40 matches found
CVE-2025-23222
An issue was discovered in Deepin dde-api-proxy through 1.0.19 in which unprivileged users can access D-Bus services as root. Specifically, dde-api-proxy runs as root and forwards messages from arbitrary local users to legacy D-Bus methods in the actual D-Bus services, and the actual D-Bus servic...
CVE-2025-60541
A Server-Side Request Forgery (SSRF) in the /api/proxy/ component of linshenkx prompt-optimizer v1.3.0 to v1.4.2 allows attackers to scan internal resources via a crafted request...
CVE-2025-60541
CVE-2025-60541 describes a Server-Side Request Forgery (SSRF) in the linshenkx prompt-optimizer, affecting versions 1.3.0 through 1.4.2. The vulnerability resides in the /api/proxy/ component and enables an attacker to scan internal resources via a crafted request. Public sources (NVD/Red Hat/EUV...
CVE-2025-43995
Dell Storage Center - Dell Storage Manager, version 20.1.21, contains an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to a protection mechanism bypass (authentication bypass in the DSM Data Collector). An...
EUVD-2025-3151
Malicious code in bioql PyPI...
EUVD-2023-3268
Malicious code in bioql PyPI...
Papermark security vulnerability
Papermark is a document analysis software by Marc Seitz, an individual developer. A security vulnerability exists in Papermark 0.20.0 and prior versions, which stems from improperly restricting access via the POST /api/file/s3/get-presigned-get-url-proxy API, which could allow an authenticated...
dde-api-proxy security vulnerability
dde-api-proxy is a proxy program from Deepin open source. A security vulnerability exists in dde-api-proxy version 1.0.19, which stems from the fact that an unprivileged user can access the D-Bus service as root...
CVE-2025-23222
Deepin dde-api-proxy (v1.0.19 and earlier) exposes a local privilege-escalation flaw: the daemon runs as root and forwards local user D-Bus requests to legacy D-Bus services, which do not detect the proxy context. This can allow unprivileged users to access D-Bus methods that should be restricted...
PT-2025-4860 · Deepin · Dde-Api-Proxy
Name of the Vulnerable Software and Affected Versions: Deepin dde-api-proxy versions 1.0.0 through 1.0.19 Description: The issue allows unprivileged users to access D-Bus services as root because dde-api-proxy runs as root and forwards messages from arbitrary local users to legacy D-Bus methods i...
CVE-2024-6424 Server-Side Request Forgery vulnerability in MESbook
External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint "/api/Proxy/Post?userName=&password=&uri=FILE|INTERNAL URL|IP/HOST" or "/api/Proxy/Get?userName=&password=&uri=ARCHIVO|URL INTERNA|IP/HOST" to re...
CVE-2024-32964 lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause...
PT-2024-17983 · WordPress · Leadconnector
Name of the Vulnerable Software and Affected Versions: LeadConnector plugin for WordPress versions up to, and including, 1.7 Description: The issue is related to a missing capability check on the lc public api proxy function, which allows unauthenticated attackers to delete arbitrary posts,...
Improper Access Control
github.com/rancher/rancher is vulnerable to Improper Access Control. The vulnerability is due to the API proxy not dropping the impersonation header before sending the request to the Kubernetes API, allowing an authenticated user to impersonate any user on a cluster...
PT-2024-19422 · Hewlett Packard · Hpe Msa Storage
Name of the Vulnerable Software and Affected Versions: HPE MSA storage products affected versions not specified Description: A potential security issue has been identified in VSS Provider and CAPI Proxy software for certain HPE MSA storage products. This issue could be exploited to gain elevated...
CVE-2023-49799 Server-Side Request Forgery in nuxt-api-party
nuxt-api-party is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression ^https?://, however this regular expression can be bypassed by ...
CVE-2023-49799
The CVE-2023-49799 entry concerns the nuxt-api-party module, where a regex-based absolute-URL check (^https?://) can be bypassed by absolute URLs with leading whitespace (e.g., a leading newline). This can allow requests to bypass the whitelist, enabling Server-Side Request Forgery (SSRF) and pot...
Cross-site request forgery (CSRF)
Cozy version 2 has XSS allowing remote attackers to obtain administrative access via JavaScript code in the url parameter to the /api/proxy URI, as demonstrated by an XMLHttpRequest call with an 'email:"email protected"' request, which can be followed by a password reset...