EUVD-2026-12544

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this...

CVE-2026-3237

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this...

PT-2026-25975

Name of the Vulnerable Software and Affected Versions Cockpit versions 2.13.4 and earlier Description Cockpit is a headless content management system. Instances running version 2.13.4 or earlier with API access enabled are susceptible to a SQL Injection issue in the MongoLite Aggregation Optimize...

PT-2026-25859

Name of the Vulnerable Software and Affected Versions SiYuan versions 3.6.0 and below Description SiYuan, a personal knowledge management system, contains an authorization bypass that allows authenticated users, including those with the Reader role, to execute arbitrary SQL statements against the...

SUSE CVE-2017-18915

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the E2E Metadata Parser API endpoint, which processes unbounded request bodies without size restrictions. An authenticated user can cause the server to run out of memory and disru...

CVE-2026-32142 shopware/commercial: `/api/_info/config` route exposes information about licenses

Shopware is an open commerce platform. /api/info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15...

Command Injection

Overview openakita is a 全能自进化AI Agent - 基于Ralph Wiggum模式，永不放弃 Affected versions of this package are vulnerable to Command Injection via the run function in the Chat API Endpoint component when processing the Message argument. An attacker can execute arbitrary operating system commands by supplyin...

CVE-2026-3964

A weakness has been identified in OpenAkita up to 1.24.3. This impacts the function run of the file src/openakita/tools/shell.py of the component Chat API Endpoint. Executing a manipulation of the argument Message can lead to os command injection. The attack is restricted to local execution. The...

CVE-2026-3964

OpenAkita up to v1.24.3 contains a local os command injection in the Chat API Endpoint, specifically in the file src/openakita/tools/shell.py (function run). An attacker can manipulate the Message argument to execute commands on the host. Public exploit exists; exploitation is local and requires ...

CVE-2026-3964 OpenAkita Chat API Endpoint shell.py run os command injection

A weakness has been identified in OpenAkita up to 1.24.3. This impacts the function run of the file src/openakita/tools/shell.py of the component Chat API Endpoint. Executing a manipulation of the argument Message can lead to os command injection. The attack is restricted to local execution. The...

EUVD-2026-11296

Shopware: Unauthenticated data extraction possible through store-api.order endpoint...

CVE-2026-31861

Cloud CLI aka Claude Code UI is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, The /api/user/git-config endpoint constructs shell commands by interpolating user-supplied gitName and gitEmail values into command strings passed to childprocess.exec. The...

CVE-2026-30928

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file glances.conf via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all...

UBUNTU-CVE-2026-30928

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file glances.conf via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all...

CVE-2026-30928 Glances Exposes Unauthenticated Configuration Secrets

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file glances.conf via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all...

CVE-2026-30928

CVE-2026-30928 affects Glances prior to 4.5.1, where the REST endpoint /api/4/config exposes the full glances.conf (including credentials) with no filtering. This can leak backend credentials (databases, API tokens, JWT keys, SSL passwords) to an attacker with API access. The issue is fixed in 4....

PT-2026-24191

Name of the Vulnerable Software and Affected Versions OneUptime affected versions not specified Description The 'resend-verification-code' endpoint in OneUptime allows an authenticated user to trigger a verification code resend for any UserWhatsApp record by its itemId. A critical flaw exists...

EUVD-2026-10393

SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the /api/block/appendHeadingChildren endpoint. An attacker can alter notebook content and compromise data integrity by sending crafted requests to this endpoint using a low-privilege authenticated account...