CVE-2024-0899

The s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 230815 via the API. This makes it possible for unauthenticated attackers ...

CVE-2024-2032

A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of...

CVE-2024-33039

Memory corruption when PAL client calls PAL service APIs by passing a random value as handle and the handle is not validated by the service...

CVE-2023-39530

PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds...

CVE-2023-29867

Zammad 5.3.x Fixed 5.4.0 is vulnerable to Incorrect Access Control. An authenticated attacker could gain information about linked accounts of users involved in their tickets using the Zammad API...

CVE-2022-1003

One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads...

CVE-2022-43719

Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

CVE-2022-29906

The admin API module in the QuizGame extension for MediaWiki through 1.37.2 before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66 omits a check for the quizadmin user...

CVE-2021-21246

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the /users/id endpoint there are no security checks enforced so it is possible to retrieve...

CVE-2021-30487

In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation...

CVE-2021-23014

On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, and 14.1.x before 14.1.4, BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API which might allow Authenticated users with guest privileges to upload files. Note: Software...

CVE-2025-46716

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, ApiSetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to read...

CVE-2020-15394

The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution...

Attackers Abuse TikTok and Instagram APIs

It must be the season for API security incidents. Hot on the heels of a developer leaking an API key for private Tesla and SpaceX LLMs, researchers have now discovered a set of tools for validating account information via API abuse, leveraging undocumented TikTok and Instagram APIs. The tools, an...

CVE-2019-10692

In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement...

CVE-2019-10118

Snipe-IT before 4.6.14 has XSS, as demonstrated by logmeta values and the user's last name in the API...

CVE-2019-19946

The API in Dradis Pro 3.4.1 allows any user to extract the content of a project, even if this user is not part of the project team...

CVE-2019-10686

An SSRF vulnerability was found in an API from Ctrip Apollo through 1.4.0-SNAPSHOT. An attacker may use it to do an intranet port scan or raise a GET request via /system-info/health because the %23 substring is mishandled...

CVE-2016-11075

An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API...

Mattermost Server 9.11.x < 9.11.12 / 10.5.x < 10.5.3 Multiple Vulnerabilities (MMSA-2025-00455, MMSA-2025-00456)

The version of Mattermost Server installed on the remote host is prior to 9.11.12 or 10.5.3. It is, therefore, affected by multiple vulnerabilities as referenced in the MMSA-2025-0045500456 advisory. - Mattermost versions 10.5.x = 10.5.2, 9.11.x = 9.11.11 failed to properly verify a user's...