CVE-2025-20214

A vulnerability in the Network Configuration Access Control Module NACM of Cisco IOS XE Software could allow an authenticated, remote attacker to obtain unauthorized read access to configuration or operational data. This vulnerability exists because a subtle change in inner API call behavior caus...

CVE-2025-20187

A vulnerability in the application data endpoints of Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, could allow an authenticated, remote attacker to write arbitrary files to an affected system. This vulnerability is due to improper validation of requests to APIs. An attacker could...

“Your privacy is a promise we don’t break”: Dating app Raw exposes sensitive user data

Any app that hands over user data is a concern, but leaky dating apps are especially worrying given the sensitivity of the data involved. A relatively new app called Raw that aims to rewrite the rules of dating is the latest to trip over its coattails by exposing user data to…well, anyone who ask...

Qualcomm Chipsets 访问控制错误漏洞

Qualcomm Chipsets are a family of chipsets from Qualcomm Incorporated USA. An access control error vulnerability exists in Qualcomm Chipsets that stems from improper API restrictions when mapping memory into the address space of a protected virtual machine, which could lead to memory corruption...

KHC-INVITATION-AUTOMATION 访问控制错误漏洞

KHC-INVITATION-AUTOMATION is an open source tool from Krypto Hashers to automatically invite GitHub followers to join your organization. An Access Control Error Vulnerability exists in KHC-INVITATION-AUTOMATION version 1.2, which stems from a lack of access control in the API response and could...

PlayEdu 代码问题漏洞

PlayEdu is an industry-leading online training solution from the China PlayEdu team. A code issue vulnerability exists in PlayEdu 1.8 and earlier versions, which stems from a server-side request forgery due to incorrect operation of the parameter Avatar in the file /api/backend/v1/user/create...

CVE-2025-3968

A vulnerability was found in codeprojects News Publishing Site Dashboard 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /api.php. The manipulation of the argument catid leads to sql injection. The attack can be initiated remotely. The exploit has been...

Moodle 信息泄露漏洞

Moodle is Moodle open source set of free e-learning software platform, also known as course management system, learning management system or virtual learning environment. Moodle suffers from an information disclosure vulnerability that originates from a specific API call that discloses sensitive...

dify 安全漏洞

dify is an open source LLM application development platform from LangGenius Open Source. A security vulnerability exists in versions of dify prior to 0.6.12, which stems from the fact that a normal user can enable or disable the app via the API...

PT-2025-16414

Name of the Vulnerable Software and Affected Versions The product name cannot be determined. Description An unauthenticated attacker can infer the existence of usernames in the system by querying an API. Recommendations At the moment, there is no information about a newer version that contains a...

PT-2025-16488

Name of the Vulnerable Software and Affected Versions The product name cannot be determined. Description Unauthenticated attackers can query an API endpoint and get device details. Recommendations At the moment, there is no information about a newer version that contains a fix for this...

PT-2025-16346

Name of the Vulnerable Software and Affected Versions Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC version V3 1.0.15 Description A command injection issue was discovered via the groupname at the "/boafrm/formDiskCreateGroup" API endpoint. This allows for potential exploitation...

CVE-2025-3135

A vulnerability classified as critical was found in fcbazzm ics-park Smart Park Management System 2.1. This vulnerability affects unknown code of the file /api/system/dept/update. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the...

UBUNTU-CVE-2024-36465

A low privilege regular Zabbix user with API access can use SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter...

raven 输入验证错误漏洞

raven is a simple, open source team messaging platform from Commit Open Source. An input validation error vulnerability exists in versions of Raven prior to 2.1.10 that stems from allowing any logged in user to execute code via an API endpoint...

Tuleap 安全漏洞

Tuleap is an open source suite from Enalean Open Source designed to improve the management of software development and collaboration. A security vulnerability exists in Tuleap Community Edition prior to 16.5.99.1742392651 and Tuleap Enterprise Edition prior to 16.5-5, and prior to 16.4-8, which...

SUSE CVE-2025-25068

Mattermost versions 10.4.x = 10.4.2, 10.3.x = 10.3.3, 9.11.x = 9.11.8, 10.5.x = 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes...

Unitree Go 1 安全漏洞

Unitree Go 1 is a robotic dog from the Chinese company Unitree. Unitree Go 1 suffers from a security vulnerability that stems from an undocumented backdoor that could lead to full remote control of the device by the manufacturer or a person in possession of an API key...

WordPress Better WishList API plugin <= 1.1.4 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting XSS Vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Better WishList API versions = 1.1.4...

Improper Privilege Management

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Improper Privilege Management through the API endpoint http://0.0.0.0:8080/api/v1/users/uuidadministrator. An attacker, acting as an admin, can delete other administrators. This action is restricted by the us...