WordPress plugin LottieFiles – Lottie block for Gutenberg 信息泄露漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. WordPress plugin...

CVE-2025-14574

The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the /wp-json/wp/v2/docs/settings REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API ke...

CVE-2026-22799

Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint /index.php?rest-api=upload for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers with a valid API key ...

GO-2026-4295 Mattermost Server exposes sensitive user status information via REST API version 4 endpoint in github.com/mattermost/mattermost-server

Mattermost Server exposes sensitive user status information via REST API version 4 endpoint in github.com/mattermost/mattermost-server...

[SECURITY] Fedora 42 Update: coturn-4.7.0-4.fc42

The Coturn TURN Server is a VoIP media traffic NAT traversal server and gatew ay. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying...

CVE-2026-22799 emlog Arbitrary File Upload Vulnerability

Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint /index.php?rest-api=upload for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers with a valid API key ...

CVE-2026-22251

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers...

CVE-2026-22250

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0...

emlog 代码问题漏洞

emlog is emlog open source PHP and MySQL based CMS site building system . emlog v2.6.1 and previous versions of the code problem vulnerability , the vulnerability stems from the REST API endpoints do not implement proper validation of file types , extensions and content , which could lead to an...

CVE-2021-31818

Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables...

CVE-2021-31856

A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint order parameter in GetMesheryPatterns in models/mesherypatternpersister.go...

CVE-2021-22865

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's web authentication flow to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this...

CVE-2022-37023

Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details o...

CVE-2022-31702

vRealize Network Insight vRNI contains a command injection vulnerability present in the vRNI REST API. A malicious actor with network access to the vRNI REST API can execute commands without authentication...

CVE-2022-0680

The Plezi WordPress plugin before 1.0.3 has a REST endpoint allowing unauthenticated users to update the plzconfigurationtrackerenable option, which is then displayed in the admin panel without sanitisation and escaping, leading to a Stored Cross-Site Scripting issue...

CVE-2017-18895

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information user statuses via a REST API version 4 endpoint...

CVE-2017-18896

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint...

CVE-2017-18889

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API...

CVE-2019-18464

In Progress MOVEit Transfer 10.2 before 10.2.6 2018.3, 11.0 before 11.0.4 2019.0.4, and 11.1 before 11.1.3 2019.1.3, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an unauthenticated attacker to gain unauthorized access to the database. Depending on the...

CVE-2019-11185

The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file...