CVE-2026-24789 ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function

An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication...

CVE-2025-14592

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API...

CVE-2026-2200

A weakness has been identified in heyewei JFinalCMS 5.0.0. This affects an unknown function of the file /admin/admin/save of the component API Endpoint. Executing a manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the publi...

CVE-2026-2200 heyewei JFinalCMS API Endpoint save cross site scripting

A weakness has been identified in heyewei JFinalCMS 5.0.0. This affects an unknown function of the file /admin/admin/save of the component API Endpoint. Executing a manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the publi...

CVE-2026-25729 DeepAudit Affected by User Enumeration via Broken Access Control

DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresse...

CVE-2026-1294

The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web...

PT-2026-6774

Name of the Vulnerable Software and Affected Versions OpenSTAManager versions 2.9.8 and earlier Description OpenSTAManager contains a critical Error-Based SQL Injection issue within the Scadenzario Payment Schedule module’s bulk operations handler. The application does not properly validate that...

PT-2026-6794

Name of the Vulnerable Software and Affected Versions DeepAudit versions prior to 3.0.5 Description An improper access control issue exists in DeepAudit versions 3.0.4 and earlier. The /api/v1/users/ API endpoint allows any authenticated user to enumerate all users within the system. This allows...

DeepAudit 安全漏洞

DeepAudit is an automated vulnerability auditing tool developed by lintsinghua’s individual developers. Versions of DeepAudit 3.0.4 and earlier contain security vulnerabilities. These vulnerabilities stem from improper access control on the /api/v1/users endpoint, which may allow any authenticate...

Odoo - Cross-Site Scripting

Odoo is a business suite that has features for many business-critical areas, such as e-commerce, billing, or CRM. Versions before the 16.0 release are vulnerable to CVE-2023-1434 and is caused by an incorrect content type being set on an API endpoint. id: CVE-2023-1434 info: name: Odoo - Cross-Si...

Prototype Pollution

nocodb is vulnerable to prototype pollution. The vulnerability is due to improper handling of user-controlled input in the /api/v2/meta/connection/test endpoint, which allows an authenticated attacker with org-level-creator permissions to pollute object prototypes and cause application-wide...

GO-2026-4343 SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon in github.com/siyuan-note/siyuan/kernel

SiYuan has a Reflected Cross-Site Scripting XSS via /api/icon/getDynamicIcon in github.com/siyuan-note/siyuan/kernel...

CVE-2026-0963 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller

An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal...

Crafty Controller path traversal vulnerability

Crafty Controller is a Minecraft server control panel/launcher for Arcadia. Crafty Controller has a path traversal vulnerability, which stems from an input validation flaw in the File Operations API Endpoint component. This vulnerability could allow authenticated remote attackers to manipulate...

CVE-2020-37002

Ajenti 2.1.36 contains an authentication bypass vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoint to send a netcat reverse shell payload targeting a specified IP and port...

EUVD-2020-30907

Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API...

CVE-2020-37012

CVE-2020-37012 - Tea LaTex 1.0 Remote Code Execution Affected: Tea LaTex 1.0. The vulnerability is a remote code execution flaw that allows unauthenticated attackers to run arbitrary shell commands by crafting a malicious LaTeX payload and submitting it to the tex2png-based API action exposed at ...

CVE-2026-24124

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints /api/v1/jobs lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with acce...

CVE-2026-24036 Horilla Exposes Unpublished Job Disclosures through Unauthenticated API

Horilla is a free and open source Human Resource Management System HRMS. Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing...

CVE-2026-0663

Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint...