CVE-2025-63662
Insecure permissions in the /api/v1/agents API of GT Edge AI Platform before v2.0.10-dev allows unauthorized attackers to access sensitive information...
CVE-2025-41079
CVE-2025-41079 affects Seafile v12.0.10 and is a stored XSS vulnerability triggered by storing malicious payloads via the PUT /api/v2.1/user/ endpoint using the name parameter. The issue enables browser-side code execution when a victim loads affected content. Public details consistently referenc...
CVE-2025-63551
A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) through 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the...
CVE-2025-41340
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'idtpdenuncia' and 'idsociedad' in '/backend/api/buscarTipoDenunciabyId.php'...
CVE-2025-60803
CVE-2025-60803 affects Antabot White-Jotter up to commit 9bcadc, with an unauthenticated remote code execution via the component /api/aaa;/../register. The issue is caused by the specific path handling in that component, enabling arbitrary code execution without authentication. Affected versions ...
CVE-2025-40649
Stored Cross-Site Scripting (XSS) in Biobanking and Biomolecular Resources Negotiator v3.15.2 - European Research Infrastructure BBMRI-ERIC, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request using parameter text in '/api/v3/negotiations//posts'...
EUVD-2022-34785
Malicious code in bioql PyPI...
CVE-2025-40645
Exposure of sensitive information in Viday. This vulnerability could allow an unauthenticated attacker to obtain sensitive information about customers by sending an HTTP GET request to “/api/reserva/web/clients” using the “phone” parameter...
CVE-2025-59686
Kazaar 1.25.12 allows /api/v1/org-id/orders/order-id/documents calls with a modified order-id...
PT-2025-40329
Name of the Vulnerable Software and Affected Versions: Viday (affected versions not specified). Description: An unauthenticated attacker can obtain sensitive customer information by sending an HTTP GET request to the /api/reserva/web/clients API endpoint. The vulnerability involves the exposure of...
CVE-2025-59843 FlagForgeCTF Exposes User Emails via Public /api/user/[username] API
Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/username returns user email addresses in its JSON response. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email addresses from public AP...
PT-2025-39692
Name of the Vulnerable Software and Affected Versions: Portabilis i-Educar versions up to 2.10. Description: A weakness exists in Portabilis i-Educar up to version 2.10, related to improper authorization. The issue is triggered by manipulating the aluno id argument within an unknown function of the...
CVE-2025-29156
Cross Site Scripting vulnerability in petstore v.1.0.7 allows a remote attacker to execute arbitrary code via a crafted script to the /api/v3/pet...
PT-2025-39439
Name of the Vulnerable Software and Affected Versions: petstore version 1.0.7. Description: A Cross Site Scripting issue exists in petstore version 1.0.7. This allows a remote attacker to execute arbitrary code by providing a crafted script to the /api/v3/pet API endpoint. The attack vector involves...
CVE-2025-10399
A weakness has been identified in Korzh EasyQuery up to 7.4.0. This issue affects some unknown processing of the file /api/easyquery/models/nwind/fetch of the component Query Builder UI. This manipulation causes SQL injection. The attack may be initiated remotely. The exploit has been made...
CVE-2025-51053
A Cross-site scripting (XSS) vulnerability in /apivedo/ in Vedo Suite version 2024.17 allows remote attackers to inject arbitrary JavaScript or HTML code and potentially trigger code execution in the victim's browser...
VulnCheck KEV: CVE-2025-48827
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025...
CVE-2021-24638
The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS files with Google Fonts CSS, or download fonts uploaded on the Google Fonts website...
VulnCheck KEV: CVE-2025-3248
Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests...
Eclipse Open VSX Security Vulnerability
Eclipse Open VSX is an open source registry of code extensions for Eclipse open source. A security vulnerability exists in Eclipse Open VSX versions v0.9.0 through v0.20.0, which stems from the /user/namespace/namespace/details API that allows a user to edit all namespace details, even if the use...