6 matches found
CVE-2021-36686
CVE-2021-36686 is an XSS vulnerability in YMFE YApi 1.9.1, exploitable via the /interface/api edit page. The issue affects the web interface code path used to edit API definitions; the precise root cause is described as a Cross Site Scripting flaw. The CVE entry notes that PoC exploits exist (exp...
CVE-2021-27884
The vulnerability CVE-2021-27884 affects YMFE YApi up to version 1.9.2, where the JWT signing secret is generated using Math.random() in Node.js. This weak randomness allows an attacker to recreate other users’ JWTs by exploiting predictable secret generation. Connected advisories (GHSA-2H3H-VW8R-82R...
CVE-2018-17574
CVE-2018-17574 affects YMFE YApi 1.3.23 with a stored XSS vulnerability in the project name field. The issue is described across multiple sources (NVD entry and related advisories) as a stored cross-site scripting flaw in YMFE YApi 1.3.23; CVSS v3.0 base score 5.4 (MEDIUM), CVSS v2 base score 3.5...
CVE-2025-70058
CVE-2025-70058 affects YMFE yapi v1.12.0. The root cause is improper TLS/SSL certificate validation caused by Axios HTTPS agent configuration that sets rejectUnauthorized to false, enabling MITM-like interception. Documented in multiple sources (YAPI-related advisories and NVD/Red Hat entries). T...
CVE-2025-70060
The CVE-2025-70060 entry concerns YMFE yapi v1.12.0 with a CWE-79 weakness (Improper Neutralization of Input During Web Page Generation). The connected sources consistently identify this as an input handling flaw in the web page generation process for YMFE yapi, without detailing exploited vectors...
CVE-2025-70059
CVE-2025-70059 affects YMFE yapi v1.12.0, with the root cause described as CWE-400 Uncontrolled Resource Consumption leading to denial of service. The connected sources consistently report this DoS impact for YMFE yapi 1.12.0. No remediation or patched version is identified in the supplied docume...