4961 matches found

OSV · added 2025/03/20 10:15 a.m. · 3 views

CVE-2024-12766

parisneo/lollms-webui version V13 feather suffers from a Server-Side Request Forgery (SSRF) vulnerability in the POST /api/proxy REST API. Attackers can exploit this vulnerability to abuse the victim server's credentials to access unauthorized web resources by specifying the JSON parameter...

CVSS 7.5 · AI score 7.5
Exploits 0 · References 1
Vulnrichment · added 2025/03/20 10:11 a.m. · 8 views

CVE-2024-12779 SSRF in infiniflow/ragflow

A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the POST /v1/llm/addllm and POST /v1/conversation/tts endpoints. Attackers can specify an arbitrary URL as the apibase when adding an OPENAITTS model, and subsequently...

CVSS 6.5 · AI score 6.5 · EPSS 0.0061
Exploits 1 · References 1
CVE · added 2025/03/20 10:09 a.m. · 71 views

CVE-2024-12775

CVE-2024-12775 describes an SSRF in langgenius/dify v0.10.1, triggered via the test functionality of Create Custom Tool in REST API POST /console/api/workspaces/current/tool-provider/api/test/pre. The flaw allows an attacker to provide an arbitrary URL in the servers.url field of the OpenAI schem...

CVSS 6.5 · AI score 6.6 · EPSS 0.0061
Exploits 1 · References 1 · Affected Software 1
Vulnrichment · added 2025/03/20 10:09 a.m. · 7 views

CVE-2024-12775 SSRF in langgenius/dify

langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API POST /console/api/workspaces/current/tool-provider/api/test/pre. Attackers can set the url in the servers dictionary in OpenAI's...

CVSS 6.5 · AI score 6.6 · EPSS 0.0061
Exploits 1 · References 1
Cvelist · added 2025/03/20 10:09 a.m. · 10 views

CVE-2024-10553 Jdbc Deserialization in h2oai/h2o-3

A vulnerability in the h2oai/h2o-3 REST API version 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are...

CVSS 9.8 · EPSS 0.01441
Exploits 1 · References 2
CVE · added 2025/03/20 10:09 a.m. · 68 views

CVE-2024-10553

CVE-2024-10553 affects h2oai/h2o-3 REST API 3.46.0.4. The issue lies in endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, enabling deserialization of untrusted data if a MySQL or PostgreSQL driver is present i...

CVSS 9.8 · AI score 8 · EPSS 0.01441
Exploits 1 · References 2 · Affected Software 1
OSSF Malicious Packages · added 2025/03/20 12:21 a.m. · 4 views

Malicious code in azure-rest-api-specs (npm)

Source: ghsa-malware e9b45f4b5db07c14af82f92638c97d70419c7936860274a00dbea1e18db0b58f. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.8
Exploits 0 · References 1
OSV · added 2025/03/20 12:21 a.m. · 3 views

MAL-2025-2543 Malicious code in azure-rest-api-specs (npm)

Source: ghsa-malware e9b45f4b5db07c14af82f92638c97d70419c7936860274a00dbea1e18db0b58f. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits 0 · References 1
Positive Technologies · added 2025/03/20 12:00 a.m. · 7 views

PT-2025-12046

Name of the Vulnerable Software and Affected Versions: h2oai/h2o-3 versions 3.46.0.4 through 3.46.0.5. Description: A vulnerability in the h2oai/h2o-3 REST API allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The issue exists in the endpoints...

CVSS 9.8 · AI score 9.9 · EPSS 0.01441
Exploits 1 · References 8
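The three h2o-3 entries above (CVE-2024-10553 and PT-2025-12046) describe the same root cause: a caller-supplied JDBC URL reaches DriverManager.getConnection, so the caller also controls the driver properties that make MySQL Connector/J or pgjdbc deserialize data or instantiate classes on the client side. The guard below is an added example for this listing, not h2o-3 code, and is written in Python as a portable reference check. The property deny list names driver settings known to load classes, deserialize objects or read/write local files and is not exhaustive; the host allowlist, the hypothetical class name in the usage call and the DB_NAME pattern are assumptions. The second function shows the stronger fix: build the connection string server-side from structured fields so the caller never supplies a URL at all.

```python
"""JDBC connection-string guard for endpoints that accept a user-supplied
JDBC URL. Added example; not h2o-3 code. Deny list is not exhaustive."""
import re
from urllib.parse import parse_qsl, urlsplit

# Lower-cased driver property names, per subprotocol (assumed policy).
DANGEROUS_PROPERTIES = {
    "mysql": {
        "autodeserialize", "detectcustomcollations",        # object deserialization
        "allowloadlocalinfile", "allowloadlocalinfileinpath",
        "allowurlinlocalinfile",                             # client-side file read
        "queryinterceptors", "statementinterceptors",
        "exceptioninterceptors", "propertiestransform",
        "socketfactory", "serverrsapublickeyfile",           # class loading / file read
    },
    "postgresql": {
        "socketfactory", "socketfactoryarg", "sslfactory", "sslfactoryarg",
        "sslhostnameverifier", "sslpasswordcallback",
        "authenticationpluginclassname",                     # arbitrary class instantiation
        "loggerlevel", "loggerfile",                          # client-side file write
    },
}

DB_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")  # assumed naming policy


def check_jdbc_url(url, allowed_hosts, extra_props=None):
    """Return (ok, reason) for a caller-supplied JDBC URL plus any separate
    Properties the caller can influence (extra_props)."""
    if not url.lower().startswith("jdbc:"):
        return False, "not a jdbc: URL"
    parts = urlsplit(url[len("jdbc:"):])
    sub = parts.scheme.lower()
    if sub not in DANGEROUS_PROPERTIES:
        # Every driver this endpoint was not meant to reach (h2, derby, ...).
        return False, "subprotocol not allowed: %r" % sub
    if "," in parts.netloc:
        return False, "multi-host connection strings not allowed"
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        # Also catches forms such as mysql:loadbalance://..., whose host
        # does not parse as a netloc here.
        return False, "host not allowed: %r" % host
    keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    keys |= {k.lower() for k in (extra_props or {})}
    bad = sorted(keys & DANGEROUS_PROPERTIES[sub])
    if bad:
        return False, "dangerous driver properties: %s" % ", ".join(bad)
    return True, "ok"


def build_jdbc_url(subprotocol, host, port, database, allowed_hosts):
    """Construct the connection string from validated fields instead of
    accepting one; raises ValueError on anything off the allowlist."""
    sub = subprotocol.lower()
    if sub not in DANGEROUS_PROPERTIES:
        raise ValueError("subprotocol not allowed: %r" % subprotocol)
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        raise ValueError("host not allowed: %r" % host)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("bad port: %r" % port)
    if not DB_NAME.fullmatch(database):
        # Blocks '?autoDeserialize=true' smuggled in through the db name.
        raise ValueError("bad database name: %r" % database)
    return "jdbc:%s://%s:%d/%s" % (sub, host, port, database)


if __name__ == "__main__":
    allowed = {"db.example.com"}  # constructed allowlist
    print(check_jdbc_url(
        "jdbc:mysql://db.example.com:3306/sales"
        "?autoDeserialize=true&detectCustomCollations=true", allowed))
    print(check_jdbc_url("jdbc:mysql://db.example.com:3306/sales?useSSL=true", allowed))
    print(check_jdbc_url("jdbc:postgresql://db.example.com/sales"
                         "?socketFactory=com.example.Hypothetical", allowed))
    print(build_jdbc_url("postgresql", "db.example.com", 5432, "sales", allowed))
```

A deny list only buys time: each new driver release can add a property that reaches a classloader or the filesystem, which is why build_jdbc_url is the shape to prefer, and why the driver jar on the classpath (the "if a MySQL or PostgreSQL driver is present" condition in the entry) should be kept to the versions the application actually needs.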
Positive Technologies · added 2025/03/20 12:00 a.m. · 6 views

PT-2025-12145 · Unknown +1 · Langgenius/Dify +1

Name of the Vulnerable Software and Affected Versions: langgenius/dify version 0.10.1. Description: The issue is a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API endpoint POST...

CVSS 6.5 · AI score 6.5 · EPSS 0.0061
Exploits 1 · References 5
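The SSRF entries above (CVE-2024-12766 in lollms-webui, CVE-2024-12779 in ragflow, CVE-2024-12775 and PT-2025-12145 in dify) share one shape: a field that is meant to hold a remote API base or proxy target is fetched by the server as given, so the caller can point it at loopback, internal networks or the cloud metadata service. The guard below is an added example for this listing, not code from any of those projects; it checks the URL before the fetch and returns the resolved addresses so the caller can connect to those exact IPs. The scheme and address policy, the resolver injection, and the FAKE_DNS answers (constructed so the example runs offline) are all assumptions.

```python
"""Outbound-URL guard for "fetch the URL the caller gave us" features.
Added example; not code from lollms-webui, ragflow or dify."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumed policy

# Ranges an application server should never be steered into (assumed policy).
# 169.254.0.0/16 covers cloud metadata services; IPv4-mapped IPv6 such as
# ::ffff:127.0.0.1 is unwrapped below so the IPv4 ranges apply to it too.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def resolve_all(host):
    """Default resolver: every A/AAAA answer for host (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_denied_address(addr):
    """True if the address string falls in a denied range."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in DENIED_NETWORKS)


def check_outbound_url(url, resolve=resolve_all):
    """Return (ok, reason, addresses).

    When ok is True, addresses is every IP the host resolved to and all of
    them passed. Connect to one of these (pin it) instead of resolving again
    at fetch time; a DNS answer that changes between check and fetch
    (rebinding) would otherwise slip past this check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme, []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port", []
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # IP literal: nothing to resolve
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError as exc:
            return False, "resolution failed: %s" % exc, []
    if not addresses:
        return False, "no addresses", []
    for addr in addresses:
        if is_denied_address(addr):
            return False, "%s resolves to denied address %s" % (host, addr), []
    return True, "ok", addresses


# Constructed resolver answers so the guard can be exercised offline.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "internal.example.com": ["10.0.0.5"],
    # One public and one loopback answer: the usual rebinding setup.
    "rebind.example.com": ["203.0.113.10", "127.0.0.1"],
}


def fake_resolve(host):
    """Stand-in for resolve_all that answers only from FAKE_DNS."""
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN %s" % host)
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/models",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]:8080/",
              "http://rebind.example.com/",
              "file:///etc/passwd"):
        print(u, "->", check_outbound_url(u, fake_resolve)[:2])
```

The check is necessary but not sufficient on its own: redirects must be re-checked hop by hop (or disabled), the fetch should go through an egress path that cannot reach the metadata service regardless, and the "abuse the victim server's credentials" part of the lollms-webui entry is only closed if the proxy stops attaching its own credentials to caller-chosen destinations.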
Github Security Blog · added 2025/03/19 8:34 p.m. · 12 views

The WikiManager REST API allows any user to create wikis

Impact: Any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager...

CVSS 9.8 · AI score 6.5 · EPSS 0.00532
Exploits 1 · References 5 · Affected Software 1
Github Security Blog · added 2025/03/19 8:03 p.m. · 13 views

XWiki uses the wrong wiki reference in AuthorizationManager

Impact: It's possible for a user to get access to private information through the REST API (but it could also be through another API) when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as...

CVSS 8.7 · AI score 6.3 · EPSS 0.00371
Exploits 0 · References 5 · Affected Software 1
OSV · added 2025/03/19 8:03 p.m. · 9 views

GHSA-GQ32-758C-3WM3 XWiki uses the wrong wiki reference in AuthorizationManager

Impact: It's possible for a user to get access to private information through the REST API (but it could also be through another API) when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as...

CVSS 8.7 · AI score 6 · EPSS 0.00371
Exploits 0 · References 5
NVD · added 2025/03/19 6:15 p.m. · 11 views

CVE-2025-29924

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API (but it could also be through another API) when a sub wiki is using "Prevent unregistered users to view pages". The...

CVSS 8.7 · EPSS 0.00371
Exploits 0 · References 3
NVD · added 2025/03/19 6:15 p.m. · 11 views

CVE-2025-29926

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard b...

CVSS 9.8 · EPSS 0.00532
Exploits 1 · References 3
Cvelist · added 2025/03/19 5:40 p.m. · 25 views

CVE-2025-29926 The WikiManager REST API allows any user to create wikis

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard b...

CVSS 7.9 · EPSS 0.00532
Exploits 1 · References 3
CVE · added 2025/03/19 5:40 p.m. · 701 views

CVE-2025-29926

CVE-2025-29926 affects XWiki Platform via the WikiManager REST API. In affected releases before fixes, any user could create a new wiki, potentially granting the user administrator privileges and enabling further farm-wide attacks. The REST API is not included in XWiki Standard by default and mus...

CVSS 9.8 · AI score 6.2 · EPSS 0.00532
Exploits 1 · References 3 · Affected Software 1
Vulnrichment · added 2025/03/19 5:40 p.m. · 15 views

CVE-2025-29926 The WikiManager REST API allows any user to create wikis

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard b...

CVSS 7.9 · AI score 6.3 · EPSS 0.00532
Exploits 1 · References 3
OSV · added 2025/03/19 5:40 p.m. · 8 views

CVE-2025-29926 The WikiManager REST API allows any user to create wikis

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard b...

CVSS 7.9 · AI score 6.5 · EPSS 0.00532
Exploits 1 · References 5
Vulnrichment · added 2025/03/19 5:31 p.m. · 20 views

CVE-2025-29924 XWiki uses the wrong wiki reference in AuthorizationManager

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API (but it could also be through another API) when a sub wiki is using "Prevent unregistered users to view pages". The...

CVSS 8.7 · AI score 6.2 · EPSS 0.00371
Exploits 0 · References 3