How Exposed Endpoints Increase Risk Across LLM Infrastructure
As more organizations run their own Large Language Models (LLMs), they are also deploying more internal services and Application Programming Interfaces (APIs) to support those models. Modern security risks are being introduced less by the models themselves and more by the infrastructure that...
Jenkins Publish to Bitbucket Plugin is missing a permissions check
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials IDs obtained through another method, capturing...
EUVD-2022-4310
Malicious code in bioql PyPI...
EUVD-2024-0959
Malicious code in bioql PyPI...
The Scratch Channel Input Validation Error Vulnerability
The Scratch Channel is a project site of The Scratch Channel open source. An input validation error vulnerability exists in The Scratch Channel versions 1 and 1.1, which stems from insufficient validation of article publishing endpoint permissions, and could lead to unauthorized publishing of...
CVE-2020-2191
Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier does not check permissions on API endpoints that allow adding and removing agent labels...
io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage
Impact: The local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return an HTTP 500 error, resulting in a denial of service. The severity of the...
GHSA-JX4G-3XQM-62VH io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage
Impact: Attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful...
CVE-2025-22143
CVE-2025-22143 describes a reflected cross-site scripting (XSS) vulnerability in WeGIA, a web manager for charitable institutions. The flaw exists in the listar_permissoes.php endpoint and affects the msg_e parameter, enabling an attacker to inject malicious scripts. Multiple sources confirm the ...
GHSA-8PV9-QH96-9HC6 Jenkins does not perform a permission check in an HTTP endpoint
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "...
PT-2024-20789 · Unknown · Goanywhere Mft
Name of the Vulnerable Software and Affected Versions: GoAnywhere MFT versions prior to 7.4.2 Description: A path traversal issue exists, allowing attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients. Recommendations: For versions prior to 7.4.2,...
Plugin: missing permission checks in Blue Ocean Plugin
Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server...