CVE-2026-45296 OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several appapikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...
CVE-2026-23595
An authentication bypass in the application API allows an unauthorized administrative account to be created. A remote attacker could exploit this vulnerability to create privileged user accounts. Successful exploitation could allow an attacker to gain administrative access, modify system...
EUVD-2023-34332
Malicious code in bioql PyPI...
Malicious code in oneshot-application-api (npm)
The package oneshot-application-api was found to contain malicious code...
MAL-2025-28241 Malicious code in oneshot-application-api (npm)
The package oneshot-application-api was found to contain malicious code...
[SECURITY] Fedora 42 Update: nextcloud-31.0.5-1.fc42
NextCloud gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing right on the web. NextCloud is extendable via a simple but powerful API...
HaoKeKeJi YiQiNiu Code Issue Vulnerability
HaoKeKeJi YiQiNiu is an application from HaoKeKeJi. A code issue vulnerability exists in HaoKeKeJi YiQiNiu version 3.1 and prior versions, which stems from a cross-site request forgery vulnerability in the httppost function of the /application/pay/controller/Api.php file...
Likeshop Code Issue Vulnerability
Likeshop is a complete solution for social commerce strategy from Likeshop open source. A code issue vulnerability exists in Likeshop 2.5.7.20210311 and earlier versions, which stems from the parameter file in the file server/application/api/controller/File.php that can lead to unrestricted uploa...
CVE-2023-2886
Missing Origin Validation in WebSockets vulnerability in CBOT Chatbot allows Content Spoofing Via Application API Manipulation. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7...
Input validation
Missing Origin Validation in WebSockets vulnerability in CBOT Chatbot allows Content Spoofing Via Application API Manipulation. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7...
CVE-2023-2886
The CVE-2023-2886 entry concerns CBOT Chatbot core software and its WebSockets origin validation. Affected: CBOT Chatbot Core prior to v4.0.3.4 and Panel prior to v4.0.3.7. Root cause: Missing Origin Validation in WebSockets, enabling content spoofing via the application API manipulation. Impact:...
CVE-2018-14893
CVE-2018-14893 concerns ZyXEL NSA325 V2 (firmware version 4.81) with a command injection vulnerability in the zyshclient component. The flaw permits an attacker to execute system commands via the web application API. Multiple sources (NVD, CVE records, CNVD) describe the same issue, identifying z...
CVE-2018-14893
A system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API...
CVE-2018-14893
A system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API...
Command injection
A system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API...
Amanda 3.3.1 - amstar Command Injection Privilege Escalation
AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup solution that allows the IT administrator to set up a single master backup server to back up multiple hosts over the network to tape drives/changers or disks or...