
13 matches found

RedhatCVE · added 2026/03/26 3:11 p.m.

CVE-2026-23488

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note, including private notes, without authorization, even if the note has not been publicly shared. The...

CVSS 6.9 · AI score 5.7 · EPSS 0.00015
Exploits: 0 · References: 1

Cvelist · added 2026/03/23 8:48 p.m.

CVE-2026-23488 Blinko: multiple interfaces in the comment feature allow unauthorized access

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note, including private notes, without authorization, even if the note has not been publicly shared. The...

CVSS 6.9 · EPSS 0.00015
Exploits: 0 · References: 4

ATTACKERKB · added 2026/03/23 8:48 p.m.

CVE-2026-23488

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note, including private notes, without authorization, even if the note has not been publicly shared. The...

CVSS 6.9 · AI score 5.7 · EPSS 0.00015
Exploits: 0 · References: 5 · Affected Software: 1

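
The three CVE-2026-23488 entries above describe the same class of bug: a comment-creation endpoint that looks a note up by id and stores the comment without checking whether the caller is allowed to see that note. The following is an added illustrative example, not Blinko's code and not taken from the advisory: an in-memory note store with the unchecked handler beside a hardened one. The Note fields, the owner/is_public rule and the sample ids are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class Forbidden(Exception):
    """Raised when the caller may not comment on the requested note."""


@dataclass
class Note:
    id: int
    owner_id: int
    is_public: bool = False                      # True once the owner has shared the note
    comments: List[Tuple[Optional[int], str]] = field(default_factory=list)


def make_notes() -> Dict[int, Note]:
    """Constructed sample data (assumption: not from any real Blinko instance)."""
    return {
        1: Note(id=1, owner_id=10, is_public=True),    # shared note, open to comments
        2: Note(id=2, owner_id=10, is_public=False),   # private note, never shared
    }


def create_comment_vulnerable(notes: Dict[int, Note], note_id: int,
                              actor_id: Optional[int], text: str) -> int:
    """The broken-access-control pattern: existence of the note is the only
    check, so any caller (even an unauthenticated one) can comment on any note.
    Returns the new comment count."""
    note = notes[note_id]
    note.comments.append((actor_id, text))
    return len(note.comments)


def can_comment(note: Note, actor_id: Optional[int]) -> bool:
    """Authorization rule (an assumption for this example): the caller must be
    signed in, and must either own the note or the note must be publicly shared."""
    if actor_id is None:
        return False
    return note.owner_id == actor_id or note.is_public


def create_comment_hardened(notes: Dict[int, Note], note_id: int,
                            actor_id: Optional[int], text: str) -> int:
    """Same operation with the authorization decision made on the server, from
    the note's own state, before anything is written."""
    note = notes.get(note_id)
    # One error for "no such note" and "not allowed", so probing ids does not
    # reveal which private notes exist.
    if note is None or not can_comment(note, actor_id):
        raise Forbidden("comment not permitted")
    note.comments.append((actor_id, text))
    return len(note.comments)


if __name__ == "__main__":
    store = make_notes()
    print("vulnerable:", create_comment_vulnerable(store, 2, 99, "hi"))  # stranger on a private note
    store = make_notes()
    print("hardened, shared note:", create_comment_hardened(store, 1, 99, "hi"))
    try:
        create_comment_hardened(store, 2, 99, "hi")
    except Forbidden as err:
        print("hardened, private note:", err)
```

The point to carry over to any real code base is where the decision is made: the hardened handler derives permission from the note record (owner, shared flag) on every request rather than trusting anything the client sent about the note's visibility.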
EUVD · added 2026/01/26 12:00 a.m.

EUVD-2025-206358

An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, portfolio-item-service data retrieval module endpoints...

CVSS 7.5 · AI score 5.9 · EPSS 0.00075
Exploits: 0 · References: 3

RedhatCVE · added 2026/01/09 9:53 a.m.

CVE-2020-10808

Vesta Control Panel VestaCP through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bashlogout to a .bashlogout' substring followed by shell...

CVSS 9 · AI score 7 · EPSS 0.77831
Exploits: 7 · References: 1

RedhatCVE · added 2025/05/22 9:01 p.m.

CVE-2021-24319

The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise its postexcerpt parameter before outputting it back in the shop/my-account/bello-listing-endpoint/ page, leading to a Cross-Site Scripting issue...

CVSS 5.4 · AI score 6.3 · EPSS 0.00162
Exploits: 2 · References: 1

Positive Technologies · added 2024/06/13 12:00 a.m.

PT-2024-12517 · Modern Campus · Modern Campus - Omni Cms

Name of the Vulnerable Software and Affected Versions: Modern Campus - Omni CMS version 2023.1
Description: A Directory Traversal issue allows a remote, unauthenticated attacker to enumerate file system information via the dir parameter to the "listing.php" or "rss.php" API endpoints.
Recommendations...

CVSS 5.3 · AI score 7.2 · EPSS 0.02607
Exploits: 0 · References: 5

ATTACKERKB · added 2023/05/25 3:15 a.m.

CVE-2023-2732

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers ...

CVSS 9.8 · AI score 7.2 · EPSS 0.91486
Exploits: 3 · References: 5

Positive Technologies · added 2023/05/25 12:00 a.m.

PT-2023-21067 · WordPress · Mstore Api

Name of the Vulnerable Software and Affected Versions: MStore API plugin for WordPress versions up to, and including, 3.9.2
Description: The issue is related to insufficient verification of the user being supplied during the "add listing" REST API request through the plugin. This allows...

CVSS 9.8 · AI score 9.3 · EPSS 0.91486
Exploits: 3 · References: 11

WPVulnDB · added 2021/05/16 12:00 a.m.

Bello < 1.6.0 - Authenticated Cross-Site Scripting (XSS) and XFS

The theme did not properly sanitise its postexcerpt parameter before outputting it back in the shop/my-account/bello-listing-endpoint/ page, leading to a Cross-Site Scripting issue. PoC -- Payloads: $ -- PoC | Authenticated XFS | My Listings: ! POST...

CVSS 5.4 · AI score 5.4 · EPSS 0.00162
Exploits: 2 · References: 1 · Affected Software: 1

OSV · added 2020/03/22 5:15 p.m.

CVE-2020-10808

Vesta Control Panel VestaCP through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bashlogout to a .bashlogout' substring followed by shell...

CVSS 8.8 · AI score 5.8
Exploits: 0 · References: 5

NVD · added 2020/03/22 5:15 p.m.

CVE-2020-10808

Vesta Control Panel VestaCP through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bashlogout to a .bashlogout' substring followed by shell...

CVSS 9 · AI score 8.7 · EPSS 0.77831
Exploits: 7 · References: 5

Positive Technologies · added 2020/03/22 12:00 a.m.

PT-2020-12337 · Vestacp · Vesta Control Panel

Name of the Vulnerable Software and Affected Versions: Vesta Control Panel VestaCP versions 0.9.8-26 and earlier
Description: The issue allows Command Injection via the "schedule/backup Backup Listing Endpoint". An attacker must be able to create a crafted filename on the server. This can be...

CVSS 9 · AI score 8.6 · EPSS 0.77831
Exploits: 7 · References: 8

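
The CVE-2020-10808 entries above (RedhatCVE, OSV, NVD and PT-2020-12337) all describe the same mechanism: a filename the attacker controls is spliced into a shell command that lists backups, and a single quote inside the name ends the quoted literal early. The following is an added illustrative example, not VestaCP's code and not its exploit: the string-interpolation pattern next to the argv form, exercised with a constructed crafted name, plus the allowlist check that should run before the name reaches any command. The echo command, the regular expression and both sample names are assumptions chosen for the demonstration.

```python
import re
import subprocess

# Constructed filenames (assumption: not captured from any real server). The
# crafted one closes the single-quoted literal early, appends a second command,
# and uses '#' to comment out the closing quote the template adds after it.
BENIGN_NAME = ".bashlogout"
CRAFTED_NAME = ".bashlogout'; echo INJECTED #"


def list_backup_vulnerable(name: str) -> str:
    """The pattern behind this class of bug: the filename is interpolated into a
    shell string, so /bin/sh parses any quotes and separators it contains.
    Returns the command's stdout."""
    cmd = f"echo listing '{name}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def list_backup_safe(name: str) -> str:
    """Same listing with the filename passed as one argv element. No shell is
    involved, so the quote and ';' stay inside the argument. (If a shell string
    is unavoidable, shlex.quote(name) is the escaping to use.)"""
    return subprocess.run(["echo", "listing", name],
                          capture_output=True, text=True).stdout


_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def is_safe_backup_name(name: str) -> bool:
    """Allowlist to apply before the filesystem or any command is touched:
    plain characters only (so no '/', quotes or whitespace), no '.' or '..',
    and no leading '-' that a tool could read as an option."""
    return (bool(_NAME_RE.fullmatch(name))
            and name not in (".", "..")
            and not name.startswith("-"))


if __name__ == "__main__":
    print("vulnerable:", repr(list_backup_vulnerable(CRAFTED_NAME)))
    print("argv form: ", repr(list_backup_safe(CRAFTED_NAME)))
    for candidate in (BENIGN_NAME, CRAFTED_NAME, "../etc", "-rf"):
        print(f"{candidate!r:40} allowed={is_safe_backup_name(candidate)}")
```

Both halves matter in practice: the argv form removes the shell from the path, and the allowlist rejects names that would still be dangerous to tools that interpret their arguments (leading dashes, path separators), which is exactly the kind of name an FTP rename can plant on the server.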