redacts the encrypted...

CVE-2025-27622

CVE-2025-27622 affects Jenkins 2.499 and earlier, and LTS 2.492.1 and earlier, where encrypted values of secrets stored in agent configuration (config.xml) are not redacted when accessed via REST API or CLI. An attacker with Agent/Extended Read permission can view these encrypted secret values. T...

CVE-2025-27622

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets...

CVE-2025-27622

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets...

PT-2025-9859 · Jenkins +1 · Jenkins +1

Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.499 and earlier Jenkins LTS versions 2.492.1 and earlier Description: The issue allows attackers with Agent/Extended Read permission to view encrypted values of secrets when accessing config.xml of agents via REST API or CL...

Exploit for Missing Authentication for Critical Function in Really-Simple-Plugins Really_Simple_Security

WordPress CVE-2024-10924 Exploit 📌 Overview This repository...

CVE-2024-5333

The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events...

CVE-2024-5333

The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events...

PT-2024-35723

Name of the Vulnerable Software and Affected Versions The Events Calendar WordPress plugin versions prior to 6.8.2.1 Description The issue is related to missing access checks in the REST API, allowing unauthenticated users to access information about password-protected events. Recommendations For...

CVE-2024-50357

FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial factory default configuration. But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server GUI or Web authentication ...

CVE-2024-39715

A code injection vulnerability that allows a low-privileged user with REST API access granted to remotely upload arbitrary files to the VSPC server using REST API, leading to remote code execution on VSPC server...

CVE-2024-39715

CVE-2024-39715 describes a code injection vulnerability in Veeam Service Provider Console (VSPC) where a low-privileged user with REST API access can remotely upload arbitrary files to the VSPC server, leading to remote code execution. The description is consistent across multiple sources (NVD, R...