Zoho ManageEngine OpManager - SQL Injection

Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL...

CubeCart 代码问题漏洞

CubeCart is an open-source e-commerce software developed by CubeCart. Versions of CubeCart prior to 6.7.0 had code vulnerabilities. These vulnerabilities stemmed from the REST API file manager endpoint, which allowed users with API keys to upload PHP source files to web-accessible directories...

CVE-2026-3334

The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'orblogname', 'orblogdescription', and 'oradminemail' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on th...

PT-2026-23064

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user’s account can exploit this bypass...

EUVD-2017-6286

Malware in sbrugna...

EUVD-2024-49011

Malicious code in bioql PyPI...

EUVD-2024-50958

Malicious code in bioql PyPI...

EUVD-2023-51896

Malicious code in bioql PyPI...

CVE-2025-47849

A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and...

CVE-2025-47849 Apache CloudStack: Insecure access of user's API/Secret Keys in the same domain

A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and...

CVE-2024-51493

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user...

CVE-2024-10092

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandleapikeyactions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVE-2025-2894

The Go1 also known as "The World's First Intelligence Bionic Quadruped Robot Companion of Consumer Level," contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the...

CVE-2025-2894

The Go1 also known as "The World's First Intelligence Bionic Quadruped Robot Companion of Consumer Level," contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the...

PT-2024-2594 · Elastic · Elasticsearch

Name of the Vulnerable Software and Affected Versions: Elasticsearch versions 8.10.0 through 8.12.x Description: The issue is related to an Incorrect Authorization problem in the API key based security model for Remote Cluster Security, which is currently in Beta. This allows a malicious user wit...

CVE-2023-30993

IBM Cloud Pak for Security CP4S 1.9.0.0 through 1.9.2.0 could allow an attacker with a valid API key for one tenant to access data from another tenant's account. IBM X-Force ID: 254136...

PT-2023-23102 · Ibm · Ibm Cloud Pak For Security

Name of the Vulnerable Software and Affected Versions: IBM Cloud Pak for Security CP4S versions 1.9.0.0 through 1.9.2.0 Description: The issue allows an attacker with a valid API key for one tenant to access data from another tenant's account. Recommendations: For versions 1.9.0.0 through 1.9.2.0...

CVE-2023-28640 Permissions bypass in Apiman could enable authenticated attacker to unpermitted API Key

Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...