11 matches found
CVE-2023-45671
Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the / base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both...
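The bug shape behind the Frigate entry above, reflecting the requested path into an error body, is the same one seen in many API frameworks' default 404 handlers. The following is an added example and not Frigate's code: a vulnerable handler that echoes the raw path into HTML next to two hardened variants (an HTML-escaped page and a JSON error with nosniff, which is the context-appropriate answer for an API). Function names, the route format and the response tuple shape are assumptions for the demonstration.

```python
import html
import json

# Constructed probe value, not a payload from the advisory.
PROBE_PATH = "/api/<script>alert(1)</script>"


def not_found_vulnerable(path):
    """Echoes the request path straight into an HTML body (the bug shape the advisory describes)."""
    body = (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>No API route for {path}</p></body></html>"
    )
    return 404, {"Content-Type": "text/html; charset=utf-8"}, body


def not_found_html_hardened(path):
    """Same HTML page, but the reflected value is encoded for the HTML text context."""
    body = (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>No API route for {html.escape(path, quote=True)}</p></body></html>"
    )
    return 404, {"Content-Type": "text/html; charset=utf-8"}, body


def not_found_json(path):
    """API-style error: JSON encoding does the escaping for the JSON context, the
    Content-Type stops the browser treating the body as a document, and nosniff
    stops it second-guessing that type."""
    body = json.dumps({"error": "not found", "path": path})
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 404, headers, body


def reflects_raw_markup(response, marker="<script>"):
    """Detection check: the marker appears verbatim AND the body is served as HTML.

    A JSON body that contains '<script>' is not exploitable as reflected XSS on
    its own, which is why the content type is part of the check.
    """
    _status, headers, body = response
    return marker in body and headers["Content-Type"].startswith("text/html")


if __name__ == "__main__":
    for handler in (not_found_vulnerable, not_found_html_hardened, not_found_json):
        print(handler.__name__, "reflects raw markup:", reflects_raw_markup(handler(PROBE_PATH)))
```

The JSON variant keeps the path unescaped on purpose: HTML-escaping inside JSON would corrupt legitimate values for API clients, and the protection comes from the content type, nosniff and the consumer treating the field as data rather than markup.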
CVE-2021-41187
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection vulnerability has been found in specific versions of DHIS2. This vulnerability affects the API endpoints /api/trackedEntityInstances and /api/events in DHIS2. The...
GHSA-WGVP-JJ4W-88HF Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive informatio...
PT-2025-27355 · Unknown · Langchain-Chatchat
Name of the Vulnerable Software and Affected Versions: Langchain-Chatchat versions up to 0.3.1 Description: A problematic vulnerability was found in Langchain-Chatchat, affecting unknown code of the file "/v1/files?purpose=assistants". This issue leads to path traversal and can be initiated...
PT-2025-19776 · Xinguan · Xinguan
Name of the Vulnerable Software and Affected Versions: Xinguan version 0.0.1-SNAPSHOT Description: The issue is related to incorrect access control in the "/system/user/findUserList" API endpoint, which allows attackers to access sensitive information by sending a crafted payload. Recommendations...
PT-2025-18053 · Playedu · Playedu
Name of the Vulnerable Software and Affected Versions: playeduxyz PlayEdu versions 1.8 and earlier Description: A problem was found in the processing of the "/api/backend/v1/user/create" file of the User Avatar Handler component. The manipulation of the Avatar argument leads to server-side reques...
CVE-2024-9418
CVE-2024-9418 affects transformeroptimus/superagi v0.0.14, where the API endpoint /api/users/get/{id} returns plaintext user passwords. This flaw enables an attacker to retrieve another user’s password, enabling potential account takeover. Connected reports confirm the issue and the affected comp...
PT-2025-5840 · Douphp · Douphp
Name of the Vulnerable Software and Affected Versions: DouPHP version 1.8 Release 20231203 Description: The issue allows attackers to execute arbitrary code via a crafted payload injected into the description parameter of the "/admin/article.php" API endpoint. This enables attackers to perform...
PT-2024-34601 · Gibbon · Gibbon
Name of the Vulnerable Software and Affected Versions: Gibbon versions prior to 28.0.00 Description: The issue allows a remote attacker to obtain sensitive information via the email parameter found in the "/Gibbon/modules/User Admin/user_manage_editProcess.php" API endpoint. Recommendations: For...
PT-2024-38043 · Unknown · Open-Webui
Name of the Vulnerable Software and Affected Versions: open-webui version v0.3.8 Description: The issue is related to improper privilege management in the API endpoints "GET /api/v1/documents/" and "POST /rag/api/v1/doc". This allows a lower-privileged user to access and overwrite files managed b...
PT-2024-20239 · Unknown · Novel-Plus
Name of the Vulnerable Software and Affected Versions: Novel-Plus versions 4.3.0-RC1 and prior Description: A SQL injection issue exists, allowing an attacker to pass specially crafted offset, limit, and sort parameters to perform SQL injection via the "/novel/userFeedback/list" API endpoint...
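The Novel-Plus entry above (and the DHIS2 entry earlier on this page) describe injection through paging and sorting parameters, which are the classic case where plain parameter binding is not enough: a column name in ORDER BY cannot be a bound parameter. The following is an added example, not Novel-Plus's code, using an in-memory SQLite database with constructed data. It shows the concatenated query shape, a boolean-based blind probe through the sort parameter that leaks one bit per request, and the hardened form that allow-lists sort columns and binds range-checked integers. Table and column names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not the project's schema or data.
FEEDBACK_ROWS = [
    (1, "alice", "typo on page 3", "2024-01-02"),
    (2, "bob", "chapter 7 is missing", "2024-01-03"),
    (3, "carol", "loved the ending", "2024-01-04"),
]

SORTABLE_COLUMNS = {"id": "id", "created": "created", "user": "user"}  # client value -> real column
MAX_LIMIT = 100


def make_db():
    """In-memory SQLite database with a feedback table and an unrelated secrets table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_feedback (id INTEGER, user TEXT, content TEXT, created TEXT)")
    conn.executemany("INSERT INTO user_feedback VALUES (?, ?, ?, ?)", FEEDBACK_ROWS)
    conn.execute("CREATE TABLE app_user (name TEXT, password TEXT)")
    conn.execute("INSERT INTO app_user VALUES ('admin', 'hunter2')")
    return conn


def list_feedback_vulnerable(conn, offset, limit, sort):
    """Paging clause built by string concatenation: the bug shape the advisory describes."""
    sql = (
        "SELECT id, user, content, created FROM user_feedback "
        f"ORDER BY {sort} LIMIT {limit} OFFSET {offset}"
    )
    return conn.execute(sql).fetchall()


def oracle_probe(conn, guess):
    """Boolean-based blind probe through the sort parameter.

    The injected ORDER BY expression sorts ascending when the guess is correct
    and descending when it is wrong, so the row order leaks one bit per request
    without any error message or UNION being needed.
    """
    payload = (
        "CASE WHEN (SELECT password FROM app_user WHERE name = 'admin') = "
        f"'{guess}' THEN id ELSE -id END"
    )
    rows = list_feedback_vulnerable(conn, 0, 10, payload)
    return [r[0] for r in rows] == [1, 2, 3]


def list_feedback_hardened(conn, offset, limit, sort, direction="asc"):
    """Allow-list the identifier, bind the numbers, reject everything else."""
    column = SORTABLE_COLUMNS.get(sort)
    if column is None:
        raise ValueError(f"unsupported sort column: {sort!r}")
    if direction not in ("asc", "desc"):
        raise ValueError(f"unsupported sort direction: {direction!r}")
    try:
        limit, offset = int(limit), int(offset)
    except (TypeError, ValueError):
        raise ValueError("limit and offset must be integers") from None
    if not 1 <= limit <= MAX_LIMIT or offset < 0:
        raise ValueError("limit/offset out of range")
    sql = (
        "SELECT id, user, content, created FROM user_feedback "
        f"ORDER BY {column} {direction.upper()} LIMIT ? OFFSET ?"
    )
    return conn.execute(sql, (limit, offset)).fetchall()


def rejects(conn, offset, limit, sort):
    """True if the hardened endpoint refuses the given client-supplied values."""
    try:
        list_feedback_hardened(conn, offset, limit, sort)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("guess 'hunter2' correct:", oracle_probe(db, "hunter2"))
    print("guess 'wrong' correct:  ", oracle_probe(db, "wrong"))
    print("hardened rejects payload:", rejects(db, 0, 10, "CASE WHEN 1=1 THEN id ELSE -id END"))
```

The same allow-list pattern applies to MyBatis-style `${sort}` substitution in the Java code bases these advisories usually concern: map the client string onto a fixed set of column names before it reaches the mapper, and treat offset and limit as integers, never as SQL fragments.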