PT-2026-40441

PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions...

PT-2026-40425

Name of the Vulnerable Software and Affected Versions dalfox affected versions not specified Description A structural ordering error in the ParameterAnalysis function within pkg/scanning/parameterAnalysis.go allows an unauthenticated remote attacker to crash the dalfox server process. The issue...

Missing Authorization

Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Missing Authorization in the file visibility process. An attacker can access unauthorized file attachments by sending requests to the REST API or SOAP API endpoints. Remediation Upgrade...

GHSA-PW5X-2MF9-3XC8 MantisBT has a Private Bugnote Attachment Content Leak via REST API

A missing authorization check in MantisBT's file visibility function allows any authenticated user REPORTER+ to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/id/files and SOAP API mcissueattachmentget endpoint. Impact -...

MantisBT has a Private Bugnote Attachment Content Leak via REST API

A missing authorization check in MantisBT's file visibility function allows any authenticated user REPORTER+ to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/id/files and SOAP API mcissueattachmentget endpoint. Impact -...

MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API

Impact MantisBT allows an authenticated user to upload attachments to private Issues they are not authorized to access. Patches - b262b4d2835b81394d75356dead66e52a6275206 Workarounds None. Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue...

CVE-2026-8198 Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity <= 3.3.6 - Unauthenticated Information Disclosure via REST API

The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including, 3.3.6. This is due to a logic flaw in the verifyAuthorization method where requests without an...

CVE-2026-42137 Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...

CVE-2026-42137

Kirby CVE-2026-42137 affects the open-source Kirby CMS. Prior to versions 4.9.0 and 5.4.0, the Panel and REST API did not consistently enforce pages.access/list and files.access/list permissions, enabling missing authorization in some collections and related models. The issue has been fixed in Ki...

CVE-2026-8115

A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. The attack can be launched remotely. The...

EUVD-2026-28543

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sky-custom-scripts custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with capabilitytype = 'post' and showinrest = true, combined with...

CVE-2026-7475

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sky-custom-scripts custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with capabilitytype = 'post' and showinrest = true, combined with...

CVE-2026-7475

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sky-custom-scripts custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with capabilitytype = 'post' and showinrest = true, combined with...

CVE-2026-8115 gyoridavid short-video-maker REST API rest.ts path traversal

A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. The attack can be launched remotely. The...

CVE-2026-8115

A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. The attack can be launched remotely. The...

Security Bulletin: IBM MQ is affected by a server-side request forgery vulnerability in IBM WebSphere Application Server Liberty (CVE-2026-1561)

Summary IBM WebSphere Application Server Liberty is used by IBM MQ as part of the IBM MQ Console and IBM MQ REST API functionality CVE-2026-1561 Vulnerability Details CVEID:CVE-2026-1561 DESCRIPTION: IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application...

Security Bulletin: IBM MQ is affected by a vulnerability in IBM WebSphere Application Server Liberty (CVE-2025-14914)

Summary A remote code execution vulnerability was identified in IBM WebSphere Application Server Liberty, which IBM MQ ships and uses to supply IBM MQ Console and IBM MQ REST API functionality CVE-2025-14914 Vulnerability Details CVEID:CVE-2025-14914 DESCRIPTION: IBM WebSphere Application Server...

Security Bulletin: IBM MQ is affected by a denial of service vulnerability in IBM WebSphere Application Server Liberty (CVE-2024-29371)

Summary IBM WebSphere Application Server Liberty is used by IBM MQ as part of the IBM MQ Console and IBM MQ REST API functionality CVE-2024-29371 Vulnerability Details CVEID:CVE-2024-29371 DESCRIPTION: In jose4j before 0.9.6, an attacker can cause a Denial-of-Service DoS condition by crafting a...

MAL-2026-3365 Malicious code in @b2bneo-rest/api-csf (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea4a9f32d6857ac3e548ca117915efd6694039bbc344390f1758f12291776817 The package @b2bneo-rest/api-csf was found to contain malicious code. Source: ossf-package-analysis...

PT-2026-38600

Name of the Vulnerable Software and Affected Versions gyoridavid short-video-maker versions prior to 1.3.5 Description A path traversal flaw exists in the REST API component within the src/server/routers/rest.ts file. A remote attacker can exploit this by manipulating the req.params.tmpFile...