CVE-2026-8694 Improper access control on the API documentation endpoint in PowerShell Universal

Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints...

EUVD-2026-36438

Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints...

CVE-2026-8694 Improper access control on the API documentation endpoint in PowerShell Universal

Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints...

CVE-2026-8694

CVE-2026-8694 involves an improper access control flaw in Devolutions PowerShell Universal up to version 2026.1.7, where an unauthenticated remote attacker can obtain the OpenAPI specification of user-defined REST endpoints. The affected component is the OpenAPI/REST endpoint documentation expose...

websec-sql-injection

WebSec SQL Injection Учебный backend-проект по безопасности в...

Server-side Request Forgery (SSRF)

Overview @frontmcp/adapters is an Adapters for the FrontMCP framework Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the initialize process. An attacker can access internal network resources or sensitive local files by submitting a crafted OpenAPI...

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via improper handling of the summary field during server generation logic. An attacker can execute arbitrary code by injecting malicious input into the OpenAPI specification, which is then incorporated withou...

GHSA-MWR6-3GP8-9JMJ orval MCP client is vulnerable to a code injection attack.

Impact The MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. Here is an example OpenAPI with th...

CVE-2026-22785 orval MCP client is vulnerable to a code injection attack.

orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allo...

WuppieFuzz: Coverage-Guided, Stateful REST API Fuzzing

Many business processes currently depend on web services, often using REST APIs for communication. REST APIs expose web service functionality through endpoints, allowing easy client interaction over the Internet. To reduce the security risk resulting from exposed endpoints, thorough testing is...

CVE-2025-62256

Liferay Portal 7.4.0 through 7.4.3.109, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not properly restrict access to OpenAPI in certain circumstances, which allows remote attackers...

API Specifications: Why, When, and How to Enforce Them

APIs facilitate communication between different software applications and power a wide range of everyday digital experiences, from weather apps to streaming services and everything in between. They are also a critical ingredient of AI. However, if not structured and standardized properly, APIs ca...

[SECURITY] Fedora 36 Update: golang-github-googleapis-gnostic-0.5.3-7.fc36

This package contains a Go command line tool which converts JSON and YAML OpenAPI descriptions to and from equivalent Protocol Buffer representations. Protocol Buffers provide a language-neutral, platform-neutral, extensible mechanism for serializing structured data. gnostic's Protocol Buffer...

CVE-2017-1000207

A vulnerability in Swagger-Parser's version = 1.0.30 and Swagger codegen version = 2.2.2 yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. This in particular, affects the 'generate' and 'validate' command in...