PT-2026-31682

Name of the Vulnerable Software and Affected Versions OpenPLC V3 affected versions not specified Description OpenPLC V3 is susceptible to an Initialization of a Resource with an Insecure Default issue. This could allow an attacker to bypass authentication and gain access to the system through an...

CVE-2026-1752 Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in t...

CVE-2026-5803

A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in server-side request...

CVE-2026-35476 InvenTree Affected by Privilege Escalation via API

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...

CVE-2026-5600

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...

CVE-2025-14732 Elementor Website Builder <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API

The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for...

VulGD: A LLM-Powered Dynamic Open-Access Vulnerability Graph Database

Software vulnerabilities continue to pose significant threats to modern information systems, requiring a timely and accurate risk assessment. Public repositories, such as the National Vulnerability Database and CVE details, are regularly updated, but predominantly utilize relational data models...

GenieACS has an unauthenticated access vulnerability via the NBI API endpoint

In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint...

CVE-2026-39322 PolarLearn: Any password authenticates banned accounts and grants API access

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account data access and...

CVE-2026-39351

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit...

CVE-2026-39351 Frappe allows unrestricted Doctype access via API exploit

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit...

CVE-2026-39339 ChurchCRM has an API Authentication Bypass

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

CVE-2026-39339

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

CVE-2026-39339 ChurchCRM has an API Authentication Bypass

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

CVE-2026-39331

ChurchCRM prior to 7.1.0 has an API authorization bypass: an authenticated API user can modify any family’s state by altering the {familyId} in requests to /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, and /family/{f...

EUVD-2026-19636

An issue that could allow a user with access to a credential to view sensitive fields through an API response has been resolved. This is an instance of CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and has an estimated CVSS score of...

EUVD-2026-19676

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature webserver.api.clipw that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config...

CVE-2026-35487

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadprompt allows reading any .txt file on the server filesystem. The file content is returned verbatim in the API response. This vulnerability...

CVE-2026-5375

An issue that could allow a user with access to a credential to view sensitive fields through an API response has been resolved. This is an instance of CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and has an estimated CVSS score of...

BIT-DISCOURSE-2026-32273 Discourse: XSS on category description update via API

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, updating a category description via API is not sanitizing the description string, which can lead to XSS attacks. This issue has been patched in versions 2026.1.3, 2026.2.2,...