13 matches found
CVE-2026-42071 MantisBT: Private Bugnote Attachment Content Leak via REST API
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint...
EUVD-2026-10889
Parse Server: Classes GraphQLConfig and Audience master key bypass via generic class routes...
PT-2026-7859
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, the FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT wit...
EUVD-2021-14535
Malware in sbrugna...
PT-2024-16088 · WordPress · Wp Project Manager
Name of the Vulnerable Software and Affected Versions: The WP Project Manager versions up to, and including, 2.6.13 Description: The issue is related to Insecure Direct Object Reference, which affects the plugin due to missing validation on the user id user-controlled key in the Abstract Permissi...
CVE-2024-0965
The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's page restriction and view page content...
PT-2023-28578 · F5 · Big-Ip
Name of the Vulnerable Software and Affected Versions: BIG-IP affected versions not specified Description: The issue occurs when a non-admin user is assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration...
Exploit for Missing Authentication for Critical Function in F5 Big-Ip_Access_Policy_Manager
PoC exploit for CVE-2022-1388, a vulnerability in the BIG-IP iCo...
CVE-2020-16168
Origin Validation Error in temi Robox OS prior to 120, temi Android app up to 1.3.7931 allows remote attackers to access the REST API and MQTT broker used by the temi and send it custom data/requests via unspecified vectors...
360fly 4K Identity Bypass Vulnerability
360Fly is a famous camera manufacturer. The 360fly 4K suffers from an identity bypass vulnerability that allows an unauthenticated attacker to exploit the vulnerability to cause a Wi-Fi password change and full access to REST...
Default credentials
360fly 4K cameras allow unauthenticated Wi-Fi password changes and complete access with REST by using the Bluetooth Low Energy pairing procedure, which is available at any time and does not require a password. This affects firmware 2.1.4. Exploitation can use the 360fly Android or iOS application...
CVE-2017-8403
360fly 4K cameras allow unauthenticated Wi-Fi password changes and complete access with REST by using the Bluetooth Low Energy pairing procedure, which is available at any time and does not require a password. This affects firmware 2.1.4. Exploitation can use the 360fly Android or iOS application...
CVE-2016-6068
IBM UrbanCode Deploy could allow an authenticated user with access to the REST endpoints to access API and CLI getResource secured role properties...