Total
54 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-20122 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2026-03-04 | N/A | 5.4 MEDIUM |
|
A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system.
This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful expl ...
Show More |
|||||
| CVE-2026-20126 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2026-03-04 | N/A | 8.8 HIGH |
|
A vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with low privileges to gain root privileges on the underlying operating system.
This vulnerability is due to an insufficient user authentication mechanism in the REST API. An attacker could exploit this vulnerability by sending a request to the REST API of the affected system. A successful exploit could allow the attacker to gain root privileges on the underlying operating system.
|
|||||
| CVE-2026-22922 | 1 Apache | 1 Airflow | 2026-02-11 | N/A | 6.5 MEDIUM |
|
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access.
Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue.
|
|||||
| CVE-2025-63291 | 1 Alteryx | 1 Alteryx Server | 2026-01-12 | N/A | 5.4 MEDIUM |
|
When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying particlar MongoDB object IDs, callers could obtain records for other users without proper authorization. Records retrievable using this attack included administrative API keys and private studio api keys.
|
|||||
| CVE-2025-1161 | 2025-12-12 | N/A | 7.1 HIGH | ||
|
Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege Escalation.This issue affects Nomysem: through May 2025.
|
|||||
| CVE-2024-32008 | 2025-11-12 | N/A | 7.8 HIGH | ||
|
A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to a local privilege escalation due to an exposed debug interface on the localhost. This allows any local user to gain code execution as administrative application user.
|
|||||
| CVE-2025-54769 | 1 Xorux | 1 Lpar2rrd | 2025-11-03 | N/A | 8.8 HIGH |
|
An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker.
|
|||||
| CVE-2025-54768 | 1 Xorux | 1 Lpar2rrd | 2025-11-03 | N/A | 5.3 MEDIUM |
|
An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to download logs from the appliance configuration, exposing sensitive information.
|
|||||
| CVE-2025-54767 | 1 Xorux | 1 Lpar2rrd | 2025-11-03 | N/A | 6.5 MEDIUM |
|
An authenticated, read-only user can kill any processes running on the Xormon Original virtual appliance as the lpar2rrd user.
|
|||||
| CVE-2025-54766 | 1 Xorux | 1 Xormon | 2025-11-03 | N/A | 5.3 MEDIUM |
|
An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information.
|
|||||
| CVE-2025-54765 | 1 Xorux | 1 Xormon | 2025-11-03 | N/A | 5.3 MEDIUM |
|
An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include granting themselves administrative level permissions.
|
|||||
| CVE-2025-5997 | 2025-07-29 | N/A | 8.8 HIGH | ||
|
Incorrect Use of Privileged APIs vulnerability in Beamsec PhishPro allows Privilege Abuse.This issue affects PhishPro: before 7.5.4.2.
|
|||||
| CVE-2025-7344 | 2025-07-22 | N/A | 8.8 HIGH | ||
|
The EAI developed by Digiwin has a Privilege Escalation vulnerability, allowing remote attackers with regular privileges to elevate their privileges to administrator level via a specific API.
|
|||||
| CVE-2025-0589 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2025-07-02 | N/A | 5.3 MEDIUM |
|
In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not ex ...
Show More |
|||||
| CVE-2025-23375 | 1 Dell | 1 Powerprotect Data Manager | 2025-05-13 | N/A | 7.8 HIGH |
|
Dell PowerProtect Data Manager Reporting, version(s) 19.17, contain(s) an Incorrect Use of Privileged APIs vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
|
|||||
| CVE-2022-26323 | 2025-04-17 | N/A | N/A | ||
|
Incorrect Use of Privileged APIs vulnerability in OpenText™ Operations Bridge Manager, OpenText™ Operations Bridge Suite (Containerized), OpenText™ UCMDB ( Classic and Containerized) allows Privilege Escalation.
The vulnerability could allow authenticated attackers to elevate user privileges. This issue affects Operations Bridge Manager: through 2021.05; Operations Bridge Suite (Containerized): through 2021.05; UCMDB ( Classic and Containerized): through 2021.05.
|
|||||
| CVE-2025-2311 | 2025-03-21 | N/A | 9.0 CRITICAL | ||
|
Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring.This issue affects SecHard: before 3.3.0.20220411.
|
|||||
| CVE-2023-4009 | 1 Mongodb | 1 Ops Manager Server | 2025-02-13 | N/A | 7.2 HIGH |
|
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.
|
|||||
| CVE-2024-46978 | 1 Xwiki | 1 Xwiki | 2025-02-07 | N/A | 6.5 MEDIUM |
|
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible for any user knowing the ID of a notification filter preference of another user, to enable/disable it or even delete it. The impact is that the target user might start loosing notifications on some pages because of this. This vulnerability is present in XWiki since 13.2-rc-1. This vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1. The patch consists in ...
Show More |
|||||
| CVE-2023-29507 | 1 Xwiki | 1 Xwiki | 2025-02-06 | N/A | 9.1 CRITICAL |
|
XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.
|
|||||
| CVE-2024-53007 | 2025-01-31 | N/A | 6.4 MEDIUM | ||
|
Bentley Systems ProjectWise Integration Server before 10.00.03.288 allows unintended SQL query execution by an authenticated user via an API call.
|
|||||
| CVE-2023-4993 | 1 Utarit | 1 Solipay Mobile | 2025-01-23 | N/A | 7.5 HIGH |
|
Incorrect Use of Privileged APIs vulnerability in Utarit Information Technologies SoliPay Mobile App allows Collect Data as Provided by Users.This issue affects SoliPay Mobile App: before 5.0.8.
|
|||||
| CVE-2024-37018 | 2024-12-16 | N/A | 9.1 CRITICAL | ||
|
The OpenDaylight 0.15.3 controller allows topology poisoning via API requests because an application can manipulate the path that is taken by discovery packets.
|
|||||
| CVE-2024-22042 | 1 Siemens | 1 Unicam Fx | 2024-12-16 | N/A | 7.8 HIGH |
|
A vulnerability has been identified in Unicam FX (All versions). The windows installer agent used in affected product contains incorrect use of privileged APIs that trigger the Windows Console Host (conhost.exe) as a child process with SYSTEM privileges. This could be exploited by an attacker to perform a local privilege escalation attack.
|
|||||
| CVE-2024-8785 | 1 Progress | 1 Whatsup Gold | 2024-12-09 | N/A | 9.8 CRITICAL |
|
In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.
|
|||||
| CVE-2024-11068 | 1 Dlink | 2 Dsl6740c, Dsl6740c Firmware | 2024-11-24 | N/A | 9.8 CRITICAL |
|
The D-Link DSL6740C modem has an Incorrect Use of Privileged APIs vulnerability, allowing unauthenticated remote attackers to modify any user’s password by leveraging the API, thereby granting access to Web, SSH, and Telnet services using that user’s account.
|
|||||
| CVE-2023-6522 | 2024-11-21 | N/A | 7.2 HIGH | ||
|
Incorrect Use of Privileged APIs vulnerability in ExtremePacs Extreme XDS allows Collect Data as Provided by Users.This issue affects Extreme XDS: before 3914.
|
|||||
| CVE-2023-6151 | 1 Eskom | 1 E-belediye | 2024-11-21 | N/A | 7.5 HIGH |
|
Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users.This issue affects e-municipality module: before v.105.
|
|||||
| CVE-2023-6150 | 1 Eskom | 1 E-belediye | 2024-11-21 | N/A | 7.5 HIGH |
|
Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users.This issue affects e-municipality module: before v.105.
|
|||||
| CVE-2023-4972 | 1 Yepas | 1 Digital Yepas | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Incorrect Use of Privileged APIs vulnerability in Yepas Digital Yepas allows Collect Data as Provided by Users.This issue affects Digital Yepas: before 1.0.1.
|
|||||
| CVE-2023-28062 | 1 Dell | 1 Powerprotect Data Manager | 2024-11-21 | N/A | 8.8 HIGH |
|
Dell PPDM versions 19.12, 19.11 and 19.10, contain an improper access control vulnerability. A remote authenticated malicious user with low privileges could potentially exploit this vulnerability to bypass intended access restrictions and perform unauthorized actions.
|
|||||
| CVE-2023-20136 | 1 Cisco | 1 Secure Workload | 2024-11-21 | N/A | 4.3 MEDIUM |
|
A vulnerability in the OpenAPI of Cisco Secure Workload could allow an authenticated, remote attacker with the privileges of a read-only user to execute operations that should require Administrator privileges. The attacker would need valid user credentials.
This vulnerability is due to improper role-based access control (RBAC) of certain OpenAPI operations. An attacker could exploit this vulnerability by issuing a crafted OpenAPI function call with valid credentials. A successful exploit coul ...
Show More |
|||||
| CVE-2022-4805 | 1 Usememos | 1 Memos | 2024-11-21 | N/A | 4.3 MEDIUM |
|
Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.1.
|
|||||
| CVE-2022-4796 | 1 Usememos | 1 Memos | 2024-11-21 | N/A | 8.1 HIGH |
|
Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.1.
|
|||||
| CVE-2022-4687 | 1 Usememos | 1 Memos | 2024-11-21 | N/A | 8.1 HIGH |
|
Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.0.
|
|||||
| CVE-2022-2023 | 1 Trudesk Project | 1 Trudesk | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Incorrect Use of Privileged APIs in GitHub repository polonel/trudesk prior to 1.2.4.
|
|||||
| CVE-2022-24821 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 5.5 MEDIUM | 6.8 MEDIUM |
|
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But a bug allow anyone with edit rights to actually create those. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There's no easy workaround for this issue, administrators should upgrad ...
Show More |
|||||
| CVE-2022-24073 | 1 Navercorp | 1 Whale | 2024-11-21 | 5.8 MEDIUM | 7.1 HIGH |
|
The Web Request API in Whale browser before 3.12.129.18 allowed to deny access to the extension store or redirect to any URL when users access the store.
|
|||||
| CVE-2022-24071 | 1 Navercorp | 1 Whale | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
A Built-in extension in Whale browser before 3.12.129.46 allows attackers to compromise the rendering process which could lead to controlling browser internal APIs.
|
|||||
| CVE-2022-23720 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2024-11-21 | 4.4 MEDIUM | 7.5 HIGH |
|
PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage the ...
Show More |
|||||