24 matches found
CVE-2026-57994 phpMyFAQ - Information Disclosure of Inactive FAQ Content via Public API Endpoints
phpMyFAQ before 4.1.5 applies inconsistent active=yes and publication-date filtering across its public FAQ API endpoints, allowing unauthenticated attackers to retrieve inactive draft or review-only FAQ content. Specifically, GET /api/v3.1/faq/categoryId/faqId returns the inactive FAQ title and...
mail/mailpit -- memory-exhaustion DoS via unbounded JSON body
Mailpit author reports: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/id/release...
CVE-2026-46365 phpMyFAQ - Missing Authorization in Tag Deletion Endpoint
phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/tagId endpoint that allows any authenticated user to delete tags. Any logged-in user, including regular frontend users, can delete arbitrary tags by sending a DELETE request with a valid...
phpMyFAQ 安全漏洞
phpMyFAQ is a multilingual, fully database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ prior to 4.1.2 contained a security vulnerability. This vulnerability stemmed from the lack of authorization for the DELETE /admin/api/content/tags/tagId endpoint. As a result, any...
CVE-2026-3023
Non-relational SQL injection vulnerability NoSQLi in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands,...
CVE-2026-3023
Non-relational SQL injection vulnerability NoSQLi in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands,...
CVE-2026-3023
Non-relational SQL injection vulnerability NoSQLi in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands,...
CVE-2026-3023 Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma application web
Non-relational SQL injection vulnerability NoSQLi in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands,...
CVE-2026-3023 Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma application web
Non-relational SQL injection vulnerability NoSQLi in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands,...
CVE-2026-3023
CVE-2026-3023 affects the Wakyma web application, specifically the endpoint VetS.wakyma.com/pets/print-tags. The issue is a NoSQL injection (NoSQLi) in a POST request that authenticated users can abuse to inject NoSQL commands, enabling listing of pets and owner names. Multiple connected entries ...
Wakyma 安全漏洞
Wakyma is a pet management application developed by the Spanish company Wakyma. There is a security vulnerability in Wakyma, which stems from a non-relational database injection in the endpoint vets.wakyma.com/pets/print-tags. This vulnerability could allow authenticated users to list pets and...
PT-2026-25672
Name of the Vulnerable Software and Affected Versions Wakyma affected versions not specified Description A non-relational SQL injection NoSQLi issue exists in the Wakyma web application. An authenticated user can modify a POST request sent to the ''vets.wakyma.com/pets/print-tags'' endpoint to...
EUVD-2025-26573
Malicious code in bioql PyPI...
Cross Site Scripting (XSS)
mautic/core is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to unsanitized user-supplied input in the “Tags” field of the /s/ajax?action=lead:addLeadTags endpoint being reflected in the server response, which allows an attacker to execute arbitrary JavaScript in the victim’s...
Conventional Changelog 参数注入漏洞
Conventional Changelog is an open source update log generation tool from Conventional Changelog. A parameter injection vulnerability exists in Conventional Changelog versions prior to 2.0.0 that stems from not cleaning or validating user input in the getTags API, which could lead to a parameter...
CVE-2025-9823
SummaryA Cross-Site Scripting XSS vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious...
GHSA-9V8P-M85M-F7MM Mautic vulnerable to reflected XSS in lead:addLeadTags - Quick Add
Summary A Cross-Site Scripting XSS vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious...
Mautic vulnerable to reflected XSS in lead:addLeadTags - Quick Add
Summary A Cross-Site Scripting XSS vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious...
CVE-2025-9823
SummaryA Cross-Site Scripting XSS vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious...
CVE-2025-9823 Reflected XSS in lead:addLeadTags - Quick Add
SummaryA Cross-Site Scripting XSS vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious...