Lucene search
+L

59 matches found

attackerkb
attackerkb
added 2026/02/27 1:3 a.m.7 views

CVE-2026-20797

A stack based buffer overflow exists in an API route of XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to cause stack corruption and a termination of the program...

9.8CVSS6AI score0.00777EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2026/02/27 1:3 a.m.2 views

CVE-2026-20797 Copeland XWEB and XWEB Pro Stack-based Buffer Overflow

A stack based buffer overflow exists in an API route of XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to cause stack corruption and a termination of the program...

4.3CVSS6.1AI score0.00777EPSS
Exploits0References3
nvd
nvd
added 2026/02/25 7:43 p.m.7 views

CVE-2026-25164

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in apis/routes/restroutesstandard.inc.php does not call RestConfig::requestauthorizationcheck for the document and insurance routes. Other...

8.1CVSS0.0026EPSS
Exploits1References2
osv
osv
added 2026/02/06 7:47 p.m.6 views

GHSA-RJV5-9PX2-FQW6 Gogs has authorization bypass in repository deletion API

Summary The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access including read-only collaborators can delete the entire repository. This vulnerability stems from the API route configuration only utilizing the...

7.2CVSS5.9AI score0.00103EPSS
Exploits0References4
github
github
added 2026/02/06 7:47 p.m.9 views

Gogs has authorization bypass in repository deletion API

Summary The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access including read-only collaborators can delete the entire repository. This vulnerability stems from the API route configuration only utilizing the...

5.6AI score0.00103EPSS
Exploits0References4Affected Software1
snyk
snyk
added 2026/01/22 10:50 p.m.4 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the lack of JWT authentication middleware and RBAC authorization checks in the routing configuration for /api/v1/jobs endpoint. An attacker can view, update, and delete jobs by sending...

9.8CVSS5.6AI score0.00713EPSS
Exploits1References2
nvd
nvd
added 2025/12/24 8:15 p.m.6 views

CVE-2025-3232

A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands...

8.7CVSS0.00511EPSS
Exploits0References3
vulnrichment
vulnrichment
added 2025/12/24 7:55 p.m.2 views

CVE-2025-3232 Mitsubishi Electric Europe smartRTU Missing Authentication for Critical Function

A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands...

8.7CVSS7.5AI score0.00511EPSS
Exploits0References3
redhatcve
redhatcve
added 2025/11/06 7:54 a.m.13 views

CVE-2025-12677

The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the registerapiroute function in kiotvietsync/includes/publicactions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...

5.3CVSS6.1AI score0.00249EPSS
Exploits0References1
nvd
nvd
added 2025/11/05 8:15 a.m.10 views

CVE-2025-12677

The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the registerapiroute function in kiotvietsync/includes/publicactions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...

5.3CVSS0.00249EPSS
Exploits0References2
cvelist
cvelist
added 2025/11/05 7:27 a.m.11 views

CVE-2025-12677 KiotViet Sync <= 1.8.5 - Unauthenticated Webhook Key Exposure

The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the registerapiroute function in kiotvietsync/includes/publicactions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...

5.3CVSS0.00249EPSS
Exploits0References2
euvd
euvd
added 2025/10/03 8:7 p.m.6 views

EUVD-2024-39193

Malicious code in bioql PyPI...

6.5CVSS6.6AI score0.00435EPSS
Exploits0References3
euvd
euvd
added 2025/10/03 8:7 p.m.6 views

EUVD-2023-37363

Malicious code in bioql PyPI...

6.5CVSS6.6AI score0.00621EPSS
Exploits0References3
osv
osv
added 2025/08/04 5:15 p.m.12 views

CVE-2025-44960

RUCKUS SmartZone SZ before 6.1.2p3 Refresh Build allows OS command injection via a certain parameter in an API route...

8.8CVSS5.8AI score0.01772EPSS
Exploits0References4
redhatcve
redhatcve
added 2025/05/22 10:30 p.m.12 views

CVE-2022-24748

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgra...

7.5CVSS6.6AI score0.00747EPSS
Exploits0References1
osv
osv
added 2025/02/05 9:49 p.m.3 views

GHSA-9X4V-XFQ5-M8X5 Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)

Summary The better-auth /api/auth/error page was vulnerable to HTML injection, resulting in a reflected cross-site scripting XSS vulnerability. Details The value of error URL parameter was reflected as HTML on the error page:...

5.1CVSS6AI score
Exploits0References4
cve
cve
added 2024/11/01 12:5 p.m.95 views

CVE-2024-7456

The CVE-2024-7456 issue affects lunary-ai/lunary v1.4.2, where the /api/v1/external-users route constructs an ORDER BY clause using sql.unsafe without server-side sanitization, enabling SQL injection. Impact per sources: potential complete data loss/modification/corruption. Public details across ...

9.8CVSS10AI score0.01359EPSS
Exploits1References2Affected Software1
cve
cve
added 2024/07/30 4:24 p.m.88 views

CVE-2024-41944

CVE-2024-41944 : A SQL injection in the Xibo CMS, in the API endpoint report/data/proofofplayReport, allows an authenticated user to read/modify arbitrary data by injecting into the sortBy parameter. Affected versions: Xibo prior to 3.3.12 and prior to 4.0.14. Remediation: upgrade to version 3.3....

6.5CVSS6.7AI score0.00442EPSS
Exploits0References3
osv
osv
added 2024/07/30 4:24 p.m.19 views

CVE-2024-41944 Sensitive Information Disclosure abusing SQL Injection in Xibo CMS proof of play report

Xibo is a content management system CMS. An SQL injection vulnerability was discovered in the report/data/proofofplayReport API route inside the CMS. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the...

6.5CVSS7.9AI score0.00442EPSS
Exploits0References5
cvelist
cvelist
added 2024/07/30 3:51 p.m.25 views

CVE-2024-41804 Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula

Xibo is a content management system CMS. An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially...

6.5CVSS0.00435EPSS
Exploits0References3
Rows per page
Query Builder