236 matches found
UniFi Access - Broken Access Control
UniFi Access Application 3.3.22 through 3.4.31 contains a broken authentication caused by misconfiguration exposing management API without proper authentication, letting attackers on management network access management functions, exploit requires network access. id: CVE-2025-52665 info: name:...
phpMyFAQ 安全漏洞
phpMyFAQ is a multilingual, fully database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ prior to 4.1.3 contained security vulnerabilities. These vulnerabilities stemmed from an insecure direct object reference in the management API’s user password endpoint. As a result,...
F5 BIG-IP 命令注入漏洞
F5 BIG-IP is an application delivery platform developed by F5 Networks in the United States. It integrates functions such as network traffic management, application security management, and load balancing. F5 BIG-IP has a command injection vulnerability, which originates from the iControl REST an...
PT-2026-40127
The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memory id are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...
CVE-2026-31240
The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memoryid are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the 3gpp-pfd-management API. An attacker can create, read, and delete transaction state by sending requests with forged or arbitrary bearer tokens, even if the service is not declared in the configuration...
CVE-2026-20195
A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could...
CVE-2026-20195
A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could...
CVE-2026-5175
Improper access control in the multi-factor authentication MFA management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests. This issue affects Server: from...
CLEANSTART-2026-IS43446 Security fixes for ghsa-25qh-j22f-pwp8, ghsa-389x-839f-4rhx, ghsa-3p8m-j85q-pgmj, ghsa-4g8c-wm8x-jfhw, ghsa-5jpm-x58v-624v, ghsa-72hv-8253-57qq, ghsa-84h7-rjj3-6jx4, ghsa-fghv-69vj-qj49, ghsa-jq43-27x9-3v86, ghsa-pwqr-wmgm-9rr8, ghsa-qqpg-mvqg-649v, ghsa-w9fj-cfpg-grvv, ghsa-xq3w-v528-46rv applied in versions: 0.1.109-r0, 0.1.109-r1, 0.1.111-r2
Multiple security vulnerabilities affect the management-api-for-apache-cassandra-5.0 package. These issues are resolved in later releases. See references for individual vulnerability details...
PT-2026-29542
Improper access control in the multi-factor authentication MFA management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests. This issue affects Server: from...
Sulu 安全漏洞
Sulu is a scalable Symfony framework based on PHP, developed by the Austrian company Sulu. Versions of Sulu from 1.0.0 to 2.6.22 and from 3.0.0 to 3.0.5 contained security vulnerabilities due to improper permission checks. These vulnerabilities could allow unauthorized access to contact...
GO-2026-4832 NATS JetStream has an authorization bypass through its Management API in github.com/nats-io/nats-server
NATS JetStream has an authorization bypass through its Management API in github.com/nats-io/nats-server...
CVE-2026-33222 NATS JetStream has an authorization bypass through its Management API
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them...
CVE-2026-33222
CVE-2026-33222 relates to an authorization bypass in NATS JetStream via its Management API. The GitHub advisory states that users with JetStream admin API access to restore one stream could restore to other stream names, potentially exposing or corrupting data that should have been protected. Aff...
CVE-2026-20114
A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate their privileges and access management APIs that would not normally be available for Lobby Ambassador users. This vulnerability exists because...
Cisco IOS XE Software 安全漏洞
Cisco IOS XE Software is a network operating system developed by the American company Cisco. There is a security vulnerability in Cisco IOS XE Software, which stems from insufficient validation of API endpoint parameters. This vulnerability could allow authenticated remote attackers to gain...
CVE-2026-32131
CVE-2026-32131 affects Zitadel's Management API prior to versions 3.4.8 and 4.12.2. An authenticated user with a low-privilege token (e.g., project.read, project.grant.read, or project.app.read) could retrieve management-plane information for other organizations by specifying a different tenant’s...
EUVD-2026-11410
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token e.g., project.read, project.grant.read, or project.app.read to retrieve...
PT-2026-24854
🚨 CVE-2026-32131 ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token e.g., project.read, project.grant.read, or project.app.read to...