EUVD-2026-9504

Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher...

CVE-2026-26975

Music Assistant is an open-source media library manager that integrates streaming services with connected speakers. Versions 2.6.3 and below allow unauthenticated network-adjacent attackers to execute arbitrary code on affected installations. The music/playlists/update API allows users to bypass...

CVE-2026-26975 Music Assistant Server Path Traversal in Playlist Update API Allows Remote Code Execution

Music Assistant is an open-source media library manager that integrates streaming services with connected speakers. Versions 2.6.3 and below allow unauthenticated network-adjacent attackers to execute arbitrary code on affected installations. The music/playlists/update API allows users to bypass...

EUVD-2026-5707

WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access...

CVE-2026-25565

WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access...

PT-2026-6928

Name of the Vulnerable Software and Affected Versions WeKan versions prior to 8.19 Description WeKan contains an authorization issue in certain card update API paths. These paths only validate read access to a board instead of requiring write permission. This allows users with read-only roles to...

CVE-2025-13093

The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible...

CVE-2025-8110

CVE-2025-8110 affects Gogs self-hosted Git service versions 0.13.3 and earlier, due to improper symbolic link handling in PutContents that allows a symlink to target outside the repository, enabling remote code execution. Root cause: API writes to file paths without validating symlinks. Impact: l...

CVE-2025-62780 changedetection.io vulnerable to stored XSS in Watch update via API

changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can insert a new watch...

CVE-2025-11172 Check Plagiarism <= 2.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The Check Plagiarism plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the chkplagminepluginwpse10500adminaction function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-9428

Zohocorp ManageEngine Analytics Plus versions 6171 and prior are vulnerable to authenticated SQL Injection via the key update api...

EUVD-2025-35160

Zohocorp ManageEngine Analytics Plus versions 6171 and prior are vulnerable to authenticated SQL Injection via the key update api...

EUVD-2019-10988

Malware in sbrugna...

EUVD-2024-3608

Malicious code in bioql PyPI...

PT-2025-36457

Name of the Vulnerable Software and Affected Versions: Multi-Purpose Inventory Management System affected versions not specified Description: A stored Cross-Site Scripting XSS issue exists due to insufficient validation of user-supplied data. A remote user can exploit this by sending a POST reque...

PT-2025-35921

Name of the Vulnerable Software and Affected Versions: appRain CMF version 4.0.5 Description: A stored authenticated cross-site scripting XSS issue exists due to insufficient validation of user-supplied data. The vulnerability is triggered through the dataAddonlayouts and dataAddonlayouts except...

CVE-2025-51667

An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited SQL injection vulnerability, which may lead to partial data leakage or disruption of normal system operations...

[SECURITY] Fedora 42 Update: rust-icu_locid_transform-1.5.0-1.fc42

API for Unicode Language and Locale Identifiers canonicalization...

CVE-2025-3382

A vulnerability has been found in joey-zhou xiaozhi-esp32-server-java up to a14fe8115842ee42ab5c7a51706b8a85db5200b7 and classified as critical. This vulnerability affects the function update of the file /api/user/update. The manipulation of the argument state leads to sql injection. The attack c...

GO-2024-3356 Path Traversal in file update API in gogs in gogs.io/gogs

Path Traversal in file update API in gogs in gogs.io/gogs...