Wallarm Lab
added 2025/04/10 3:16 p.m. · 13 views

Meeting NIST API Security Guidelines with Wallarm

On March 25, 2025, NIST released the initial public draft of NIST SP 800-228, "Guidelines for API Protection for Cloud-Native Systems." The document provides a comprehensive framework for securing APIs in cloud-enabled environments. However, for organizations looking to align with these objective...

AI score: 7.6
Exploits: 0

Wallarm Lab
added 2025/04/10 6:44 a.m. · 7 views

The API Security Challenge in AI: Preventing Resource Exhaustion and Unauthorized Access

Agentic AI is transforming business. Organizations are increasingly integrating AI agents into core business systems and processes, using them as intermediaries between users and these internal systems. As a result, these organizations are improving efficiency, automating routine tasks, and drivi...

AI score: 7.8
Exploits: 0

OSV
added 2025/04/08 2:51 p.m. · 8 views

GHSA-CGFJ-HJ93-RMH2 Shopware allows Denial Of Service via password length

Impact: It's possible to pass long passwords that lead to Denial of Service via Storefront forms or the Store-API. Patches: Update to Shopware 6.6.10.3 or 6.5.8.17. Workarounds: For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of...

CVSS: 7.5 · AI score: 7.1 · EPSS: 0.00335
Exploits: 0 · References: 6

Positive Technologies
added 2025/04/08 12:00 a.m. · 2 views

PT-2025-15330 · Unknown · Fcj Venture Builder Appclientefiel

Name of the Vulnerable Software and Affected Versions: FCJ Venture Builder appclientefiel version 3.0.27. Description: A vulnerability was found in the FCJ Venture Builder appclientefiel, affecting an unknown functionality of the file /rest/cliente/ObterPedido/ of the component HTTP GET Request...

CVSS: 5.3 · AI score: 4.5 · EPSS: 0.00304
Exploits: 0 · References: 10

Veracode
added 2025/04/07 2:36 a.m. · 7 views

Unauthorized API Access

Directus is vulnerable to unauthorized API access by suspended users. The cause is missing session validation: verifySessionJWT does not check whether a user is still active and authorized...

CVSS: 4.3 · AI score: 7 · EPSS: 0.00314
Exploits: 1 · References: 2 · Affected Software: 2

Debian CVE
added 2025/04/05 3:35 p.m. · 20 views

CVE-2024-57868

Web::API 2.8 and earlier for Perl uses the rand function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Web::API uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random...

CVSS: 5.5 · AI score: 5.2 · EPSS: 0.00244
Exploits: 0

Cvelist
added 2025/04/05 12:00 a.m. · 14 views

CVE-2025-32357

In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for...

CVSS: 4.3 · EPSS: 0.00211
Exploits: 0 · References: 1

Github Security Blog
added 2025/04/04 2:07 p.m. · 46 views

GraphQL query operations security can be bypassed

Summary: Using the Relay special node type you can bypass the configured security on an operation. Details: Here is an example of how to apply security configurations for the GraphQL operations: php ApiResource security: "is_granted('ROLE_USER')", operations: /* ... */, graphQlOperations: new...

CVSS: 7.5 · AI score: 7.4 · EPSS: 0.00388
Exploits: 0 · References: 9 · Affected Software: 2

Packet Storm
added 2025/04/04 12:00 a.m. · 190 views

ollama 0.6.4 Server-Side Request Forgery

ollama versions 0.6.4 and below suffer from a server-side request forgery vulnerability. Exploit Title: ollama 0.6.4 - SSRF; Date: 2025-04-03; Exploit Author: sud0; Vendor Homepage: https://ollama.com/; Software Link: https://github.com/ollama/ollama/releases; Version: <=0.6.4; Tested on: CentOS 8; impor...

AI score: 7.1
Exploits: 0

NVD
added 2025/04/02 6:15 a.m. · 15 views

CVE-2024-36465

A low privilege regular Zabbix user with API access can use SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter...

CVSS: 8.8 · EPSS: 0.21243
Exploits: 0 · References: 1

NVD
added 2025/03/31 5:15 p.m. · 18 views

CVE-2025-30369

Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any...

CVSS: 2.7 · EPSS: 0.00218
Exploits: 0 · References: 1

Wallarm Lab
added 2025/03/31 12:25 p.m. · 7 views

Unsolved Challenge: Why API Access Control Vulnerabilities Remain a Major Security Risk

Despite advancements in API security, access control vulnerabilities, such as broken object-level authentication (BOLA) and broken function-level authentication (BFLA), remain almost impossible to detect. This blog will explore why these vulnerabilities are so difficult to detect, the limitations of...

AI score: 8.4
Exploits: 0

OSV
added 2025/03/28 7:22 a.m. · 10 views

BIT-MATTERMOST-2025-25068

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes...

CVSS: 8.8 · AI score: 6.9 · EPSS: 0.00295
Exploits: 0 · References: 2

Akamai Blog
added 2025/03/27 7:00 p.m. · 15 views

Enhancing Public Sector Cybersecurity with Akamai API Security

Learn how Akamai's API security solution helps federal agencies identify, protect, and monitor API traffic in real time...

AI score: 7.4
Exploits: 0

Github Security Blog
added 2025/03/26 8:08 p.m. · 58 views

Directus's webhook trigger flows can leak sensitive data

Describe the Bug: In Directus, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user...

CVSS: 8.6 · AI score: 6.7 · EPSS: 0.00485
Exploits: 1 · References: 3 · Affected Software: 1

Vulnrichment
added 2025/03/26 5:26 p.m. · 13 views

CVE-2025-30353 Directus's webhook trigger flows can leak sensitive data

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the A...

CVSS: 8.6 · AI score: 7.6 · EPSS: 0.00485
Exploits: 1 · References: 1

Wallarm Lab
added 2025/03/26 11:12 a.m. · 9 views

AI Agents and API Security: The Hidden Risks Lurking in Your Business Logic

Modern organizations are becoming increasingly reliant on agentic AI, and for good reason: AI agents can dramatically improve efficiency and automate mission-critical functions like customer support, sales, operations, and even security. However, this deep integration into business processes...

AI score: 7.8
Exploits: 0

OSV
added 2025/03/24 3:53 p.m. · 14 views

CVE-2025-23204 GraphQl securityAfterResolver not called

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to security, the impact is there only when...

CVSS: 4.4 · AI score: 6.6 · EPSS: 0.00259
Exploits: 0 · References: 7

NVD
added 2025/03/20 10:15 a.m. · 4 views

CVE-2024-7039

In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint http://0.0.0.0:8080/api/v1/users/uuidadministrator. This action is restricted by the user...

CVSS: 8.3 · EPSS: 0.00602
Exploits: 1 · References: 1

CVE
added 2025/03/20 10:11 a.m. · 70 views

CVE-2024-12215

CVE-2024-12215 — Kedro 0.19.8 : The pull_package() API path can execute the tarball’s setup.py via project_wheel_metadata(), enabling remote code execution (RCE) by running arbitrary commands on the victim’s machine. The vulnerability affects kedro-org/kedro and is documented with RCE impact and ...

CVSS: 8.8 · AI score: 9.2 · EPSS: 0.00918
Exploits: 0 · References: 1