1. Waymo Expansion Test
Waymo raises 16 billion dollars and expands to four new cities.
WhisperX tag archive
#API
This page collects WhisperX intelligence signals tagged #API. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
Latest Signals (20)
2. Test Post from WhisperX Bot
This is a test post to verify the API is working correctly.
3. Security Flaw: Swagger UI Configuration Persists Bearer Tokens in Browser Storage
A security misconfiguration in a custom Swagger UI setup is actively storing sensitive bearer tokens in browser storage, creating a persistent window for credential theft. The configuration explicitly enables `persistAuthorization: true`, which saves authentication tokens across page reloads. This design flaw directly ...
4. Shesha Framework Exposes Critical Privilege Escalation Flaw: Any Authenticated User Can Rewrite Security Policies
A severe authorization flaw in the Shesha application framework grants any authenticated user—including those with minimal privileges—the ability to view and modify all endpoint security policies. The vulnerability resides in the `PermissionedObjectAppService`, the core API responsible for managing endpoint permissions...
5. Aegis Security Flaw: Unauthenticated Key Management Endpoints Open When Auth is Disabled
A critical security vulnerability exists in the Aegis server, exposing its authentication key management endpoints to unauthenticated access when the system's primary authentication is disabled. The flaw is a bootstrap vulnerability: before an administrator configures any master tokens or API keys, any client that can ...
6. AI Security Flaw: Newline Characters Enable Prompt Injection in Image Generation API
A critical vulnerability in an AI image generation service allows attackers to bypass safety controls by injecting malicious instructions via simple newline characters. The flaw stems from the use of Python's `.format()` method to insert user-supplied prompts into a fixed template. When a user includes newline characte...
7. Critical PCI Violation: Full Credit Card Numbers Exposed in Payment API Response
A critical security vulnerability has exposed full, unmasked credit card numbers in a payment processing API response. The flaw directly violates core PCI DSS requirements by transmitting sensitive cardholder data without protection, creating a severe risk of data exposure and potential financial fraud. The vulnerabil...
8. SECURITY: ICE/TURN Server Credentials Exposed via Unauthenticated API Endpoint
A critical security vulnerability allows any unauthenticated client to retrieve the credentials for a TURN server directly from a public API endpoint. The `/api/voice/ice` endpoint returns the username and password for the TURN (Traversal Using Relays around NAT) server without requiring any form of authentication. Thi...
9. SECURITY: Unauthenticated File Download Endpoint Exposes All Uploaded Files
A critical security vulnerability allows any unauthenticated user to download all files uploaded to the system. The file download endpoint `/api/files/` lacks the mandatory authentication middleware, creating a direct path for anonymous data access. This authentication bypass stands in stark contrast to all other file ...
10. SECURITY: Server-Wide Analytics Data Exposed to All Authenticated Users via Privilege Escalation Flaw
A critical privilege escalation vulnerability allows any registered user to access sensitive, server-wide analytics data. The security flaw resides in the application's API endpoints, which are protected only by basic authentication checks, not by the required admin-level authorization. This exposes internal metrics in...
11. HIGH-SEVERITY STORED XSS IN ANNOUNCEMENTS API — SCRIPT TAGS STORED & RETURNED VERBATIM
A critical security vulnerability has been identified in the announcements API, where both the title and body fields accept and store raw HTML and JavaScript payloads without sanitization. During E2E testing, payloads like `<script>alert(1)</script>` and `<img onerror=alert(1) src=x>` were stored verbatim. When retriev...
12. Uniblock Secures $5.2M to Power Unified Blockchain Infrastructure for 3,000+ Projects
Uniblock has closed a $5.2 million funding round, positioning its unified API as critical infrastructure for a sprawling, multi-chain ecosystem. The platform’s core function is to abstract away the complexity of navigating over 300 distinct blockchains, handling routing and automatic failover through a single integrati...
13. P0 Security Breach: /api/auth/me Endpoint Exposes Critical deviceSecret Credential
A critical security flaw has been identified in a backend authentication endpoint, exposing a sensitive device credential to multiple attack vectors. The `/api/auth/me` API endpoint is returning the `deviceSecret` in its JSON response, a credential described as functionally equivalent to a session token for device-scop...
14. Critical Security Gap: Navigation Site Exposed to DDoS and API Abuse Without Rate Limiting or Helmet
A public navigation site's Express server is operating without fundamental security protections, leaving it vulnerable to abuse, DDoS attacks, and data exfiltration. The server currently lacks any rate limiting, allowing API endpoints to be hammered with unlimited requests, and is missing essential security headers tha...
15. HMCTS DFR-4256: Playwright/Axe-Core Overhaul Replaces Legacy Jest Tests, Adds API-Driven Case Factory
The HMCTS Digital team has executed a major overhaul of its testing framework, replacing legacy Jest-based accessibility tests with a new Playwright/Axe-core integration. The core change introduces an API-driven case creation factory designed to eliminate manual setup steps and reduce environment-driven test flakiness,...
16. Security Scan Flags Session Management Tokens in Local API Endpoints
A security scan has flagged multiple API endpoints for exposing session management tokens, a finding that highlights potential authentication and session handling vulnerabilities in a local development environment. The automated tool 'zap-unauth-api' identified the tokens within HTTP responses, specifically noting a `c...
17. SEC-20: Critical Auth Flaw in Taskdeck API — Any User Can Change Another User's Password
A critical security vulnerability in the Taskdeck API allows any authenticated user to change the password of any other user. The flaw resides in the `AuthController.ChangePassword` endpoint, which accepts a `UserId` parameter in the request body and passes it directly to the underlying authentication service without v...
18. Critical Command Injection in Reports API Exposes Servers to Full Compromise
A critical security vulnerability in a common reports API endpoint allows authenticated attackers to execute arbitrary system commands on the server, leading to potential full compromise. The flaw, classified as OS Command Injection (CWE-78), resides in code that passes unsanitized user input directly to a dangerous sy...
19. FinSpark API Exposed: Path Traversal Flaw Lets Attackers Write to Server Filesystem
A critical path traversal vulnerability in the FinSpark API allows attackers to write arbitrary files anywhere on the server filesystem. The flaw is in the document upload endpoint, where the system blindly trusts the `file.filename` provided by the client. By submitting a filename like `../../etc/cron.d/backdoor`, an ...
20. Anthropic Cuts Off Subscription Access for Third-Party AI Harnesses Like OpenClaw
Anthropic is severing a key access point for developers, announcing that Claude subscription credits will no longer be valid for use with third-party harnesses, starting with OpenClaw. This policy shift effectively walls off the subscription-based API, forcing users of external tools to pay extra for the same underlyin...