Malicious Package
Overview apple-cktool-api-v2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
EUVD-2026-28206
A vulnerability has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. This affects an unknown function of the file /cdemos/echs/api/v2/ of the component Response Header Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit ha...
Langflow 1.8.4 Traversal / Remote Code Execution
This Metasploit module targets a path traversal vulnerability in Langflow versions 1.8.4 and below that allows attackers to write arbitrary files on the system through the /api/v2/files endpoint...
CVE-2026-33132 ZITADEL is missing enforcement of organization scopes
ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organization context during authentication using scopes urn:zitadel:iam:org:id:...
CVE-2025-64061
Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level including standard or low-privileged users, can make a GET request to this endpoint and retrieve a...
CVE-2025-64061
The CVE-2025-64061 entry affects Primakon Pi Portal 1.0.18, where the /api/v2/users endpoint exposes an unfiltered list of all registered users due to deficient access control. Any authenticated user, including those with low privileges, can perform a GET request and retrieve user data, with pass...
MAL-2025-33394 Malicious code in skynet-api-v2 (npm)
The package skynet-api-v2 was found to contain malicious code...
CVE-2025-32896 Apache SeaTunnel: Unauthenticated insecure access
Summary: Unauthorized users can perform arbitrary file read and deserialization attacks by submitting a job using the RESTful api-v1. Details: Unauthorized users can access /hazelcast/rest/maps/submit-job to submit a job. An attacker can set extra params in the mysql url to perform Arbitrary File Read and...
CVE-2024-10965
A vulnerability classified as problematic was found in emqx neuron up to 2.10.0. Affected by this vulnerability is an unknown functionality of the file /api/v2/schema of the component JSON File Handler. The manipulation leads to information disclosure. The attack can be launched remotely. The pat...
MAL-2025-2826 Malicious code in @uniqa/self-service-ms-api-v2 (npm)
PT-2024-16669 · Emq · Emqx Neuron
Name of the Vulnerable Software and Affected Versions: emqx neuron versions up to 2.10.0 Description: A vulnerability was found in emqx neuron, affecting an unknown functionality of the file "/api/v2/schema" of the component JSON File Handler. This leads to information disclosure and can be...
Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`)
Details: The /api/v2/simulation POST handler allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary files from the Hoverfly server. go...
Malicious code in byted-rtc-robot-api-v2 (PyPI)
Source: kam193 69373c46b5c735a1890c7a3b601ef30c64493d656302703ceccd4d153e3dab11. Collects basic information about the system, most probably a pentest or bug bounty. Category: PROBABLYPENTEST - Packages looking like typical pentest...
CVE-2024-5674 Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management
The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscriber management due to a PHP type juggling issue in the checkapikey function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...
Fedora 40 : PyDrive2 (2023-392085b92b)
The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-392085b92b advisory. Automatic update for PyDrive2-1.18.0-1.fc40. Changelog Thu Dec 7 2023 Mikel Olasagasti Uranga - 1.18.0-1 - Update to 1.18.0 - Closes rhbz2253086 rhbz2253467...
CVE-2022-34267
An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint...
Fedora 38 : PyDrive2 (2023-21d2191c73)
The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-21d2191c73 advisory. Update to 1.18 and security fix for CVE-2023-49297 Tenable has extracted the preceding description block directly from the Fedora security advisory...
Improper Authorization
modoboa is vulnerable to Missing Authorization. The vulnerability exists due to missing authorization checks on the /api/v2/parameters/core/ API endpoint which allows an attacker to gain sensitive information...
IBAX go-ibax vulnerable to SQL injection
A vulnerability, which was classified as critical, was found in IBAX go-ibax. This affects an unknown part of the file /api/v2/open/rowsInfo. The manipulation of the argument order leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public...