CVE-2026-43885
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints e.g. userslist without logging in. Commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b contains an...
CVE-2026-43885 WWBN AVideo: Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints e.g. userslist without logging in. Commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b contains an...
PT-2026-27633
Name of the Vulnerable Software and Affected Versions Ech0 versions prior to 4.2.0 Description The GET /api/allusers API endpoint is publicly accessible, allowing remote unauthenticated user enumeration and exposure of user profile metadata. The route is registered under public routes in...
UBUNTU-CVE-2020-36968
M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for al...
CVE-2020-36968
CVE-2020-36968 affects M/Monit 3.7.4. An authentication vulnerability allows authenticated attackers to retrieve user password hashes by calling administrative API endpoints /api/1/admin/users/list and /api/1/admin/users/get, extracting MD5 hashes for all users. Multiple connected sources (Debian...
EUVD-2010-0374
Malware in sbrugna...
EUVD-2022-45961
Malicious code in bioql PyPI...
CVE-2025-59687
IMPAQTR Aurora before 1.36 allows Insecure Direct Object Reference attacks against the users list, organization details, bookmarks, and notifications of an arbitrary organization...
CVE-2025-59687
The CVE describes an Insecure Direct Object Reference vulnerability in IMPAQTR Aurora pre-1.36. Affected product: IMPAQTR Aurora. Vulnerable component: the data access to users list, organization details, bookmarks, and notifications for an arbitrary organization due to improper access control of...
CVE-2024-4447
In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API UserSessionAjax.getSessionList.dwr calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack...
PT-2024-34599 · Lunary Ai · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.2.4 Description: An account takeover issue exists due to the exposure of password recovery tokens in API responses. When a user initiates the password reset process, the recovery token is included in the response of...
PT-2024-23081 · Unknown · Evolution Controller
Name of the Vulnerable Software and Affected Versions: Evolution Controller versions 2.04.560.31.03.2024 and below Description: The Web interface of Evolution Controller contains poorly configured access control on the "MOBILE GET USERS LIST" endpoint, allowing an unauthenticated attacker to...
ManageEngine SupportCenter Plus < 11.0 Build 11025
The version of ManageEngine SupportCenter Plus installed on the remote host is prior to 11.0 Build 11025. It is, therefore, affected by a vulnerability as referenced in the support-centercve-2022-42903 advisory. - Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to...
Code injection
Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list...
CVE-2022-42903
Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list...
CVE-2022-42903
Summary: CVE-2022-42903 affects Zoho ManageEngine SupportCenter Plus up to version 11.0 Build 11024. The issue allows low-privileged users to view the organization users list, indicating an access-control exposure. Affected product/versions (per provided documents): Zoho ManageEngine SupportCente...
Rocket.Chat information disclosure vulnerability
Rocket.Chat is an open source team chat software. An information disclosure vulnerability exists in Rocket.Chat versions prior to 4.7.5, which stems from allowing the "users.list" REST endpoint to fetch query parameters from JSON and run Users.findqueryFromClientSide, which can be exploited by an...
MediaWiki GlobalNewFiles input validation error vulnerability
GlobalNewFiles is an extension of the MediaWiki Foundation that provides a special page to view all files of a wiki farm globally. An input validation error vulnerability exists in GlobalNewFiles, which stems from the fact that the list of users of the special GlobalNewFiles page is vulnerable to...