CVE-2024-13995
Nagios XI versions prior to 2024R1.1.2 (confirmed in 2024R1.1 and 2024R1.1.1) may disclose sensitive user account information, including API keys and hashed passwords, to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account...
CVE-2023-7322
Affected software: Nagios Log Server, versions prior to 2024R1. Vulnerability: incorrect authorization in API handling could allow authenticated but non-privileged users to read or modify resources via the API beyond their rights. Root cause: insufficient authorization checks on API endpoints. Im...
CVE-2025-11587 Call Now Button <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Settings Update
The Call Now Button – The 1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with...
CVE-2023-7320
The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract...
CVE-2025-62368 Taiga Authenticated Remote Code Execution
Taiga is an open source project management platform. In versions 6.8.3 and earlier, a remote code execution vulnerability exists in the Taiga API due to unsafe deserialization of untrusted data. This issue is fixed in version 6.9.0...
CVE-2025-62367 Taiga Blind SQL Injection Time Based
Taiga is an open source project management platform. In versions 6.8.3 and earlier, Taiga API is vulnerable to time-based blind SQL injection allowing sensitive data disclosure via response timing. This issue is fixed in version 6.9.0...
CVE-2025-62259
Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions do not limit access to APIs before a user has verified their email address, which allows remote...
CVE-2025-60982
IDOR vulnerability in Educare ERP 1.0 (2025-04-22) allows unauthorized access to sensitive data via manipulated object references. Affected endpoints do not enforce proper authorization checks, allowing authenticated users to access or modify data belonging to other users by changing object...
GitLab security vulnerability
GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD continuous integration and continuous delivery, and other features. A security vulnerability exists in GitLab CE and EE versions 11.7 through 18.3...
CVE-2025-60936
Emoncms 11.7.3 is vulnerable to Cross Site Scripting (XSS) in the input handling mechanism. This vulnerability allows authenticated attackers with API access to inject malicious JavaScript code that executes when administrators view the application logs...
EUVD-2025-35612
Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests...
CVE-2025-60427
LibreTime 3.0.0-alpha.10 and possibly earlier is vulnerable to Broken Access Control, where a user with the DJ role can access analytics data via the Web UI and direct API calls. The backend does not verify role-based permissions for analytics endpoints, allowing unauthorized retrieval of...
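The entries for Nagios Log Server (CVE-2023-7322), Educare ERP (CVE-2025-60982) and LibreTime (CVE-2025-60427) all describe the same defect: the endpoint authenticates the caller but never checks whether that caller may touch the requested object or use the requested function. The example below is added here to illustrate that pattern; it is not code from any of those products. The `Invoice` records, the `ROLES` table, the user ids and the handler names are all constructed for the illustration. It pairs an unchecked lookup with an ownership-checked one, a role-free analytics handler with a role-checked one, and a small id-walking routine that shows what an authenticated low-privilege user gets back from each.

```python
"""Illustrative object-level and role-level authorization checks.

Constructed example; not code from Educare ERP, Nagios Log Server or LibreTime.
Record names, roles, user ids and handler names below are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed sample data: two ordinary users (1 and 2), each owning one invoice,
# and an admin user (3).  Sequential ids make the records guessable, which is
# exactly what an IDOR attacker relies on.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=120.0),
    102: Invoice(102, owner_id=2, amount=9000.0),
}
ROLES = {1: "dj", 2: "dj", 3: "admin"}  # hypothetical role table


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """IDOR: the caller is authenticated, but the object reference is
    trusted as-is, so any user can read any invoice by guessing its id."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_fixed(current_user_id: int, invoice_id: int) -> Invoice:
    """Object-level check: the record must belong to the caller, or the
    caller must be an admin.  A foreign record is reported as NotFound so
    the response does not confirm that the id exists."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    if inv.owner_id != current_user_id and ROLES.get(current_user_id) != "admin":
        raise NotFound(invoice_id)
    return inv


def get_analytics_vulnerable(current_user_id: int) -> dict:
    """Role-level gap: the endpoint is reachable by any authenticated user;
    the only 'restriction' is that the web UI hides the link from non-admins."""
    return {"plays": 42}


def get_analytics_fixed(current_user_id: int) -> dict:
    """Role-level check enforced on the server, so a direct API call by a
    low-privilege role fails the same way the UI does."""
    if ROLES.get(current_user_id) != "admin":
        raise Forbidden(current_user_id)
    return {"plays": 42}


def enumerate_foreign_invoices(handler, attacker_id: int, id_range) -> list:
    """Simulate an authenticated attacker walking sequential ids; returns the
    ids of records that do not belong to the attacker but were returned."""
    leaked = []
    for candidate in id_range:
        try:
            inv = handler(attacker_id, candidate)
        except NotFound:
            continue
        if inv.owner_id != attacker_id:
            leaked.append(inv.invoice_id)
    return leaked


def analytics_exposed(handler, user_id: int) -> bool:
    """True if the given user can read analytics through this handler."""
    try:
        handler(user_id)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    ids = range(100, 110)
    print("user 1 via vulnerable handler leaks:", enumerate_foreign_invoices(get_invoice_vulnerable, 1, ids))
    print("user 1 via fixed handler leaks:     ", enumerate_foreign_invoices(get_invoice_fixed, 1, ids))
    print("dj reads analytics (vulnerable):", analytics_exposed(get_analytics_vulnerable, 1))
    print("dj reads analytics (fixed):     ", analytics_exposed(get_analytics_fixed, 1))
```

The fixed lookup returns the same `NotFound` for a foreign id as for a missing one; answering with a distinct "forbidden" error would still let the attacker confirm which ids exist, which is the enumeration half of an IDOR. The role check lives in the handler rather than the UI because, as the LibreTime entry notes, direct API calls bypass whatever the front end hides.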
PT-2025-43136
Name of the Vulnerable Software and Affected Versions: GitLab versions 3.8 through 8.5
Description: Multiple vulnerabilities exist in GitLab, including improper access control, denial of service, and incorrect authorization. These issues impact the runner API. A search on Netlas.io using the provid...
CVE-2025-60279
A server-side request forgery (SSRF) vulnerability in Illia Cloud illia-Builder before v4.8.5 allows authenticated users to send arbitrary requests to internal services via the API. An attacker can leverage this to enumerate open ports based on response discrepancies and interact with internal...
EUVD-2025-34847
An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authorization logic of the affected device allows an authenticated, low-privileged user to execute the administrative ping function, which is restricted ...
CVE-2025-6892
An Incorrect Authorization vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints, including those intended for administrative functions. This vulnerability can be...
EUVD-2025-34731
Mattermost has a Missing Authorization vulnerability...
F5 BIG-IP security vulnerability
F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, and load balancing. A security vulnerability exists in F5 BIG-IP that stems from repeated undisclosed API calls that could cause the Traffic Management Microkerne...
EUVD-2025-34080
Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, Omni might leak sensitive information via an API...
CVE-2025-59975
An Uncontrolled Resource Consumption vulnerability in the HTTP daemon (httpd) of Juniper Networks Junos Space allows an unauthenticated network-based attacker flooding the device with inbound API calls to consume all resources on the system, leading to a Denial of Service (DoS). After continuously...