Mattermost Permission Issues Vulnerability
Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. Mattermost suffers from a privilege issue vulnerability that stems from insufficient privilege validation, which can be exploited by an attacker to add guest users via the API...
GHSA-H356-3MFW-X368 Mattermost Fails to Verify User's Permissions When Accessing Groups
Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request...
CVE-2025-3446 Members Without Guest Invite Permissions Can Add Guests to Teams
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions, which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team...
Developer Leaks API Key for Private Tesla, SpaceX LLMs
In AI, as with so many advancing technologies, security often lags innovation. The xAI incident, during which a sensitive API key remained exposed for nearly two months, is a stark reminder of this disconnect. Such oversights not only jeopardize proprietary technologies but also highlight systemi...
CVE-2025-46737
SEL-5037 Grid Configurator contains an overly permissive Cross Origin Resource Sharing (CORS) configuration for a data gateway service in the application. This gateway service includes an API which is not properly configured to reject requests from unexpected sources...
CVE-2025-4427
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. Recent assessments: remmons-r7 at May 22, 2025 5:21am UTC reported: On May 13, 2025, Ivanti published an adviso...
CVE-2025-46737
CVE-2025-46737 relates to Schweitzer Engineering Laboratories SEL-5037 Grid Configurator. Connected PT Security entry specifies vulnerable versions: SEL-5037 Grid Configurator
PT-2025-20679 · Zong Yu · Zong Yu Parking Management System
Name of the Vulnerable Software and Affected Versions: ZONG YU Parking Management System affected versions not specified Description: The Parking Management System from ZONG YU has a Missing Authentication issue, allowing unauthenticated remote attackers to access specific APIs and operate system...
CVE-2025-45887
Yifang CMS v2.0.2 is vulnerable to Server-Side Request Forgery (SSRF) in /api/file/getRemoteContent...
PT-2025-20382 · Telemessage · Telemessage Archiving Backend
Name of the Vulnerable Software and Affected Versions: TeleMessage archiving backend versions through 2025-05-05 Description: The issue concerns the acceptance of API calls from the TM SGNL (aka Archive Signal) app to request an authentication token, using hardcoded credentials. The credentials use...
CVE-2025-46559 Misskey Directory Traversal Vulnerability in AiScript via `Mk:api`
Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in Mk:api allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious...
PT-2025-18714 · Sematell · Sematell Replyone
Name of the Vulnerable Software and Affected Versions: Sematell ReplyOne version 7.4.3.0 Description: The issue allows Server-Side Request Forgery (SSRF) through the application server API. This means an attacker could potentially manipulate the server into making unauthorized requests...
Security Bulletin: IBM Verify Gateway does not sufficiently guard against unauthorized API calls (CVE-2020-4847)
Summary When the IBM Verify Gateway (IVG) components make API calls, there is insufficient protection of tenant secrets. It's possible for an attacker to obtain the access token belonging to another tenant and issue an API call while impersonating that tenant. As of v1.0.1 of IVG for RADIUS and IVG for...
The API Imperative: Securing Agentic AI and Beyond
We recently released The Rise of Agentic AI, our API ThreatStats report for Q1 2025, finding that evolving API threats are fueled by the rise of agentic AI systems, growing complexity in cloud-native infrastructure, and a surge in software supply chain risks, and uncovered patterns and actionable...
CVE-2025-32044
A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data, including names, contact information, and hashed passwords, via stack traces returned by specific API calls. Sites with PHP configured with zend.exception_ignore_args = 1 in the...
Threat Replay Testing: Turning Attackers into Pen Testers
API security is no longer just a concern; it’s a critical priority for businesses. With APIs serving as the backbone of modern applications, they’ve become a primary target for attackers. While automated security testing tools help detect vulnerabilities, their limitations leave organizations...
Akamai API Security Enhancements
...
API Security Is Key to Cyber Resilience in Media and Entertainment
For media and entertainment companies, API expansion means a broader attack surface. Security needs to stay a step ahead...
Zabbix 7.0.0 - SQL Injection
Exploit Title: Zabbix 7.0.0 - SQL Injection Date: 06/12/2024 Exploit Author: Leandro Dias Barata @m4nb4 Vendor Homepage: https://www.zabbix.com/ Software Link: https://support.zabbix.com/browse/ZBX-25623 Version: 6.0.0 - 6.0.31 / 6.0.32rc1 6.4.0 - 6.4.16 / 6.4.17rc1 7.0.0 Tested on: Kali Linux...
Beyond Schema Enforcement: Imperva’s Approach to Delivering Holistic API Security
API security is gaining attention, yet many organizations struggle to move from identifying risks to mitigating them effectively. In their eagerness to strengthen their security posture, some rush to implement schema protection. However, the dynamic and often incomplete nature of API schemas soon...