2005 matches found

RedhatCVE · added 2025/05/23 4:46 a.m. · 5 views

CVE-2023-22813

A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS...

CVSS 4.3 · AI score 6.6 · EPSS 0.00455
Exploits 0 · References 1
RedhatCVE · added 2025/05/23 3:36 a.m. · 6 views

CVE-2023-28345

An issue was discovered in Faronics Insight 10.0.19045 on Windows. The Insight Teacher Console application exposes the teacher's Console password in cleartext via an API endpoint accessible from localhost. Attackers with physical access to the Teacher Console can open a web browser, navigate to t...

CVSS 4.6 · AI score 6.8 · EPSS 0.00319
Exploits 1 · References 1
RedhatCVE · added 2025/05/23 3:00 a.m. · 5 views

CVE-2023-1609

A vulnerability was found in Zhong Bang CRMEB Java up to 1.3.4. It has been rated as problematic. This issue affects the function save of the file /api/admin/store/product/save. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to...

CVSS 5.4 · AI score 5.9 · EPSS 0.00517
Exploits 1 · References 1
RedhatCVE · added 2025/05/23 2:06 a.m. · 9 views

CVE-2023-46646

Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected GitHu...

CVSS 5.3 · AI score 6.7 · EPSS 0.0054
Exploits 0 · References 1
RedhatCVE · added 2025/05/23 1:52 a.m. · 12 views

CVE-2023-2299

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.4.2 due to a missing capability check on the processAction...

CVSS 5.3 · AI score 6.7 · EPSS 0.00645
Exploits 1 · References 1
CVE · added 2025/05/23 12:00 a.m. · 80 views

CVE-2025-48741

CVE-2025-48741 affects StrangeBee TheHive. A Broken Access Control flaw allows remote, authenticated, and unprivileged users to retrieve alerts, cases, logs, observables, or tasks via a specific API endpoint. Affected ranges and fixes: 5.2.0–5.2.15 → upgrade to 5.2.16+, 5.3.0–5.3.10 → upgrade to ...

CVSS 6.8 · AI score 6.5 · EPSS 0.0027
Exploits 0 · References 1
Positive Technologies · added 2025/05/23 12:00 a.m. · 4 views

PT-2025-22806 · Unknown · Phpgurukul Restaurant Table Booking System

Name of the Vulnerable Software and Affected Versions: PHPGURUKUL Restaurant Table Booking System using PHP and MySQL version 1.0
Description: The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the searchdata parameter at the "/rtbs/check-status.php" AP...

CVSS 9.8 · AI score 7.3 · EPSS 0.00406
Exploits 1 · References 5
Positive Technologies · added 2025/05/23 12:00 a.m. · 7 views

PT-2025-22638 · Cyberdava · Cyberdava

Name of the Vulnerable Software and Affected Versions: CyberDAVA versions prior to 1.1.20
Description: A privilege escalation issue allows a low-privileged user to escalate their privilege by abusing the API endpoint "/api/v2/users/user//role/ROLE/" due to the lack of access control, potentially...

CVSS 6.4 · AI score 7 · EPSS 0.00186
Exploits 0 · References 5
BDU FSTEC · added 2025/05/23 12:00 a.m. · 5 views

The vulnerability of the set_ws_action function in the /dws/api/ section of the Tenda DAP-1520 router’s software allows a hacker to execute arbitrary code.

The vulnerability of the set_ws_action function in the /dws/api/ endpoint of the Tenda DAP-1520 router’s software is related to buffer overflow in dynamic memory. Exploiting this vulnerability could allow a remote attacker to execute arbitrary code by using the host parameter...

CVSS 10 · AI score 8.5 · EPSS 0.00944
Exploits 1 · References 6 · Affected Software 1
RedhatCVE · added 2025/05/22 11:42 p.m. · 5 views

CVE-2022-41232

A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint...

CVSS 8 · AI score 7.4 · EPSS 0.00447
Exploits 0 · References 1
RedhatCVE · added 2025/05/22 10:32 p.m. · 8 views

CVE-2022-25506

FreeTAKServer-UI v1.9.8 was discovered to contain a SQL injection vulnerability via the API endpoint /AuthenticateUser...

CVSS 6.5 · AI score 8.2 · EPSS 0.00855
Exploits 1 · References 1
RedhatCVE · added 2025/05/22 10:11 p.m. · 8 views

CVE-2022-3798

A vulnerability classified as critical has been found in IBAX go-ibax. Affected is an unknown function of the file /api/v2/open/tablesInfo. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-2126...

CVSS 8.8 · AI score 7.3 · EPSS 0.00506
Exploits 0 · References 1
RedhatCVE · added 2025/05/22 10:05 p.m. · 10 views

CVE-2022-39833

FileCloud Versions 20.2 and later allows remote attackers to potentially cause unauthorized remote code execution and access to reported API endpoints via a crafted HTTP request...

CVSS 7.2 · AI score 7.8 · EPSS 0.02619
Exploits 1 · References 1
RedhatCVE · added 2025/05/22 9:05 p.m. · 8 views

CVE-2021-24385

The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from an HTTP POST request. This is a major vulnerability as the user input is not escaped and passed directly to the get_col function and it allows SQL injection. The Rest...

CVSS 9.8 · AI score 7.9 · EPSS 0.02793
Exploits 2 · References 1
RedhatCVE · added 2025/05/22 8:43 p.m. · 2 views

CVE-2021-39888

In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates...

CVSS 4.3 · AI score 5.8 · EPSS 0.01007
Exploits 1 · References 1
RedhatCVE · added 2025/05/22 8:13 p.m. · 5 views

CVE-2021-39875

In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint...

CVSS 5.3 · AI score 6.1 · EPSS 0.01134
Exploits 0 · References 1
RedhatCVE · added 2025/05/22 7:23 p.m. · 5 views

CVE-2021-24731

The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection...

CVSS 9.8 · AI score 7.1 · EPSS 0.07542
Exploits 2 · References 1
RedhatCVE · added 2025/05/22 7:10 p.m. · 5 views

CVE-2021-21471

In CLA-Assistant, versions before 2.8.5, due to improper access control an authenticated user could access API endpoints which are not intended to be used by the user. This could impact the integrity of the application...

CVSS 6.5 · AI score 6.7 · EPSS 0.00729
Exploits 0 · References 1
RedhatCVE · added 2025/05/22 6:23 p.m. · 7 views

CVE-2021-24170

The REST API endpoint getusers in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less...

CVSS 7.5 · AI score 6.6 · EPSS 0.04788
Exploits 2 · References 1
RedhatCVE · added 2025/05/22 4:07 p.m. · 12 views

CVE-2020-2191

Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier does not check permissions on API endpoints that allow adding and removing agent labels...

CVSS 4.3 · AI score 6.8 · EPSS 0.00656
Exploits 0