1450 matches found
CVE-2026-39331
ChurchCRM prior to 7.1.0 has an API authorization bypass: an authenticated API user can modify any family’s state by altering the {familyId} in requests to /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, and /family/{f...
EUVD-2026-19636
An issue that could allow a user with access to a credential to view sensitive fields through an API response has been resolved. This is an instance of CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and has an estimated CVSS score of...
EUVD-2026-19676
FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature webserver.api.clipw that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config...
CVE-2026-35487
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadprompt allows reading any .txt file on the server filesystem. The file content is returned verbatim in the API response. This vulnerability...
CVE-2026-5375
An issue that could allow a user with access to a credential to view sensitive fields through an API response has been resolved. This is an instance of CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and has an estimated CVSS score of...
BIT-DISCOURSE-2026-32273 Discourse: XSS on category description update via API
Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, updating a category description via API is not sanitizing the description string, which can lead to XSS attacks. This issue has been patched in versions 2026.1.3, 2026.2.2,...
[SECURITY] Fedora 42 Update: nextcloud-33.0.1-1.fc42
NextCloud gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing rig ht on the web. NextCloud is extendable via a simple but powerful API...
PT-2026-30975
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit...
ChurchCRM 安全漏洞
ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.0 contained security vulnerabilities. These vulnerabilities stemmed from authentication bypasses in the API middleware, allowing unverified attackers to access all protected API endpoints...
CVE-2026-5708 Improper Control of User-Modifiable Attributes in RES CreateSession API
Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio RES prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with...
CVE-2026-35046 Tandoor has a Stored CSS Injection via <style> Tag in Recipe Instructions (API-Level)
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary tags into recipe step instructions. The bleach.clean sanitizer explicitly whitelists the tag, causing the backend to...
CVE-2026-5599
A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds...
PT-2026-30436
A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds...
venueless 安全漏洞
Venueless is an open-source online activity platform developed by Venueless. There are security vulnerabilities in Venueless, stemming from improper permission management. These vulnerabilities could allow users with API access and the “Manage Users” permission to delete user accounts from other...
CVE-2026-0664
The Royal Addons for Elementor plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) flaw via the button_text parameter in versions up to 1.7.1049, caused by insufficient input sanitization and output escaping. Authenticated attackers with contributor+ privileges can inject scri...
CVE-2026-25197
A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call...
CVE-2026-25197
A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call...
CVE-2026-20160
A vulnerability in Cisco Smart Software Manager On-Prem SSM On-Prem could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. This vulnerability is due to the unintentional exposure of an internal service. An...
Bulwark Webmail 安全漏洞
Bulwark Webmail is an open-source, self-hosted webmail client developed by Bulwark Mail. Versions of Bulwark Webmail prior to 1.4.10 contained a security vulnerability. This vulnerability occurred because the GET /api/auth/session endpoint included the user’s plaintext password in the JSON...
CVE-2026-4989
Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery SSRF, potentially leading to information disclosure, via a crafted API request. This issue affects Server: from 2026.1.1 through...