CVE-2023-34422

A valid, authenticated LXCA user with elevated privileges may be able to delete folders in the LXCA filesystem through a specifically crafted web API call due to insufficient input validation...

CVE-2023-34421

A valid, authenticated LXCA user with elevated privileges may be able to replace filesystem data through a specifically crafted web API call due to insufficient input validation...

CVE-2023-30612

Cloud hypervisor is a Virtual Machine Monitor for Cloud workloads. This vulnerability allows users to close arbitrary open file descriptors in the Cloud Hypervisor process via sending malicious HTTP request through the HTTP API socket. As a result, the Cloud Hypervisor process can be easily...

CVE-2023-34420

A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API...

CVE-2023-33237

TN-5900 Series firmware version v3.3 and prior is vulnerable to improper-authentication vulnerability. This vulnerability arises from inadequate authentication measures implemented in the web API handler, allowing low-privileged APIs to execute restricted actions that only high-privileged APIs ar...

CVE-2022-33138

A vulnerability has been identified in SIMATIC MV540 H All versions V3.3, SIMATIC MV540 S All versions V3.3, SIMATIC MV550 H All versions V3.3, SIMATIC MV550 S All versions V3.3, SIMATIC MV560 U All versions V3.3, SIMATIC MV560 X All versions V3.3. Affected devices do not perform authentication f...

CVE-2022-46764

A SQL injection issue in the web API in TrueConf Server 5.2.0.10225 fixed in 5.2.6.10025 allows remote unauthenticated attackers to execute arbitrary SQL commands, ultimately leading to remote code execution...

CVE-2022-21377

Vulnerability in the Primavera Portfolio Management product of Oracle Construction and Engineering component: Web API. Supported versions that are affected are 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2 and 20.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access v...

CVE-2021-37415

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication...

CVE-2019-13516

In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect...

CVE-2019-13515

OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information...

CVE-2019-5430

In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user consent, requiring the attacker to lure an authenticated user to access on attacker controlled page...

CVE-2019-12612

An issue was discovered in Bitdefender BOX firmware versions before 2.1.37.37-34 that allows an attacker to pass arbitrary code to the BOX appliance via the web API. In order to exploit this vulnerability, an attacker needs presence in Bitdefender BOX setup network and Bitdefender BOX be in setup...

CVE-2013-4859

INSTEON Hub 2242-222 lacks Web and API authentication...

CVE-2025-4646

Incorrect Authorization vulnerability in Centreon web API Token creation form modules allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4...

CVE-2025-32961

The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name...

CVE-2025-32961

The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name...

CVE-2025-32961 CUBA JPA Web API Vulnerable to Cross-Site Scripting (XSS) in the /download Endpoint

The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name...

CVE-2025-32961

The CVE-2025-32961 issue affects the Cuba JPA Web API (Cuba Platform add-on) prior to version 1.1.1, where an attacker could manipulate the input parameter (string with a file path/name) to cause the server to return a Content-Type of text/html for names ending in .html. This can enable execution...

CVE-2025-32961 CUBA JPA Web API Vulnerable to Cross-Site Scripting (XSS) in the /download Endpoint

The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name...