22 matches found
CVE-2026-1890 LeadConnector < 3.0.22 - Unauthenticated Rest Call
The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data...
EUVD-2020-25729
Malware in sbrugna...
EUVD-2020-26459
Malware in sbrugna...
CVE-2025-20371
CVE-2025-20371 affects Splunk Enterprise and Splunk Cloud Platform: unauthenticated SSRF that can cause REST API calls on behalf of an authenticated high-privilege user. Affected: Splunk Enterprise < 10.0.1; also versions 9.2.8–9.4.4; Splunk Cloud Platform < 9.3.2411.109, < 9.3.2408.119,
CVE-2020-5242
openHAB before 2.5.2 allows a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file...
PT-2024-7164 · Splunk · Splunk Enterprise
Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.3.1, prior to 9.2.3 and prior to 9.1.6. Description: The software potentially exposes sensitive HTTP parameters to the internal index if the REST Calls log...
WordPress plugin InstaWP Connect security vulnerability
WordPress and its plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports setting up personal blog sites on servers running PHP and MySQL. A WordPress plugin is an application extension for the platform. A security...
Cross-site Scripting (XSS)
Overview: Jellyfin.Common is a Free Software Media System that puts you in control of managing and streaming your media. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper escaping of the device ID in raw HTML, which can be used to make arbitrary calls to the...
XWiki < 13.10.5, < 14.3 Improper Authorization Vulnerability (GHSA-jgc8-gvcx-9vfx)
XWiki is prone to an improper authorization vulnerability. SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:xwiki:xwiki";...
Zephyr Project Manager < 3.2.5 - Unauthorised REST Calls to Stored XSS
The plugin does not enforce proper authorisation on any of its REST endpoints, even when the "Require Authorisation for REST API Requests" setting is enabled, allowing unauthenticated users to call them either directly. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform...
WordPress Zephyr Project Manager plugin <= 3.2.42 - Unauthorized REST Calls to Stored Cross-Site Scripting (XSS) vulnerability
Unauthorized REST Calls to Stored Cross-Site Scripting (XSS) vulnerability discovered by WPScan in WordPress Zephyr Project Manager plugin versions <= 3.2.42. Solution: Update the WordPress Zephyr Project Manager plugin to the latest available version (at least 3.2.5)...
WordPress Student Result or Employee Database plugin <= 1.7.9 - Unauthorized REST Calls vulnerability
Unauthorized REST Calls vulnerability discovered by WPScanTeam in WordPress Student Result or Employee Database plugin versions <= 1.7.9. Solution: Update the WordPress Student Result or Employee Database plugin to the latest available version (at least 1.8.0)...
Student Result or Employee Database < 1.8.0 - Unauthorised REST Calls
The plugin has a flawed permission callback in its REST endpoints, allowing unauthenticated attackers to call them and add/edit/delete arbitrary students, for example:
POST /wp-json/v2/ssradddata HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type:...
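The LeadConnector, Zephyr Project Manager and Student Result entries above share one root cause: a WordPress REST route registered with a permission_callback that lets every visitor through. The following is an added example written for this page, not code from any of those plugins, showing that pattern beside a hardened registration. The namespace, route names, the 'edit_posts' capability and the handler are hypothetical.

```php
<?php
// Added example (not from any plugin listed above). Namespace 'example/v1',
// the routes, the capability and example_save_record() are hypothetical.

// VULNERABLE: '__return_true' means "no authorisation at all". Any visitor can
// POST to /wp-json/example/v1/record and reach the handler. Leaving
// permission_callback out entirely behaves the same way; since WordPress 5.5
// core only emits a _doing_it_wrong() notice for it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/record', array(
        'methods'             => WP_REST_Server::CREATABLE,   // POST
        'callback'            => 'example_save_record',
        'permission_callback' => '__return_true',
    ) );
} );

// Also flawed: the decision depends on a value the client controls, so an
// attacker simply sends is_admin=1 with the request.
function example_flawed_permission( WP_REST_Request $request ) {
    return ! empty( $request->get_param( 'is_admin' ) );
}

// HARDENED: permission_callback runs before the handler and decides server-side.
// current_user_can() is false for unauthenticated requests because the REST API
// only establishes a logged-in user for requests carrying a valid X-WP-Nonce
// (cookie auth) or an Application Password.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/record-secure', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_save_record',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'edit_posts' ) ) {   // hypothetical capability
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to modify records.' ),
                    // 401 for anonymous callers, 403 for logged-in users lacking the cap
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        // Input validation/sanitisation runs before the handler, which closes the
        // "unauthorised REST call to stored XSS" chain on the way in.
        'args' => array(
            'name' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'id' => array(
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_save_record( WP_REST_Request $request ) {
    $name = $request->get_param( 'name' );
    $id   = $request->get_param( 'id' );
    // ... persist the record here. When the value is rendered later, still
    // escape on output (esc_html()/esc_attr()); sanitising on input is not enough.
    return rest_ensure_response( array( 'id' => $id, 'name' => $name ) );
}
```

To confirm the fix, send an unauthenticated POST to the secured route (for example with curl and no cookies) and expect an HTTP 401 body with code "rest_forbidden"; the vulnerable route returns 200 and the echoed record. Auditing a plugin for this class of bug means reading every register_rest_route() call and treating '__return_true', a missing permission_callback, or a callback that inspects request parameters as a finding.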
Zammad Access Control Error Vulnerability
Zammad is a Web-based open source helpdesk/customer support system. An access control error vulnerability exists in Zammad versions prior to 3.5.1. An attacker can exploit this vulnerability to bypass auditing and change Ticket Article data via REST API calls...
Security Bulletin: CVE-2020-4482 ADD SNAPSHOT STATUS REST CALL DOESN'T CHECK THE USER ROLE
Summary: ADD SNAPSHOT STATUS REST CALL DOESN'T CHECK THE USER ROLE BEFORE ADDING THE STATUS TO SNAPSHOT. Vulnerability Details: CVEID: CVE-2020-4482. DESCRIPTION: IBM UrbanCode Deploy (UCD) could allow an authenticated user to bypass security. A user with access to a snapshot could apply unauthorized...
Design/Logic Flaw
openHAB before 2.5.2 allows a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file...
CVE-2020-5242
openHAB prior to 2.5.2 is affected. A remote attacker can use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands with the privileges of the openHAB user. The root cause is lack of proper enforcement of command installation via REST until 2.5.2. Fi...