42 matches found

Positive Technologies
added 2026/04/14 12:0 a.m., 5 views

PT-2026-32686

Name of the Vulnerable Software and Affected Versions Snipe-IT version 8.4.0 Description Improper authorization in the '/api/v1/users/id' endpoint allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users by...

CVSS 6.5, AI score 5.8, EPSS 0.00148
Exploits: 2, References: 6
Positive Technologies
added 2026/03/20 12:0 a.m., 2 views

PT-2026-26556

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a Server-Side Request Forgery SSRF vulnerability that allows an attacker to retrieve arbitrary system and application files from the server. An attacker can exploit the...

CVSS 8.7, AI score 6, EPSS 0.0006
Exploits: 1, References: 4
RedhatCVE
added 2026/03/10 2:12 a.m., 2 views

CVE-2026-3795

A security flaw has been discovered in doramart DoraCMS 3.0.x. Impacted is the function createFileBypath of the file /DoraCMS/server/app/router/api/v1.js. Performing a manipulation results in path traversal. The attack can be initiated remotely. The exploit has been released to the public and may...

CVSS 9.8, AI score 6.3, EPSS 0.00042
Exploits: 1, References: 1
RedhatCVE
added 2026/02/28 1:55 a.m., 3 views

CVE-2026-23702

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in the API V1 route...

CVSS 8.8, AI score 6.6, EPSS 0.00043
Exploits: 0, References: 1
NVD
added 2026/02/27 2:16 a.m., 3 views

CVE-2026-23702

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in the API V1 route...

CVSS 8.8, EPSS 0.00043
Exploits: 0, References: 3
CVE
added 2026/02/27 12:55 a.m., 9 views

CVE-2026-25721

CVE-2026-25721 affects XWEB Pro ≤ 1.12.1. An authenticated user can exploit OS command injection via the restore action in API V1 by injecting input into the server username and/or password fields, enabling remote code execution. Red Hat and ENISA references corroborate the weakness. Remediation ...

CVSS 8.8, AI score 6.3, EPSS 0.00043
Exploits: 0, References: 3, Affected software: 1
OSV
added 2025/12/08 5:16 p.m., 2 views

CVE-2025-65795

Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request...

CVSS 7.5, AI score 6.8
Exploits: 0, References: 4
CVE
added 2025/12/08 12:0 a.m., 13 views

CVE-2025-65795

Converging sources confirm CVE-2025-65795 affects usememos/memos v0.25.2, due to incorrect access control on /api/v1/user, enabling unauthenticated creation of arbitrary accounts. The OSV/GHSA entries and Red Hat/NVD mirrors all describe the same root cause and impact. The Snyk advisory additiona...

CVSS 7.5, AI score 6.5, EPSS 0.00056
Exploits: 1, References: 4, Affected software: 1
OSV
added 2025/05/16 9:4 a.m., 2 views

MAL-2025-3922 Malicious code in twitter-api-v1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e845c35069d8dc1f87dbd947c508662a7462d951bfd0ccd915be80cb99502a96 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits: 0, References: 3
OSSF Malicious Packages
added 2025/05/16 9:4 a.m., 4 views

Malicious code in twitter-api-v1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e845c35069d8dc1f87dbd947c508662a7462d951bfd0ccd915be80cb99502a96 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0, References: 3
Vulnrichment
added 2024/11/01 12:5 p.m., 13 views

CVE-2024-7456 SQL Injection in lunary-ai/lunary

A SQL injection vulnerability exists in the /api/v1/external-users route of lunary-ai/lunary version v1.4.2. The order by clause of the SQL query uses sql.unsafe without prior sanitization, allowing for SQL injection. The orderByClause variable is constructed without server-side validation or...

CVSS 9.8, AI score 8.6, EPSS 0.29255
Exploits: 1, References: 2
OSV
added 2024/08/21 2:17 p.m., 21 views

GO-2023-2020 Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint in github.com/prometheus/alertmanager

Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint in github.com/prometheus/alertmanager...

CVSS 7.5, AI score 5.9, EPSS 0.03576
Exploits: 0, References: 3
OSV
added 2024/08/05 9:29 p.m., 12 views

GHSA-2JCH-QC96-9F5G Flowise Cross-site Scripting in api/v1/chatflows/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the api/v1/chatflows/id endpoint. If the default configuration is used unauthenticated, an attacker may be able to craft a...

CVSS 6.1, AI score 6.2, EPSS 0.00238
Exploits: 1, References: 4
OSV
added 2024/08/05 9:29 p.m., 14 views

GHSA-858C-QXVX-RG9V Flowise Cross-site Scripting in /api/v1/chatflows-streaming/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/chatflows-streaming/id endpoint. If the default configuration is used unauthenticated, an attacker may be able...

CVSS 6.1, AI score 6.2, EPSS 0.00407
Exploits: 1, References: 4
Vulnrichment
added 2024/06/12 11:5 a.m., 15 views

CVE-2024-5674 Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscriber management due to a PHP type juggling issue in the checkapikey function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

CVSS 6.5, AI score 7.2, EPSS 0.01616
Exploits: 0, References: 2
Cvelist
added 2024/06/12 11:5 a.m., 20 views

CVE-2024-5674 Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscriber management due to a PHP type juggling issue in the checkapikey function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

CVSS 6.5, EPSS 0.01616
Exploits: 0, References: 2
Tenable Nessus
added 2024/06/03 12:0 a.m., 19 views

RHEL 6 : openstack-glance (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - openstack-glance: API v1 copyfrom reveals network details CVE-2017-7200 - A vulnerability was found in...

CVSS 6.5, AI score 6.5, EPSS 0.00535
Exploits: 0, References: 2
Github Security Blog
added 2024/04/29 6:30 p.m., 29 views

Flowise vulnerable to code injection via api/v1

An issue in FlowiseAI Inc Flowise prior to v1.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component...

CVSS 7.6, AI score 7.5, EPSS 0.77829
Exploits: 4, References: 6, Affected software: 1
Vulnrichment
added 2024/04/29 12:0 a.m., 17 views

CVE-2024-31621

An issue in FlowiseAI Inc Flowise v.1.6.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component...

AI score 7.7, EPSS 0.77829
Exploits: 4, References: 2
CVE
added 2024/04/29 12:0 a.m., 683 views

CVE-2024-31621

CVE-2024-31621 affects Flowise Flowise v1.6.2 and earlier, with multiple sources describing an authentication bypass (notably in Flowise = 1.6.6 / 1.8.1+ per other reports). If exploitation details are present, they confirm remote code execution via /api/v1; otherwise, exploitation specifics are ...

CVSS 7.6, AI score 7.7, EPSS 0.77829
Exploits: 4, References: 2, Affected software: 1