OneUptime Unauthorized User Creation via API
Summary: A low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. PoC: A low-permission user sends a crafted API request to the user-creation endpoint and the system creates the account successfully. Impact: This allows attacke...
CVE-2025-65966 OneUptime Unauthorized User Creation via API
OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0...
WordPress Search Exclude plugin <= 2.5.7 – Missing Authorization to Authenticated (Contributor+) Search Settings Modification via REST API vulnerability
Missing Authorization to Authenticated Contributor+ Search Settings Modification via REST API vulnerability discovered by Lucas Montes Nirox in WordPress Plugin Search Exclude versions <= 2.5.7...
CVE-2025-64061
Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level including standard or low-privileged users, can make a GET request to this endpoint and retrieve a...
Primakon Pi Portal security vulnerability
Primakon Pi Portal is a project and contract management platform from Primakon Croatia. A security vulnerability exists in Primakon Pi Portal version 1.0.18, which stems from a lack of authorization checking in the /api/v2/user/register endpoint and could lead to unauthorized user registration...
Primakon Pi Portal security vulnerability
Primakon Pi Portal is a project and contract management platform from Primakon Croatia. A security vulnerability exists in Primakon Pi Portal version 1.0.18, which stems from insufficient access control in the /api/v2/users endpoint and could lead to unauthorized data disclosure...
Malicious code in @lessondesk/api-client (npm)
The package @lessondesk/api-client was found to contain malicious code. Sources: amazon-inspector, ghsa-malware...
GNU Transport Layer Security Library 3.8.11
GnuTLS is a secure communications library implementing the SSL and TLS protocols and technologies around them. It provides a simple C language application programming interface API to access the secure communications protocols, as well as APIs to parse and write X.509, PKCS 12, OpenPGP, and other...
EUVD-2025-198178
OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter...
CVE-2025-13315
Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password...
CVE-2025-36553
A buffer overflow vulnerability exists in the CvManager functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted ControlVault API call can lead to memory corruption. An attacker can issue an API call to trigger this vulnerability...
UBUNTU-CVE-2025-58121
Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information...
CVE-2025-58121
CVE-2025-58121 involves insufficient permission validation on multiple REST API endpoints in Checkmk, affecting versions 2.2.0, 2.3.0 and 2.4.0 prior to 2.4.0p16. The issue allows low-privilege users to perform unauthorized actions or access sensitive information. Remediation: upgrade to Checkmk ...
EUVD-2025-197893
A buffer overflow vulnerability exists in the CvManager functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted ControlVault API call can lead to memory corruption. An attacker can issue an API call to trigger this vulnerability...
GO-2025-4091 Jellysweep uses uncontrolled data in image cache API endpoint in github.com/jon4hz/jellysweep
Jellysweep uses uncontrolled data in image cache API endpoint in github.com/jon4hz/jellysweep...
GO-2025-4090 lakeFS affected by unauthenticated access to API usage metrics in github.com/treeverse/lakefs
lakeFS affected by unauthenticated access to API usage metrics in github.com/treeverse/lakefs...
CVE-2025-13319 Authenticated SQL injection in API - Digi On-Prem Manager
An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. The API is not enabled by default, and a valid API token is required to perform the attack...
Nettec AS Digi On-Prem Manager security vulnerability
Nettec AS Digi On-Prem Manager is a device management platform from Nettec AS, Norway. A security vulnerability exists in Nettec AS Digi On-Prem Manager that stems from a SQL injection vulnerability in the API functionality, which could lead to SQL injection attacks...
PT-2025-47024
Name of the Vulnerable Software and Affected Versions: Screen SFT DAB 600/C firmware versions up to and including 1.9.3. Description: The Screen SFT DAB 600/C firmware has an issue with access control on the user management API. Unauthenticated requests can retrieve structured user data, including...