CVE-2025-61119

CVE-2025-61119 affects Kanova Android App v1.0.27 (package com.karelane) by Karely L.L.C. The issue is improper access control that allows attackers to manipulate API request parameters to access user details and group information (including entry codes). Documented impact includes privacy breach...

CVE-2025-62368

Taiga is an open source project management platform. In versions 6.8.3 and earlier, a remote code execution vulnerability exists in the Taiga API due to unsafe deserialization of untrusted data. This issue is fixed in version 6.9.0...

API Attack Awareness: Business Logic Abuse — Exploiting the Rules of the Game

As Cybersecurity Awareness Month continues, we wanted to dive even deeper into the attack methods affecting APIs. We’ve already reviewed Broken Object Level Authentication BOLA, injection attacks, and authentication flaws; this week, we’re exploring business logic abuse BLA. Unlike technical flaw...

CVE-2025-62259

Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verified their email address, which allows remote...

CVE-2025-62524

PILOS Platform for Interactive Live-Online Seminars is a frontend for BigBlueButton. PILOS before 4.8.0 exposes the PHP version via the X-Powered-By header, enabling attackers to fingerprint the server and assess potential exploits. This information disclosure vulnerability originates from PHP’s...

CVE-2025-62367

Taiga (open source project management platform) – CVE-2025-62367 affects Taiga API in versions 6.8.3 and earlier, where a time-based blind SQL injection can disclose sensitive data via response timing. Root cause: improper handling of API input enabling blind SQL injection. Impact: potential expo...

CVE-2025-59461

A remote unauthenticated attacker may use the unauthenticated C++ API to access or modify sensitive data and disrupt services...

CVE-2025-41090 Improper Access Control in CCN-CERT microCLAUDIA

microCLAUDIA in v3.2.0 and prior has an improper access control vulnerability. This flaw allows an authenticated user to perform unauthorized actions on other organizations' systems by sending direct API requests. To do so, the attacker can use organization identifiers obtained through a...

CVE-2025-34293

GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference IDOR vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the...

EUVD-2025-35966

Insertion of Sensitive Information Into Sent Data vulnerability in airesvsg ACF to REST API acf-to-rest-api allows Retrieve Embedded Sensitive Data.This issue affects ACF to REST API: from n/a through = 3.3.4...

PT-2025-43925

Name of the Vulnerable Software and Affected Versions affected versions not specified Description A remote, unauthenticated attacker may be able to access or modify sensitive data and disrupt services by leveraging the unauthenticated C++ API. Recommendations At the moment, there is no informatio...

CVE-2023-37749

Incorrect access control in the REST API endpoint of HubSpot v1.29441 allows unauthenticated attackers to view users' data without proper authorization...

CVE-2025-11172

The Check Plagiarism plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the chkplagminepluginwpse10500adminaction function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-34293 GN4 Publishing System Insecure Direct Object Reference (IDOR) Information Disclosure

GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference IDOR vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the...

CVE-2025-60936

Emoncms 11.7.3 is vulnerable to Cross Site in the input handling mechanism. This vulnerability allows authenticated attackers with API access to inject malicious JavaScript code that executes when administrators view the application logs...

CVE-2025-43995

Dell Storage Center - Dell Storage Manager, versions 20.1.21, contains an Improper Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Authentication Bypass in DSM Data Collector. An...

PT-2025-43627

Name of the Vulnerable Software and Affected Versions Emoncms version 11.7.3 Description Emoncms version 11.7.3 contains a cross-site scripting issue in the input handling mechanism. Authenticated attackers with API access can inject malicious JavaScript code. This code executes when administrato...

CVE-2025-60936

Emoncms 11.7.3 is vulnerable to Cross Site in the input handling mechanism. This vulnerability allows authenticated attackers with API access to inject malicious JavaScript code that executes when administrators view the application logs...

CVE-2025-60803

Antabot White-Jotter up to commit 9bcadc was discovered to contain an unauthenticated remote code execution RCE vulnerability via the component /api/aaa;/../register...

CVE-2025-11957

Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests...