4962 matches found
CVE-2019-4325
"HCL AppScan Enterprise makes use of a broken or risky cryptographic algorithm to store REST API user details."...
CVE-2019-12498
The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permission_check protection mechanism...
CVE-2017-1000226
Stop User Enumeration 1.3.8 allows user enumeration via the REST API...
Malicious code in rest-api-orchestrator (npm)
Source: ghsa-malware (e20a9fa0a651580cbe0e418726dea2ca91f1a44a78c7bb29619bcd10bd0e8fbb). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2019-10716
An Information Disclosure issue in Verodin Director 3.5.3.1 and earlier reveals usernames and passwords of integrated security technologies via a /integrations.json JSON REST API request...
CVE-2016-15028
A vulnerability was found in ICEPAY REST-API-NET 0.9. It has been declared as problematic. Affected by this vulnerability is the function RestClient of the file Classes/RestClient.cs of the component Checksum Validation. The manipulation leads to improper validation of integrity check value. The...
CVE-2009-3354
Multiple unspecified vulnerabilities in the Rest API module for Drupal have unknown impact and attack vectors...
CVE-2024-8988
The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the filedownload REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to...
PT-2025-21653 · WordPress · Wordpress Eventin
Name of the Vulnerable Software and Affected Versions: Eventin versions n/a through 4.0.26 Description: A critical privilege escalation flaw has been discovered in the Eventin WordPress plugin, allowing unauthenticated attackers to gain full admin access without the need for a login. This issue...
PT-2025-21142 · WordPress · Peepso Core
Name of the Vulnerable Software and Affected Versions: PeepSo Core: File Uploads plugin for WordPress versions up to, and including, 6.4.6.0 Description: The issue allows unauthenticated attackers to download files uploaded by other users, potentially exposing sensitive information, due to missin...
Information Disclosure
github.com/hashicorp/vault is vulnerable to information disclosure. The vulnerability is due to insufficient input validation or improper handling of malformed payloads, which allows an attacker to expose sensitive information by triggering logging of secret data during secret creation or update...
[SECURITY] Fedora 41 Update: incus-6.12-1.fc41
Container hypervisor based on LXC Incus offers a REST API to remotely manage containers over the network, using an image based work-flow and with support for live migration. This package contains the Incus daemon...
[SECURITY] Fedora 42 Update: incus-6.12-1.fc42
Container hypervisor based on LXC Incus offers a REST API to remotely manage containers over the network, using an image based work-flow and with support for live migration. This package contains the Incus daemon...
CVE-2025-3471
The SureForms WordPress plugin before 1.4.4 does not have a proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such action...
PT-2025-18795 · Hashicorp +1 · Vault Community +3
Name of the Vulnerable Software and Affected Versions: Vault Community versions prior to 1.19.3 Vault Enterprise versions prior to 1.19.3, 1.18.9, 1.17.16, 1.16.20 Description: The Key/Value kv Version 2 plugin in Vault Community and Vault Enterprise may unintentionally expose sensitive informati...
CVE-2025-46554 XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API
XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint...
XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API
Impact: Anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It's not filtering the result depending on current user rights; an unauthenticated user could exploit this even in a totally private wiki. To reproduce: remove view from guest on the whol...
GHSA-R5CR-XM48-97XP XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API
Impact: Anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It's not filtering the result depending on current user rights; an unauthenticated user could exploit this even in a totally private wiki. To reproduce: remove view from guest on the whol...