EUVD-2025-16634
Malicious code in bioql PyPI...
EUVD-2025-16205
Malicious code in bioql PyPI...
EUVD-2022-44074
Malicious code in bioql PyPI...
EUVD-2025-14304
Malicious code in bioql PyPI...
EUVD-2022-46982
Malicious code in bioql PyPI...
EUVD-2022-41796
Malicious code in bioql PyPI...
EUVD-2022-50988
Malicious code in bioql PyPI...
EUVD-2025-7022
Malicious code in bioql PyPI...
EUVD-2025-23523
Malicious code in bioql PyPI...
CVE-2025-59827 FlagForgeCTF is Missing Authorization in main-v2
Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, the /api/admin/assign-badge endpoint lacks proper access control, allowing any authenticated user to assign high-privilege badges (e.g., Staff) to themselves. This could lead to privilege escalation and impersonation of administrative...
Debunking API Security Myths
I recently sat down with Tejpal Garwhal, Application Security and DevSecOps Leader, for a conversation debunking some of the most common API security myths. From zombie endpoints to the limits of WAFs and gateways, we covered what’s really happening on the ground, and what security teams need to ...
HAX CMS API Lacks Authorization Checks
Summary The HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. Details The API endpoints within the HAX CMS...
CVE-2025-53940
Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for tok...
CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists
Andrew Storms, VP of Security at Replicated, has spent three decades on the frontlines of cybersecurity. From building Unix systems in the early ‘90s to leading incident response and AI security strategies today, he has seen the CISO role evolve from back-office function to boardroom mainstay. In...
CVE-2025-31513
An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can elevate to administrator privileges via the IsAdminApprover parameter in a Request%20Building%20Access requestSubmit API call. The vendor has stated that the system is protected by updating to a version equal to or greater...
CVE-2025-53528
Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack. This XSS would notably allow an attacker to execute JavaScript code ...
CVE-2025-34140 ETQ Reliance CG/NXG API Authorization Bypass via ;localized-text URI Suffix
An authorization bypass vulnerability exists in ETQ Reliance legacy CG and NXG SaaS platforms. By appending a specific URI suffix to certain API endpoints, an unauthenticated attacker can bypass access control checks and retrieve limited sensitive resources. The root cause was a misconfiguration ...
CVE-2025-31512
AlertEnterprise Guardian 4.1.14.2.2.1 contains a bypass of manager approval via the isAddedByApprover parameter in the Request Building Access requestSubmit API call. Affected product: AlertEnterprise Guardian (v4.1.14.2.2.1). Root cause: isAddedByApprover can be exploited to bypass approvals. Re...
Fail-Open Architecture for Secure Inline Protection on Azure
Every inline deployment introduces a tradeoff: enhanced inspection versus increased risk of downtime. Inline protection is important, especially for APIs, which are now the most targeted attack surface, but so is consistent uptime and performance. This is where a fail-open architecture comes in...
PT-2025-29528 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus versions 9.0.0 through 11.8.99 Description: Directus is a real-time API and App dashboard for managing SQL database content. The exact Directus version number is exposed by the /server/specs/oas endpoint without authentication in...