125 matches found
CVE-2025-70146
Missing authentication in multiple administrative action scripts under /admin/ in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to perform unauthorized administrative operations e.g.,adding records, deleting records via direct HTTP requests to affected endpoints without a...
PT-2026-7851
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with...
CVE-2026-26215 manga-image-translator Shared API Unsafe Deserialization RCE
manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simpleexecute/method and /execute/method deserialize attacker-controlled request bodies using...
CVE-2026-26215 manga-image-translator Shared API Unsafe Deserialization RCE
manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simpleexecute/method and /execute/method deserialize attacker-controlled request bodies using...
Exploit for CVE-2026-0770
CVE-2026-0770 - Langflow Remote Code Execution Summary La...
CVE-2025-15548
CVE-2025-15548 affects TP-Link VX800v v1.0, where the web interface endpoints transmit sensitive data over unencrypted HTTP due to missing application-layer encryption. This permits a network-adjacent attacker to intercept traffic and compromise confidentiality. Affected product/version: VX800v v...
CVE-2025-66698
An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints...
pretix has Broken Access Control Allowing Cross-User File Access via UUID
Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only...
EUVD-2025-198047
Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information...
CVE-2025-27368
CVE-2025-27368 affects IBM OpenPages 9.0 and 9.1, where insufficient access control on certain OpenPages REST endpoints allows an authenticated user to view system metadata beyond their authorization. The issue stems from weaker than expected REST endpoint security, enabling information disclosur...
CVE-2025-34305 IPFire < v2.29 Stored XSS via Multiple Methods in cleanhtml()
IPFire versions prior to 2.29 Core Update 198 contain multiple stored cross-site scripting XSS vulnerabilities caused by a bug in the cleanhtml function /var/ipfire/header.pl that fails to apply HTML-entity encoding to user input. When an authenticated user submits data to affected endpoints - fo...
Moodle 安全漏洞
Moodle is a free e-learning software platform open-sourced by Moodle, also known as a course management system, learning management system, or virtual learning environment. A security vulnerability exists in Moodle that stems from mobile and web service authentication endpoints that do not...
CVE-2025-60427
LibreTime 3.0.0-alpha.10 (and possibly earlier) is affected by Broken Access Control. A user with the DJ role can access analytics data via the Web UI and direct API calls because the backend does not verify role-based permissions for analytics endpoints, allowing unauthorized retrieval of statio...
XSS-Payloads-to-Bypass-WAFs
PoC exploit for XSS payloads to bypass WAFs, specifically target...
EUVD-2019-7846
Malware in sbrugna...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication via the Manager web UI endpoints /api/v1/jobs and /preheats. An attacker can gain unauthorized access to create, delete, or modify jobs, and initiate preheat jobs by sending unauthenticated requests to these...
Scanners-Box
This is a collection of open-source scanners from the GitHub platform, including subdomain enumeration, database vulnerability scanners, weak password or information leak scanners, port scanners, fingerprint scanners, and other large-scale scanners. The collection is maintained by We5ter and...
CVE-2025-58459
Jenkins global-build-stats Plugin 322.v22f4db18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs...
CVE-2024-53945
The KuWFi 4G AC900 LTE router 1.0.13 is vulnerable to command injection on the HTTP API endpoints /goform/formMultiApnSetting and /goform/atCmd. An authenticated attacker can execute arbitrary OS commands with root privileges via shell metacharacters in parameters such as pincode and cmds...
CVE-2025-51458
SQL Injection in editorsqlrun and queryex in eosphoros-ai DB-GPT 0.7.0 allows remote attackers to execute arbitrary SQL statements via crafted input passed to the /v1/editor/sql/run or /v1/editor/chart/run endpoints, interacting with apieditorv1.editorsqlrun, editorchartrun, and...