
966 matches found

Vulnrichment
added 2025/03/20 10:10 a.m. · 4 views

CVE-2024-11602 CORS Vulnerability in feast-dev/feast

A Cross-Origin Resource Sharing (CORS) vulnerability exists in feast-dev/feast version 0.40.0. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can bypass intended security...

CVSS 7.4 · AI score 7.5 · EPSS 0.00273
Exploits 0 · References 1
Vulnrichment
added 2025/03/20 10:10 a.m. · 4 views

CVE-2024-9439 Remote Code Execution in transformeroptimus/superagi

SuperAGI is vulnerable to remote code execution in the latest version. The agent template update API allows attackers to control certain parameters, which are then fed to the eval function without any sanitization or checks in place. This vulnerability can lead to full system compromise...

CVSS 8.8 · AI score 9 · EPSS 0.01018
Exploits 1 · References 1
Cvelist
added 2025/03/20 10:08 a.m. · 12 views

CVE-2024-11042 Arbitrary File Delete in invoke-ai/invokeai

In invoke-ai/invokeai version v5.0.2, the web API POST /api/v1/images/delete is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite...

CVSS 9.1 · EPSS 0.012
Exploits 0 · References 2
Positive Technologies
added 2025/03/20 12:00 a.m. · 3 views

PT-2025-12284 · Superagi · Superagi

Name of the Vulnerable Software and Affected Versions: SuperAGI (affected versions not specified). Description: SuperAGI is vulnerable to remote code execution. The agent template update API allows attackers to control certain parameters, which are then fed to the eval function without any...

CVSS 8.8 · AI score 8.9 · EPSS 0.01018
Exploits 1 · References 6
Positive Technologies
added 2025/03/20 12:00 a.m. · 3 views

PT-2025-12117 · Unknown · Transformeroptimus/Superagi

Name of the Vulnerable Software and Affected Versions: transformeroptimus/superagi version v0.0.14. Description: An IDOR (Insecure Direct Object Reference) vulnerability exists, allowing attackers to view, edit, and delete other users' information without proper authorization. The application fails ...

CVSS 8.8 · AI score 8.6 · EPSS 0.00638
Exploits 1 · References 6
NVD
added 2025/03/12 4:15 p.m. · 8 views

CVE-2025-25711

An issue in dtp.ae tNexus Airport View v.2.8 allows a remote attacker to escalate privileges via the ProfileID value to the /tnexus/rest/admin/updateUser API endpoint...

CVSS 8.8 · EPSS 0.00399
Exploits 0 · References 1
HackRead
added 2025/03/12 11:29 a.m. · 7 views

The Rising Threat of API Attacks: How to Secure Your APIs in 2025

API attacks are constantly on the rise, with a recent alarming study showing that 59% of organizations give...

AI score 7.3
Exploits 0
OSV
added 2025/03/10 8:15 p.m. · 2 views

CVE-2025-27913

Passbolt API before 5, if the server is misconfigured with an incorrect installation process and disregard of Health Check results, can send email messages with a domain name taken from an attacker-controlled HTTP Host header...

CVSS 2.1 · AI score 7.1
Exploits 0 · References 1
Tenable Nessus
added 2025/03/06 12:00 a.m. · 15 views

Linux Distros Unpatched Vulnerability : CVE-2025-0451

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Inappropriate implementation in Extensions API in Google Chrome prior to 133.0.6943.53 allowed a remote attacker who convinced a user to engage in specific UI...

CVSS 6.3 · AI score 7.4 · EPSS 0.0033
Exploits 0 · References 2
NVD
added 2025/03/05 11:15 p.m. · 11 views

CVE-2025-27622

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier do not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets...

CVSS 4.3 · EPSS 0.00684
Exploits 0 · References 1
Tenable Nessus
added 2025/03/05 12:00 a.m. · 6 views

Linux Distros Unpatched Vulnerability : CVE-2021-34337

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured...

CVSS 6.3 · AI score 6.6 · EPSS 0.00299
Exploits 0 · References 3
Vulnrichment
added 2025/03/04 5:15 a.m. · 4 views

CVE-2024-47259

Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have sufficient input validation, allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose of exhausting system resources. Ax...

CVSS 3.5 · AI score 4.6 · EPSS 0.00542
Exploits 0 · References 1
RedhatCVE
added 2025/02/28 4:42 a.m. · 9 views

CVE-2024-12434

The SureMembers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.10.6 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive data including restricted content...

CVSS 5.3 · AI score 6.7 · EPSS 0.00511
Exploits 0 · References 1
CVE
added 2025/02/28 4:21 a.m. · 102 views

CVE-2024-13796

CVE-2024-13796 relates to the WordPress plugin “Post Grid and Gutenberg Blocks – ComboBlocks” (versions

CVSS 7.5 · AI score 5.2 · EPSS 0.00409
Exploits 0 · References 3 · Affected Software 1
NVD
added 2025/02/27 8:16 p.m. · 7 views

CVE-2025-21810

In the Linux kernel, the following vulnerability has been resolved: driver core: class: Fix wild pointer dereferences in API class_dev_iter_next. There is a potential wild pointer dereference issue regarding the APIs class_dev_iter_init|next|exit, as explained by the typical usage below: // All members of @it...

CVSS 5.5 · EPSS 0.00176
Exploits 0 · References 4
Wallarm Lab
added 2025/02/20 11:51 a.m. · 6 views

DORA: Strengthening Digital Resilience Through API Security

The Digital Operational Resilience Act (DORA) is one of the most significant cybersecurity regulations for financial institutions in the European Union (EU). Failure to comply can have massive consequences, including financial penalties and forced operational downtime, meaning achieving DORA complian...

AI score 7.5
Exploits 0
Wallarm Lab
added 2025/02/14 1:17 p.m. · 14 views

Overcoming Security Challenges in Real-Time APIs

Speed is everything in the modern business world. Our attention spans are shorter than ever, consumers demand short and seamless interactions, and the slightest delay in service delivery can see organizations fall far behind their competitors. This is why real-time APIs are so important; they...

AI score 8.5
Exploits 0
Akamai Blog
added 2025/02/13 8:00 a.m. · 6 views

Introducing Akamai Managed Service for API Security

...

AI score 7.3
Exploits 0
Vulnrichment
added 2025/02/11 3:20 p.m. · 19 views

CVE-2025-24897 Misskey CSRF vulnerability due to insecure configuration of authentication cookie attributes

Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, due to a lack of CSRF protection and the lack of proper security attributes in the authentication cookies of Bull's dashboard, some of the APIs of bull-board may be...

CVSS 8.2 · AI score 8.4 · EPSS 0.00126
Exploits 0 · References 2
Wallarm Lab
added 2025/02/07 6:40 p.m. · 10 views

AI Security is API Security: What CISOs and CIOs Need to Know

Just when CIOs and CISOs thought they were getting a grip on API security, AI came along and shook things up. In the past few years, a huge number of organizations have adopted AI, realizing innumerable productivity, operational, and efficiency benefits. However, they’re also having to deal with...

AI score 7.8
Exploits 0