59 matches found
CVE-2026-20797
A stack based buffer overflow exists in an API route of XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to cause stack corruption and a termination of the program...
CVE-2026-20797 Copeland XWEB and XWEB Pro Stack-based Buffer Overflow
A stack based buffer overflow exists in an API route of XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to cause stack corruption and a termination of the program...
CVE-2026-25164
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in apis/routes/restroutesstandard.inc.php does not call RestConfig::requestauthorizationcheck for the document and insurance routes. Other...
GHSA-RJV5-9PX2-FQW6 Gogs has authorization bypass in repository deletion API
Summary The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access including read-only collaborators can delete the entire repository. This vulnerability stems from the API route configuration only utilizing the...
Gogs has authorization bypass in repository deletion API
Summary The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access including read-only collaborators can delete the entire repository. This vulnerability stems from the API route configuration only utilizing the...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the lack of JWT authentication middleware and RBAC authorization checks in the routing configuration for /api/v1/jobs endpoint. An attacker can view, update, and delete jobs by sending...
CVE-2025-3232
A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands...
CVE-2025-3232 Mitsubishi Electric Europe smartRTU Missing Authentication for Critical Function
A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands...
CVE-2025-12677
The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the registerapiroute function in kiotvietsync/includes/publicactions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...
CVE-2025-12677
The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the registerapiroute function in kiotvietsync/includes/publicactions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...
CVE-2025-12677 KiotViet Sync <= 1.8.5 - Unauthenticated Webhook Key Exposure
The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the registerapiroute function in kiotvietsync/includes/publicactions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...
EUVD-2024-39193
Malicious code in bioql PyPI...
EUVD-2023-37363
Malicious code in bioql PyPI...
CVE-2025-44960
RUCKUS SmartZone SZ before 6.1.2p3 Refresh Build allows OS command injection via a certain parameter in an API route...
CVE-2022-24748
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgra...
GHSA-9X4V-XFQ5-M8X5 Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)
Summary The better-auth /api/auth/error page was vulnerable to HTML injection, resulting in a reflected cross-site scripting XSS vulnerability. Details The value of error URL parameter was reflected as HTML on the error page:...
CVE-2024-7456
The CVE-2024-7456 issue affects lunary-ai/lunary v1.4.2, where the /api/v1/external-users route constructs an ORDER BY clause using sql.unsafe without server-side sanitization, enabling SQL injection. Impact per sources: potential complete data loss/modification/corruption. Public details across ...
CVE-2024-41944
CVE-2024-41944 : A SQL injection in the Xibo CMS, in the API endpoint report/data/proofofplayReport, allows an authenticated user to read/modify arbitrary data by injecting into the sortBy parameter. Affected versions: Xibo prior to 3.3.12 and prior to 4.0.14. Remediation: upgrade to version 3.3....
CVE-2024-41944 Sensitive Information Disclosure abusing SQL Injection in Xibo CMS proof of play report
Xibo is a content management system CMS. An SQL injection vulnerability was discovered in the report/data/proofofplayReport API route inside the CMS. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the...
CVE-2024-41804 Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula
Xibo is a content management system CMS. An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially...