492 matches found
CVE-2025-7901
Summary (CVE-2025-7901) : The vulnerability affects yangzongzhuan RuoYi versions up to 4.8.1, specifically in the Swagger UI component accessed via /swagger-ui/index.html. The root cause is manipulation of the configUrl parameter in Swagger UI, which can lead to cross‑site scripting. The issue ma...
RuoYi 代码注入漏洞
RuoYi is a backend management system for individual developers of RuoYi in China. A code injection vulnerability exists in RuoYi 4.8.1 and earlier versions, which originates from cross-site scripting due to incorrect manipulation of the parameter configUrl in the file /swagger-ui/index.html...
PT-2025-30206
Name of the Vulnerable Software and Affected Versions yangzongzhuan RuoYi versions up to 4.8.1 Description A problematic issue exists in yangzongzhuan RuoYi related to the processing of the /swagger-ui/index.html file within the Swagger UI component. Manipulation of the configUrl argument can lea...
MAL-2025-4926 Malicious code in mh-swagger-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4c511d3eda3b228d180191f4caee04bad5746d8134a082644b776b462f4b2eb7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in mh-swagger-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4c511d3eda3b228d180191f4caee04bad5746d8134a082644b776b462f4b2eb7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
VulnCheck KEV: CVE-2024-7314
anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java on the victim server. Exploitation evidence was observed by the Shadowserver Foundation on...
CVE-2024-25712
http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded via httpSwagger.WrapHandler and webdav.memFile can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because if a solution continued to allow...
CVE-2024-22207
fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of @fastify/swagger-ui without baseDir set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting th...
CVE-2024-13700
The Embed Swagger UI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsgui' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2021-39910
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature...
CVE-2019-17495
A Cascading Style Sheets CSS injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite RPO technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows th...
CVE-2018-25031
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parti...
U.S. Dept Of Defense: Swagger UI Injection via Config URL - `███`
A Swagger UI injection vulnerability was identified on a specific endpoint. The issue allowed an attacker to inject custom JSON configuration into the Swagger UI, potentially leading to unspecified consequences...
The vulnerability of the Swagger UI interactive console of the SAP Commerce platform allows attackers to influence the confidentiality, integrity, and accessibility of the protected information.
The vulnerability of the Swagger UI interactive console of the SAP Commerce platform is related to the lack of protective measures for the website structure. Exploiting this vulnerability allows a malicious actor to influence the confidentiality, integrity, and accessibility of the protected...
CVE-2025-27434 Cross-Site Scripting (XSS) vulnerability in SAP Commerce (Swagger UI)
Due to insufficient input validation, SAP Commerce Swagger UI allows an unauthenticated attacker to inject the malicious code from remote sources, which can be leveraged by an attacker to execute a cross-site scripting XSS attack. This could lead to a high impact on the confidentiality, integrity...
Security Bulletin:Vulnerabiilties in swagger-ui and Bootstrap affect watsonx.data
Summary swagger-ui is vulnerable to conduct spoofing attacks. Bootstrap is vulnerable to cross-site scripting. These could affect watsonx.data. Vulnerability Details CVEID:CVE-2018-25031 DESCRIPTION: swagger-ui could allow a remote attacker to conduct spoofing attacks. By persuading a victim to...
The vulnerability of the Grafana monitoring and surveillance platform’s interface allows attackers to perform cross-site scripting attacks (XSS).
The vulnerability of the Grafana monitoring and observation platform’s interface is related to the lack of measures taken to protect the website structure during the processing of the /swagger endpoint. Exploiting this vulnerability allows a malicious actor to perform cross-site scripting attacks...
CVE-2022-39258
mailcow is a mailserver suite. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to stea...
CVE-2024-54181
IBM WebSphere Automation 1.7.5 could allow a remote privileged user, who has authorized access to the swagger UI, to execute arbitrary code. Using specially crafted input, the user could exploit this vulnerability to execute arbitrary code on the system...
CVE-2024-13700
The CVE concerns the WordPress plugin Embed Swagger UI (WordPress) up to version 1.0.0, where a Stored Cross-Site Scripting flaw exists in the wpsgui shortcode due to insufficient input sanitization and output escaping. Exploitation requires authentication at contributor level or higher; an attac...