874 matches found
UBUNTU-CVE-2025-58122
Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure...
CVE-2025-20349
A vulnerability in the REST API of Cisco Catalyst Center could allow an authenticated, remote attacker to execute arbitrary commands in a restricted container as the root user. This vulnerability is due to insufficient validation of user-supplied input in REST API request parameters. An attacker...
CVE-2025-11923
The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation. This is due to the plugin not properly validating a user's identity prior to allowing them to modify their own role via the REST API. The permission check in the...
CVE-2025-11923 LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes - Various Versions - Authenticated (Student+) Privilege Escalation
The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation. This is due to the plugin not properly validating a user's identity prior to allowing them to modify their own role via the REST API. The permission check in the...
EUVD-2025-60948
The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.5.0. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles durin...
CVE-2025-11451
The Auto Amazon Links – Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary files reads in all versions up to, and including, 5.4.3 via the '/wp-json/wp/v2/aalajaxunitloading' RST API endpoint. This makes it possible for unauthenticated attackers to read the content...
SUSE CVE-2025-62714
Karmada Dashboard is a general-purpose, web-based control panel for Karmada which is a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints e.g., /api/v1/secret, /api/v1/service did not...
VulnCheck KEV: CVE-2025-11749
The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract th...
EUVD-2025-37421
The Folderly plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the /wp-json/folderly/v1/config/clear-all-data REST API endpoint in all versions up to, and including, 0.3. This makes it possible for authenticated attackers, with...
CVE-2025-12038 Folderly <= 0.3 - Incorrect Authorization to Authenticated (Author+) Term Deletion
The Folderly plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the /wp-json/folderly/v1/config/clear-all-data REST API endpoint in all versions up to, and including, 0.3. This makes it possible for authenticated attackers, with...
Malicious code in react-web-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c4085854cc31bff9ffd272cf1faf16a2cbe3d67d700b330ef7d21108bdd0f05e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
EUVD-2025-36849
Malicious code in react-web-api npm...
Malicious Package
Overview react-web-api is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
MAL-2025-49038 Malicious code in react-web-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c4085854cc31bff9ffd272cf1faf16a2cbe3d67d700b330ef7d21108bdd0f05e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2025-34133
Wimi Teamwork versions prior to 7.38.17 contains a cross-site request forgery CSRF vulnerability in its API. The API accepts any authenticated request that contains a JSON field named 'csrftoken' without validating the field’s value; only the presence of the field is checked. An attacker can craf...
Cross-site Scripting (XSS)
org.apache.geode, geode-web-api is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of user input in the web API REST interface, which allows an attacker to inject malicious scripts and execute arbitrary code on the returned page, potentially leading to...
WordPress SureForms plugin information disclosure vulnerability
WordPress SureForms plugin is a visual form builder plugin designed for WordPress , support drag and drop operation , no programming foundation to quickly build responsive forms . An information disclosure vulnerability exists in the WordPress SureForms plugin, which stems from improper access...
CVE-2024-44088
Malicious script injection 'Cross-site Scripting' vulnerability in Apache Geode web-api REST. This vulnerability allows an attacker that tricks a logged-in user into clicking a specially-crafted link to execute code on the returned page, which could lead to theft of the user's session information...
EUVD-2024-55032
Apache Geode web-api is vulnerable to Cross-site Scripting...
GHSA-W595-4975-GM3H Apache Geode web-api is vulnerable to Cross-site Scripting
Malicious script injection 'Cross-site Scripting' vulnerability in Apache Geode web-api REST. This vulnerability allows an attacker that tricks a logged-in user into clicking a specially-crafted link to execute code on the returned page, which could lead to theft of the user's session information...