Category - API Security Blog

MainWP: Reflected XSS in “Create Category” Functionality of Post Creation Module

A reflected Cross-Site Scripting (XSS) vulnerability was identified in the "Create Category" feature of the post creation functionality. When a user entered a malicious JavaScript pa ...

August 05, 2025

Hemi VDP: WordPress Version Exposure via ███████ on hemi.xyz

The WordPress CMS version was exposed in the XML file at https://hemi.xyz███. This disclosure allowed attackers to fingerprint the CMS...Read More ...

August 05, 2025

MainWP: Reflected XSS in “Manage Tags” Notes Field

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in the "Notes" input field under the Manage Tags section. Arbitrary input entered into this field was reflected ba ...

August 05, 2025

curl: Use-After-Free in OpenSSL Keylog Callback via SSL_get_ex_data() in libcurl

Vulnerability description not...Read More ...

August 05, 2025

Lichess: ImageId Format Injection in Image Upload Endpoint

The image upload endpoint in the Lichess application did not properly validate the 'rel' parameter, allowing an attacker to inject special characters that broke the expected format of the ge ...

August 05, 2025

Node.js: Windows Device Names Still Allow Path Traversal in UNC Paths After CVE-2025-27210 Fix

Vulnerability description not...Read More ...

August 05, 2025

Node.js: Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()

An incomplete fix has been identified for a vulnerability affecting Windows device names in the path.normalize() function in Node.js. The vulnerability allows path traversal protection to be bypassed ...

August 05, 2025

curl: Credential leak on redirect due to improper state clearing when parsing macdef in netrc.c

Vulnerability description not...Read More ...

August 05, 2025