CDAC e-Sushrut 安全漏洞

CDAC e-Sushrut is a system platform provided by the Indian CDAC company that facilitates hospital information management and medical process support. There is a security vulnerability in CDAC e-Sushrut, which stems from plaintext exposure of OTPs in API responses. This vulnerability could allow...

CVE-2026-6706

Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0...

CVE-2026-6706

CVE-2026-6706 involves an improper access control flaw in the vault documentation feature of Devolutions Server up to 2026.1.14.0. An authenticated attacker can read documentation content from unauthorized vaults via a crafted API request. Affected component: vault documentation feature; root cau...

The API Weak Spot: Study Shows AI Is Compounding Security Pressures

Nearly 90% of businesses faced API security incidents last year at an average cost of US$700,000. A new study shows how AI is increasing API risks...

EUVD-2026-25867

ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access...

EUVD-2026-25810

A vulnerability was detected in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /item of the component API Endpoint. Performing a manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and...

PT-2026-35388

A vulnerability was detected in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /item of the component API Endpoint. Performing a manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and...

The Governance Gap: How the EU AI Act Makes API Security a Compliance Imperative

Your legal team just handed you a 400-page document and said "figure out compliance." The EU AI Act is live, your organization falls under its scope, which is broader than many expect. Even non‑EU companies must comply if their AI systems are used, deployed, or produce effects within the European...

CVE-2026-6393

The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generateopenaicontentcallback function, which relies solely on a nonce rather than verifying user permissions. This makes it possible...

UBUNTU-CVE-2026-41305

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML tags, in CSS...

EUVD-2026-25288

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery SSRF vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests t...

CVE-2026-41229

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, t...

Flowise 代码问题漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Versions of Flowise prior to 3.1.0 contained code vulnerabilities. These vulnerabilities stemmed from an SSRF vulnerability in the POST/GET API Chain component, allowing unauthenticated attackers...

EUVD-2026-24744

Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise th...

DEBIAN-CVE-2026-33611

An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend...

EUVD-2026-24658

The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the...

WeKan 安全漏洞

WeKan is an open-source dashboard application developed by WeKan. Versions of WeKan prior to 8.35 contained security vulnerabilities. These vulnerabilities stemmed from insufficient authorization checks for Integration REST API endpoints, which could allow authenticated dashboard members to perfo...

EUVD-2026-24278

Frappe HR is an open-source human resources management solution HRMS. Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available...

EUVD-2026-24165

Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL...

CVE-2026-40584 RansomLook - Improper Filtering of Private Location Entries in API Endpoints Leads to Information Exposure

RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web/api/genericapi.py. Because the code removes elements from a list while iterating over it, entries...