FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue

Summary An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist. Details The issue is caused by the combination of these code paths: - server/api/apikeys/verify-api-or-token.js:45 sends requests without x-api-k...

EUVD-2020-7338

Malware in sbrugna...

EUVD-2025-18173

Malicious code in bioql PyPI...

EUVD-2023-53561

Malicious code in bioql PyPI...

EUVD-2025-5091

Malicious code in bioql PyPI...

EUVD-2022-32464

Malicious code in bioql PyPI...

EUVD-2022-38152

Malicious code in bioql PyPI...

EUVD-2023-46066

Malicious code in bioql PyPI...

CVE-2025-44960

RUCKUS SmartZone SZ before 6.1.2p3 Refresh Build allows OS command injection via a certain parameter in an API route...

Denial Of Service (DoS)

vllm is vulnerable to a Denial of service DoS. The vulnerability is due to improper handling of invalid jsonschema in the /v1/completions API’s Guided Param, which allows an attacker to cause a denial of service by crashing the server...

CVE-2024-52517

Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the...

CVE-2024-2032

A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of...

CVE-2022-29906

The admin API module in the QuizGame extension for MediaWiki through 1.37.2 before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66 omits a check for the quizadmin user...

CVE-2025-46716

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, ApiSetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to read...

CVE-2019-19946

The API in Dradis Pro 3.4.1 allows any user to extract the content of a project, even if this user is not part of the project team...

CVE-2016-11075

An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API...

CVE-2025-4427

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. Recent assessments: remmons-r7 at May 22, 2025 5:21am UTC reported: On May 13, 2025, Ivanti published an adviso...

PT-2025-15330 · Unknown · Fcj Venture Builder Appclientefiel

Name of the Vulnerable Software and Affected Versions: FCJ Venture Builder appclientefiel version 3.0.27 Description: A vulnerability was found in the FCJ Venture Builder appclientefiel, affecting an unknown functionality of the file /rest/cliente/ObterPedido/ of the component HTTP GET Request...

GraphQL query operations security can be bypassed

Summary Using the Relay special node type you can bypass the configured security on an operation. Details Here is an example of how to apply security configurations for the GraphQL operations: php ApiResource security: "isgranted'ROLEUSER'", operations: / ... / , graphQlOperations: new...

CVE-2024-13796

CVE-2024-13796 relates to the WordPress plugin “Post Grid and Gutenberg Blocks – ComboBlocks” (versions