
1445 matches found

Positive Technologies (added 2025/04/15)

PT-2025-16414

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: An unauthenticated attacker can infer the existence of usernames in the system by querying an API. Recommendations: At the moment, there is no information about a newer version that contains a...

CVSS 6.9 | AI score 6.5 | EPSS 0.00398 | Exploits 0 | References 5
Positive Technologies (added 2025/04/15)

PT-2025-16488

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: Unauthenticated attackers can query an API endpoint and get device details. Recommendations: At the moment, there is no information about a newer version that contains a fix for this...

CVSS 6.9 | AI score 6.5 | EPSS 0.00477 | Exploits 0 | References 6
BDU FSTEC (added 2025/04/09)

A vulnerability in the application programming interface of the Cisco Meeting Management subsystem allows an attacker to escalate their privileges.

The vulnerability in the application programming interface of the Cisco Meeting Management subsystem relates to improper privilege management. Exploiting it allows a malicious actor to escalate their privileges through specially crafted requests...

CVSS 9.9 | AI score 8.1 | EPSS 0.01159 | Exploits 0 | References 3 | Affected Software 1
BDU FSTEC (added 2025/04/07)

A vulnerability in the FortiSIEM security management system, related to insufficient protection of operational data, allows an attacker to obtain the database password.

The vulnerability in the FortiSIEM security management system is related to insufficient protection of operational data. Exploiting it can allow a remote malicious actor to obtain database passwords through specially crafted API requests...

CVSS 8.1 | AI score 5.4 | EPSS 0.00335 | Exploits 0 | References 2 | Affected Software 1
OSV (added 2025/04/03)

CVE-2025-3135

A vulnerability classified as critical was found in fcbazzm ics-park Smart Park Management System 2.1. This vulnerability affects unknown code of the file /api/system/dept/update. The manipulation leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the...

CVSS 9.8 | AI score 5.7 | Exploits 0 | References 4
OSV (added 2025/04/02)

UBUNTU-CVE-2024-36465

A low privilege regular Zabbix user with API access can use SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter...

CVSS 8.8 | AI score 6.2 | EPSS 0.23028 | Exploits 0 | References 3
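The Zabbix entry above is the classic shape of an injectable groupBy parameter: a column name cannot be passed as a bound SQL parameter, so it gets spliced into the query string, and if the value is not validated the parameter is a full injection point. The following is an added example written for this page, not Zabbix's code: it uses a constructed in-memory SQLite schema (the table and column names are invented) to show the vulnerable splice beside the allowlist-based fix.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema for the demo; not Zabbix's real tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE hosts (hostid INTEGER, status INTEGER, name TEXT);
        INSERT INTO hosts VALUES (1, 0, 'web'), (2, 0, 'db'), (3, 1, 'cache');
        CREATE TABLE users (userid INTEGER, username TEXT, passwd TEXT);
        INSERT INTO users VALUES (1, 'Admin', 'zbx-secret-hash');
    """)
    return conn


def count_hosts_vulnerable(conn, group_by):
    """'Before' pattern: the caller-supplied column name is spliced into SQL.

    A column name cannot be a bound parameter, so string building is tempting;
    without validation the groupBy value is a full injection point.
    """
    sql = f"SELECT COUNT(*) FROM hosts GROUP BY {group_by}"
    return conn.execute(sql).fetchall()


# Hypothetical allowlist of the columns this API actually supports grouping by.
ALLOWED_GROUP_BY = frozenset({"hostid", "status", "name"})


def count_hosts_safe(conn, group_by):
    """Hardened: the identifier is checked against a fixed allowlist, then quoted."""
    if group_by not in ALLOWED_GROUP_BY:
        raise ValueError(f"unsupported groupBy column: {group_by!r}")
    sql = f'SELECT COUNT(*) FROM hosts GROUP BY "{group_by}"'
    return conn.execute(sql).fetchall()


def demo():
    """Run one constructed payload through both versions.

    Returns (values the vulnerable query returned, whether the safe version rejected it).
    """
    conn = make_db()
    # Compound-select payload: appends a second SELECT against another table.
    payload = "status UNION SELECT passwd FROM users --"
    leaked = [row[0] for row in count_hosts_vulnerable(conn, payload)]
    try:
        count_hosts_safe(conn, payload)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable query returned:", leaked)
    print("allowlist rejected payload:", blocked)
```

The allowlist is the point: quoting alone does not help here, because the attacker controls what is being quoted. Grouping columns, sort columns and table names all need the same treatment.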
CNNVD (added 2025/04/01)

raven input validation error vulnerability

raven is a simple, open source team messaging platform from Commit Open Source. An input validation error vulnerability exists in versions of Raven prior to 2.1.10 that stems from allowing any logged-in user to execute code via an API endpoint...

CVSS 8.1 | AI score 7 | EPSS 0.00527 | Exploits 0 | References 2
CNNVD (added 2025/03/31)

Tuleap security vulnerability

Tuleap is an open source suite from Enalean Open Source designed to improve the management of software development and collaboration. A security vulnerability exists in Tuleap Community Edition prior to 16.5.99.1742392651 and Tuleap Enterprise Edition prior to 16.5-5, and prior to 16.4-8, which...

CVSS 4.3 | AI score 6.6 | EPSS 0.00287 | Exploits 0 | References 5
SUSE CVE (added 2025/03/29)

SUSE CVE-2025-25068

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes...

CVSS 8.8 | AI score 6.9 | EPSS 0.00317 | Exploits 0 | References 3
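The Mattermost entry above describes a structural failure rather than a logic bug: the MFA check lived in one router, and a second router (plugin routes) never consulted it. The following is an added example written for this page, not Mattermost's code; the route tables and paths are invented. It shows the gate placed inside one router beside the gate placed in front of every router, plus a small audit function that lists what an MFA-pending session can still reach.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    mfa_required: bool   # policy says this user must complete a second factor
    mfa_verified: bool   # this session has actually completed it


# Hypothetical route tables; the paths are illustrative, not Mattermost's routing.
CORE_ROUTES = {"/api/v4/users/me", "/api/v4/channels"}
PLUGIN_ROUTES = {"/plugins/com.example.export/api/v1/dump"}
# Steps a user must be able to reach before the second factor is verified.
MFA_EXEMPT = {"/api/v4/users/login", "/api/v4/users/mfa", "/api/v4/users/logout"}


def mfa_gate(session: Session, path: str):
    """Return an error tuple if the second factor is outstanding, else None."""
    if path in MFA_EXEMPT:
        return None
    if session.mfa_required and not session.mfa_verified:
        return 401, "mfa_required"
    return None


def authorize_vulnerable(session: Session, path: str):
    """'Before' pattern: the gate is called from inside the core router only."""
    if path in CORE_ROUTES or path in MFA_EXEMPT:
        return mfa_gate(session, path) or (200, "ok")
    if path in PLUGIN_ROUTES:
        return 200, "ok"          # plugin router never consults the gate
    return 404, "not_found"


def authorize_hardened(session: Session, path: str):
    """Hardened: one gate ahead of every router, with an explicit exempt list."""
    if path not in CORE_ROUTES | PLUGIN_ROUTES | MFA_EXEMPT:
        return 404, "not_found"
    return mfa_gate(session, path) or (200, "ok")


def audit(authorize):
    """Routes an MFA-pending session can reach that are not on the exempt list.

    An empty set means the gate covers everything; anything else is a bypass.
    """
    pending = Session("u1", mfa_required=True, mfa_verified=False)
    reachable = {p for p in CORE_ROUTES | PLUGIN_ROUTES | MFA_EXEMPT
                 if authorize(pending, p)[0] == 200}
    return reachable - MFA_EXEMPT


if __name__ == "__main__":
    print("bypassable (vulnerable):", audit(authorize_vulnerable))
    print("bypassable (hardened):", audit(authorize_hardened))
```

The audit is the reusable part: enumerate every registered route, drive it with a session that has not completed MFA, and fail the build if anything outside the exempt list answers 200. That catches the next router someone bolts on as well as this one.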
CNNVD (added 2025/03/28)

Unitree Go 1 security vulnerability

Unitree Go 1 is a robotic dog from the Chinese company Unitree. Unitree Go 1 suffers from a security vulnerability that stems from an undocumented backdoor that could lead to full remote control of the device by the manufacturer or a person in possession of an API key...

CVSS 6.6 | AI score 6.5 | EPSS 0.00704 | Exploits 2 | References 4
Patchstack (added 2025/03/27)

WordPress Better WishList API plugin <= 1.1.4 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting (XSS) Vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Better WishList API versions <= 1.1.4...

CVSS 7.1 | AI score 6.2 | EPSS 0.00273 | Exploits 0 | Affected Software 1
Snyk (added 2025/03/20)

Improper Privilege Management

Overview: open-webui is an Open WebUI. Affected versions of this package are vulnerable to Improper Privilege Management through the API endpoint http://0.0.0.0:8080/api/v1/users/uuidadministrator. An attacker, acting as an admin, can delete other administrators. This action is restricted by the us...

CVSS 8.3 | AI score 8.2 | EPSS 0.00647 | Exploits 1 | References 2
CNNVD (added 2025/03/20)

Composio security vulnerability

Composio is a production-ready toolset for AI agents open-sourced by Composio. A security vulnerability exists in Composio version 0.5.10 that stems from the API not validating the value of the x-api-key header, which could lead to unauthorized access...

CVSS 9.8 | AI score 9.3 | EPSS 0.00817 | Exploits 1 | References 1
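The Composio entry above says the API did not validate the value of the x-api-key header, which in practice usually means the code tested that the header was present and went no further. The following is an added example written for this page, not Composio's code. The key store and key values are constructed; it shows the presence-only check beside a check that hashes the presented key and compares it against stored digests in constant time.

```python
import hashlib
import hmac


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


# Constructed key store: key id -> SHA-256 of the key. Raw keys are never persisted,
# so a leaked store does not hand out working credentials.
KEY_STORE = {
    "svc-billing": _digest("ck_live_constructed_billing_7Gq2"),
    "svc-search": _digest("ck_live_constructed_search_Zp9x"),
}


def _header(headers: dict, name: str):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def check_api_key_vulnerable(headers: dict) -> bool:
    """'Before' pattern: only the presence of x-api-key is tested, never its value."""
    return _header(headers, "x-api-key") is not None


def check_api_key(headers: dict, store: dict = KEY_STORE):
    """Hardened: hash the presented key and compare against the stored digests.

    Returns the matching key id, or None. The loop visits every entry and uses
    hmac.compare_digest, so neither a mismatch position nor the set of valid
    ids is reflected in timing.
    """
    presented = _header(headers, "x-api-key")
    if not presented:
        return None
    d = _digest(presented)
    matched = None
    for key_id, stored in store.items():
        if hmac.compare_digest(d, stored):
            matched = key_id
    return matched


if __name__ == "__main__":
    junk = {"X-Api-Key": "anything-at-all"}
    print("vulnerable accepts junk:", check_api_key_vulnerable(junk))
    print("hardened accepts junk:", check_api_key(junk))
    print("hardened accepts real key:",
          check_api_key({"x-api-key": "ck_live_constructed_billing_7Gq2"}))
```

Returning the key id rather than a bare boolean matters for the next step: whatever the endpoint does afterwards should be scoped to that id, not to "some key was valid".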
Positive Technologies (added 2025/03/20)

PT-2025-12330

Name of the Vulnerable Software and Affected Versions: Nebula Informatics SecHard versions prior to 3.3.0.20220411. Description: The issue is related to the incorrect use of privileged APIs, cleartext transmission of sensitive information, and insufficiently protected credentials. This allows for...

CVSS 9 | AI score 5.4 | EPSS 0.00162 | Exploits 0 | References 10
CNNVD (added 2025/03/14)

LogicalDOC security vulnerability

LogicalDOC is a document management system developed using Java technology by LogicalDOC, Inc. in the United States. The system has features such as Lucene full-text search indexing and automatic import. LogicalDOC has a security vulnerability that stems from an API endpoint flaw that could allow...

CVSS 8.8 | AI score 7.4 | EPSS 0.00552 | Exploits 0 | References 2
Patchstack (added 2025/03/13)

WordPress Resido theme <= 3.6 - Missing Authorization to Unauthenticated Server-Side Request Forgery and API Key Settings Update vulnerability

Missing Authorization to Unauthenticated Server-Side Request Forgery and API Key Settings Update vulnerability discovered by Lucio Sá in WordPress Plugin Resido versions <= 3.6...

CVSS 5.3 | AI score 8.9 | EPSS 0.00258 | Exploits 0 | References 1 | Affected Software 1
CNNVD (added 2025/03/13)

GitLab Enterprise Edition security vulnerability

GitLab Enterprise Edition EE is a content management system from the American company GitLab. A security vulnerability exists in GitLab Enterprise Edition versions 12.3 through prior to 17.7.7, 17.8 through prior to 17.8.5, and 17.9 through prior to 17.9.2, which stems from a vulnerability in...

CVSS 7.5 | AI score 6.2 | EPSS 0.0043 | Exploits 0 | References 2
CNNVD (added 2025/03/13)

Rising Technosoft CAP back office application authorization issue vulnerability

Rising Technosoft CAP back office application is a back office application from Rising Technosoft India. The Rising Technosoft CAP back office application suffers from an authorization issue vulnerability that stems from a weak password reset mechanism implemented in the API endpoint that allows ...

CVSS 8.3 | AI score 6.9 | EPSS 0.00337 | Exploits 0 | References 1
ATTACKERKB (added 2025/03/11)

CVE-2023-40723

An exposure of sensitive information to an unauthorized actor in Fortinet FortiSIEM version 6.7.0 through 6.7.4 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.1 and 6.4.0 through 6.4.2 and 6.3.0 through 6.3.3 and 6.2.0 through 6.2.1 and 6.1.0 through 6.1.2 and 5.4.0 and 5.3.0 through 5.3.3 and 5.2...

CVSS 8.1 | AI score 6 | EPSS 0.00335 | Exploits 0 | References 2 | Affected Software 1
Hacker One (added 2025/03/09)

U.S. Dept Of Defense: Information Disclosure in API Endpoint /users

An endpoint /users was exposing sensitive user information, including id, first name, last name, email, role, and authdata, to unauthenticated users. This allowed anyone to retrieve private user details without authentication...

AI score 7 | Exploits 0
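The HackerOne report above (an unauthenticated /users endpoint returning id, names, email, role and authdata) and the Positive Technologies entry near the top of the list (an API that lets an unauthenticated caller learn whether a username exists) are two faces of the same mistake: user records reach the wire without an authentication check and without a field allowlist. The following is an added example written for this page, not the reported application's code. The user records, the allowlist and the mail queue are constructed; it shows the whole-record dump beside an authenticated, allowlisted projection, and a lookup endpoint whose response does not depend on whether the account exists.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    first_name: str
    last_name: str
    email: str
    role: str
    authdata: str  # stands in for the credential material the report says was returned


# Constructed sample records, not real data.
USERS = [
    User(1, "Ada", "Lovelace", "ada@example.test", "admin", "pbkdf2-sha256$constructed$01"),
    User(2, "Alan", "Turing", "alan@example.test", "user", "pbkdf2-sha256$constructed$02"),
]

# Hypothetical allowlist: the only fields an authenticated caller gets by default.
# Anything else (email, role, authdata) needs its own, narrower endpoint.
PUBLIC_FIELDS = ("id", "first_name", "last_name")

OUTBOX = []  # stand-in for the mail queue; not observable to the API caller


def list_users_vulnerable(request: dict):
    """'Before' pattern from the report: no auth check, whole record serialised."""
    return 200, [vars(u) for u in USERS]


def list_users(request: dict):
    """Hardened: authenticate first, then serialise through the allowlist.

    The projection is built from PUBLIC_FIELDS, never from vars()/to_dict() on
    the model, so a field added to the model later is not exposed by accident.
    """
    if not request.get("authenticated_user"):
        return 401, {"error": "authentication required"}
    return 200, [{f: getattr(u, f) for f in PUBLIC_FIELDS} for u in USERS]


def request_password_reset(email: str):
    """Uniform response whether or not the account exists.

    The lookup still happens and the side effect still fires for real accounts,
    but status code and body are identical in both cases, so the endpoint cannot
    be used to enumerate users.
    """
    user = next((u for u in USERS if u.email == email), None)
    if user is not None:
        OUTBOX.append((user.email, "reset-link"))
    return 200, {"message": "If that account exists, a reset link has been sent."}


if __name__ == "__main__":
    print("unauthenticated, vulnerable:", list_users_vulnerable({})[1][0].keys())
    print("unauthenticated, hardened:", list_users({}))
    print("authenticated, hardened:", list_users({"authenticated_user": "ada"})[1])
    print(request_password_reset("ada@example.test") == request_password_reset("x@example.test"))
```

Response time is the remaining channel: if the existing-user branch does noticeably more work (a database write, an outbound mail call) than the missing-user branch, do that work asynchronously so the response returns on the same path either way.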