PT-2026-34571
Statamic is a Laravel- and Git-powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel...
CVE-2025-59706
In N2W before 4.3.2 and 4.4.0 before 4.4.1, improper validation of API request parameters enables remote code execution...
CVE-2025-59784 Log Pollution - Control Characters Not Escaped
2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. This vulnerability can only be exploited after authenticating with administrator privileges...
CVE-2025-67840
Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM1757588060SEP2025FULL.depot web application API endpoints, including the Scheduler and Actions pages. The appliance directly concatenates user-controlled parameters...
EUVD-2019-19411
ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface index.html through search, user management, and API parameters. Attackers can inject scripts via parameters in /db/system/admin/aardvark/index.html to execute JavaScript i...
CVE-2022-37190
CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters action and function from "/api/index.php...
Release Information for Veeam Backup for Microsoft 365 8.3
More Recent Version Available: Please find the latest version of Veeam Backup for Microsoft 365 here: Veeam Downloads - Latest Version. Build Numbers and Versions of Veeam Backup for Microsoft 365. Requirements: This release can be used to upgrade an existing v7, v8, v8.1, or v8.2 deployment of Veea...
EUVD-2020-8131
Malware in sbrugna...
EUVD-2022-31219
Malicious code in bioql PyPI...
EUVD-2024-51953
Malicious code in bioql PyPI...
Chatbots, APIs, and the Hidden Risks Inside Your Application Stack
What happens when a legacy application quietly slips under the radar and ends up at the center of a security incident involving AI and APIs? For one global organization, this scenario played out in real time when an unusual chatbot behavior sparked a closer look into their recruitment platform,...
CVE-2025-28076
Multiple SQL injection vulnerabilities in EasyVirt DCScope <= 8.6.4 and CO2Scope <= 1.3.4 allow remote authenticated attackers to execute arbitrary SQL commands via the (1) timeago, (2) user, (3) filter, (4) target, (5) p1, (6) p2, (7) p3, (8) p4, (9) p5, (10) p6, (11) p7, (12) p8, (13) p9, (14) p10, (15) p11, (16) p12, (17) p13, ...
PT-2025-16193 · Crushftp · Crushftp
Name of the Vulnerable Software and Affected Versions: CrushFTP versions 9.x through 11.3.1. Description: The issue allows for Server-Side Request Forgery (SSRF) via the host and port parameters in a command=telnetSocket request to the "/WebInterface/function/" URI. This vulnerability can be exploit...
CVE-2024-12580
A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. The parameters sessionId, fileId, userId, and fileid in the /code/download/:sessionId/:fileId and /download/:userId/:fileid APIs are not validated or filtered, leading to potential log injection...
CVE-2024-12580
This CVE affects danny-avila/librechat prior to version 0.7.6. The vulnerability arises from unvalidated, unfiltered parameters in the /code/download/:sessionId/:fileId and /download/:userId/:file_id APIs, enabling potential logs debug injection. Consequences stated include distortion of monitorin...
CVE-2024-50368
A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G <= 1.6.3, EKI-6333AC-2GD <= v1.6.3 and EKI-6333AC-1GPO <= v1.2.1. The source of the vulnerability relies on...
CVE-2024-53354
Multiple SQL injection vulnerabilities in EasyVirt DCScope <= 8.6.0 and CO2Scope <= 1.3.0 allow remote authenticated attackers to execute arbitrary SQL commands via the (1) user parameter to /api/management/findfilterlist; the (2) user or (3) filter parameter to /api/audit/findmetawatcher; the (4) user...
CVE-2024-10552 Flexmls® IDX Plugin <= 3.14.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via API parameters
The Flexmls® IDX Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apikey' and 'apisecret' parameters in all versions up to, and including, 3.14.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-10552
The CVE-2024-10552 entry concerns the Flexmls IDX Plugin for WordPress, with a Stored Cross-Site Scripting (XSS) vulnerability in the api_key and api_secret parameters present in all versions up to 3.14.26. The root cause is insufficient input sanitization and output escaping, enabling authentica...