1618 matches found

Positive Technologies · added 2025/04/24 12:00 a.m. · 2 views

PT-2025-17704 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.11.x through 9.11.10; Mattermost versions 10.4.x through 10.4.2; Mattermost versions 10.5.x through 10.5.0
Description: The issue concerns the improper validation of permissions for the API endpoint...

CVSS 10 · AI score 6.7 · EPSS 0.48501
Exploits 5 · References 16
Cvelist · added 2025/04/23 3:33 p.m. · 22 views

CVE-2025-32969 org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API

XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend,...

CVSS 9.3 · EPSS 0.77919
Exploits 1 · References 3
NVD · added 2025/04/23 11:15 a.m. · 10 views

CVE-2025-42604

This vulnerability exists in Meon KYC solutions because debug mode is enabled in certain API endpoints. A remote attacker could exploit this vulnerability by accessing certain unauthorized API endpoints, obtaining detailed error messages in the response and thereby disclosing system-related...

CVSS 6.9 · EPSS 0.00392
Exploits 0 · References 1
Vulnrichment · added 2025/04/23 10:38 a.m. · 7 views

CVE-2025-42603 Information Disclosure Vulnerability in Meon KYC solutions

This vulnerability exists in the Meon KYC solutions due to transmission of sensitive data in plain text within the response payloads of certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting API response that contains unencrypted sensitive...

CVSS 8.7 · AI score 6.5 · EPSS 0.00265
Exploits 0 · References 1
Positive Technologies · added 2025/04/23 12:00 a.m. · 2 views

PT-2025-17615 · Unknown · Meon Kyc Solutions

Name of the Vulnerable Software and Affected Versions: Meon KYC solutions, affected versions not specified
Description: The issue exists due to debug mode being enabled in certain API endpoints, allowing a remote attacker to exploit this by accessing unauthorized API endpoints. This leads to...

CVSS 6.9 · AI score 6.1 · EPSS 0.00392
Exploits 0 · References 9
CVE · added 2025/04/22 5:14 p.m. · 56 views

CVE-2025-32950

Summary (CVE-2025-32950): Jmix (v1.0.0–v1.6.1 and v2.0.0–v2.3.4) is vulnerable to path traversal via the FileRef parameter. An attacker could read arbitrary files on the host if the application server has sufficient permissions, by modifying FileRef in the database or by supplying a crafted value...

CVSS 6.5 · AI score 6.3 · EPSS 0.00569
Exploits 0 · References 9 · Affected Software 1
CVE · added 2025/04/22 12:00 a.m. · 70 views

CVE-2025-3850

CVE-2025-3850 affects YXJ2018 SpringBoot-Vue-OnlineExam 1.0. The issue is described as improper authentication within the component API processing, enabling remote exploitation with high attack complexity and reported public disclosure. Multiple connected sources reiterate the vulnerability again...

CVSS 6.3 · AI score 4.3 · EPSS 0.00502
Exploits 1 · References 5 · Affected Software 1
Positive Technologies · added 2025/04/22 12:00 a.m. · 4 views

PT-2025-17577 · Cuba Jpa · Cuba Jpa

Name of the Vulnerable Software and Affected Versions: Cuba JPA versions prior to 1.1.1
Description: The Cuba JPA web API allows loading and saving entities defined in the application data model through simple HTTP requests. Prior to version 1.1.1, the input parameter, which includes a file path...

CVSS 6.4 · AI score 6.3 · EPSS 0.00252
Exploits 0 · References 12
NVD · added 2025/04/21 2:15 p.m. · 9 views

CVE-2025-43916

Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirecturi containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have...

CVSS 3.4 · EPSS 0.00178
Exploits 0 · References 1
Vulnrichment · added 2025/04/21 12:00 a.m. · 5 views

CVE-2025-43916

Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirecturi containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have...

CVSS 3.4 · AI score 4 · EPSS 0.00178
Exploits 0 · References 1
Positive Technologies · added 2025/04/21 12:00 a.m. · 3 views

PT-2025-17436 · Opentext · Opentext Content Server

Name of the Vulnerable Software and Affected Versions: OpenText Content Server versions 20.2 through 24.4
Description: The issue is related to an Incorrect Authorization vulnerability in the OpenText Content Server REST API, allowing users without the appropriate permissions to remove external...

CVSS 5.5 · AI score 6.4 · EPSS 0.0024
Exploits 0 · References 7
Cvelist · added 2025/04/21 12:00 a.m. · 14 views

CVE-2025-43916

Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirecturi containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have...

CVSS 3.4 · EPSS 0.00178
Exploits 0 · References 1
Cvelist · added 2025/04/20 12:00 a.m. · 11 views

CVE-2025-43955

TwsCachedXPathAPI in Convertigo through 8.3.4 does not restrict the use of commons-jxpath APIs...

CVSS 2.2 · EPSS 0.00211
Exploits 1 · References 1
Cvelist · added 2025/04/19 2:00 p.m. · 27 views

CVE-2025-3801 songquanpeng one-api System Setting cross site scripting

A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content/About System/Footer leads to cross site scripting. It is possible to...

CVSS 4.8 · EPSS 0.00267
Exploits 0 · References 4
RedhatCVE · added 2025/04/18 12:12 a.m. · 22 views

CVE-2025-43703

An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API even though the attacker has no knowledge of an API key through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists...

CVSS 8.2 · AI score 6.8 · EPSS 0.23919
Exploits 1 · References 1
Positive Technologies · added 2025/04/17 12:00 a.m. · 3 views

PT-2025-16926 · Unknown · Wisdom Master Pro

Name of the Vulnerable Software and Affected Versions: Wisdom Master Pro versions 5.0 through 5.2
Description: A missing authorization issue in the retrieve teacher Information function allows remote attackers to obtain partial user data by accessing the API functionality.
Recommendations: For...

CVSS 6.9 · AI score 6.1 · EPSS 0.00371
Exploits 0 · References 5
Cvelist · added 2025/04/15 11:25 p.m. · 21 views

CVE-2025-30215 NATS-Server Fails to Authorize Certain Jetstream Admin APIs

NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially expose...

CVSS 9.6 · EPSS 0.00529
Exploits 0 · References 2
OSV · added 2025/04/15 10:15 p.m. · 8 views

CVE-2025-27892

Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression...

CVSS 6.8 · AI score 7.5
Exploits 0 · References 2
NVD · added 2025/04/15 9:16 p.m. · 19 views

CVE-2025-31933

An unauthenticated attacker can check the existence of usernames in the system by querying an API...

CVSS 6.9 · EPSS 0.0025
Exploits 0 · References 1
Vulnrichment · added 2025/04/15 6:07 p.m. · 14 views

CVE-2024-42189 HCL BigFix Web Reports might be subject to a Denial of Service (DoS) attack

HCL BigFix Web Reports might be subject to a Denial of Service (DoS) attack, due to potentially weak validation of an API parameter...

CVSS 5.6 · AI score 6.5 · EPSS 0.0024
Exploits 0 · References 1