WhisperX tag archive

#API Security

This page collects WhisperX intelligence signals tagged #API Security. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (20)

The Lab · 2026-03-25 18:27:32 · GitHub Issues

1. Critical API Flaw Exposes Full Game Vote History and Session IDs Without Authentication

A critical security vulnerability has been discovered in a game server's API, exposing the complete historical dataset of player votes, scores, and session identifiers to anyone on the internet. The `/api/export/votes.csv` endpoint lacks any form of authentication, allowing unauthenticated access to download the entire ...

The Lab · 2026-03-27 04:27:02 · GitHub Issues

2. [SECURITY BUG] #222: Production API Exposed via Unrestricted CORS, Allowing Cross-Origin Attacks

A critical security misconfiguration has been identified in a production backend, where the CORS (Cross-Origin Resource Sharing) policy is set to allow requests from any origin. The vulnerability, documented in GitHub issue #222, stems from the use of `app.use(cors())` with no configuration in the main application file...

The Lab · 2026-03-27 07:26:54 · GitHub Issues

3. Library Management API Exposes All Borrow Records via Invalid Status Parameter

A critical security flaw in a library management system's API allows any attacker to bypass access controls and retrieve the entire dataset of borrow records simply by sending an invalid query parameter. The vulnerability, classified as HIGH severity, resides in the `BorrowController.java` file where a silent exception...

The Lab · 2026-03-28 00:26:56 · GitHub Issues

4. EmpCloud API Exposes Stored XSS Vulnerability in Policy Endpoint

A critical stored cross-site scripting (XSS) vulnerability has been identified in the EmpCloud API, allowing attackers to inject and persistently store malicious JavaScript code within the platform's policy management system. The flaw resides in the `POST /api/v1/policies` endpoint, which accepts and stores raw HTML an...

The Lab · 2026-03-28 00:26:58 · GitHub Issues

5. EmpCloud API Exposes Critical XSS Vulnerability: Announcements Endpoint Stores Raw Script Tags

A critical security flaw in EmpCloud's API allows attackers to inject and store malicious JavaScript code directly into the platform's announcement system. The vulnerability, a classic Cross-Site Scripting (XSS) issue, was discovered in the `POST /api/v1/announcements` endpoint. During testing, raw HTML and JavaScript ...

The Lab · 2026-03-28 05:27:00 · GitHub Issues

6. Ergo Platform API Vulnerability: Unbounded Inputs in /api/lp/apy Endpoint Risk APY Manipulation

A critical vulnerability in the Ergo blockchain platform's liquidity provider API allows malicious actors to manipulate displayed Annual Percentage Yield (APY) calculations. The `/api/lp/apy` endpoint, defined in `lp_routes.py`, fails to validate user-controlled query parameters `avg_bet_size` and `bets_per_block`. Thi...

The Lab · 2026-03-28 08:27:02 · GitHub Issues

7. Security Tool Gap: Project Lacks Critical XXE Vulnerability Scanner for API Testing

A significant security testing gap has been identified in an open-source security tool: it currently lacks the ability to detect XML External Entity (XXE) injection vulnerabilities. This omission leaves a critical blind spot, particularly for API-focused security assessments where XML payloads are common in SOAP servic...

The Lab · 2026-03-28 22:26:55 · GitHub Issues

8. Convex Database API Exposed to DoS via Unvalidated 'limit' Parameter

A critical Denial-of-Service (DoS) vulnerability was discovered in a Convex database function, where a malicious actor could trigger a massive bandwidth spike by submitting an arbitrarily large number to an unvalidated `limit` parameter. The flaw, located in the `questionsLibrary.ts` file, allowed an input like `limit:...

The Lab · 2026-03-29 04:27:00 · GitHub Issues

9. Supabase RLS Gap Exposes User Chat History and Analytics Data to Potential API Bypass

A critical security gap in a Supabase-backed application leaves user chat history and session analytics vulnerable to direct database access. The system stores sensitive user data in two tables—`learning_sessions` (full chat history) and `analytics_events` (session metadata)—without verified Row Level Security (RLS) po...

The Lab · 2026-03-29 10:26:52 · GitHub Issues

10. [SECURITY BUG] mcpgateway API Endpoint Exposes Server ID Validation Gap, Echoes Prior Vulnerability

A critical security vulnerability has been identified within the mcpgateway component, where the `/servers/{id}/message` API endpoint fails to validate the provided `server_id` against the database. This flaw allows the endpoint to process requests for non-existent servers, creating a potential vector for unauthorized ...

The Lab · 2026-03-30 12:27:13 · GitHub Issues

11. Policai AI Policy Tracker Exposes Critical SSRF Vulnerability in Admin Endpoints

A critical Server-Side Request Forgery (SSRF) vulnerability has been identified within the Policai Australian AI Policy Tracker's administrative API. The `/api/admin/analyse-url` endpoint performs a server-side `fetch()` on any user-supplied URL without validation, allowing authenticated attackers to probe internal inf...

The Lab · 2026-03-31 06:57:06 · GitHub Issues

12. PPOM for WooCommerce REST API Exposes Critical Security Flaw: Unauthenticated Access to Product & Order Data

A critical security vulnerability has been identified in the PPOM for WooCommerce plugin, exposing sensitive store data to unauthenticated users. The plugin's entire REST API, comprising seven distinct endpoints, is configured with a blanket `'permission_callback' => '__return_true'`. This configuration effectively byp...

The Lab · 2026-04-01 16:27:25 · GitHub Issues

13. BC Gov Forestry API GitHub Repository Exposes CVE-2026-33871 Vulnerability Fix

A GitHub repository for the British Columbia government's forestry client API has publicly documented a fix for a vulnerability identified as CVE-2026-33871. The issue, logged in the official 'bcgov/nr-forest-client-api' repository, shows a direct link between a code change and a specific, future-dated Common Vulnerabi...

The Lab · 2026-04-02 23:26:59 · GitHub Issues

14. Security Scan Flags Session Management Tokens in Local API Endpoints

A security scan has flagged multiple API endpoints on a local development server for exposing session management tokens. The automated tool identified responses containing tokens, specifically `csrf_token` parameters, which are used for session management and cross-site request forgery protection. This finding is signi...

The Lab · 2026-04-03 14:27:09 · GitHub Issues

15. SECURITY CRITICAL: API Exposes IDOR Flaw, Allowing Any User to Hijack Others' Favorites

A critical security vulnerability in a web application's API allows any authenticated user to impersonate any other user, granting unauthorized access to create, delete, and query personal favorites. The flaw, a classic Broken Object Level Authorization (BOLA/IDOR) issue, stems from a fundamental authentication bypass ...

The Lab · 2026-04-03 15:27:02 · GitHub Issues

16. Athena M2M API Exposed: Admin Bypass Allows Arbitrary, Potentially Admin-Level Scope Assignment

A critical access control vulnerability has been identified in the Athena platform's machine-to-machine (M2M) client registration system. The flaw allows any authenticated administrator to bypass the intended security controls and assign arbitrary, potentially dangerous OAuth2 scopes to new M2M clients. This server-sid...

The Lab · 2026-04-04 11:27:01 · GitHub Issues

17. GitHub API Rate Limit Bypass Exposed: Anonymous Users Could Spoof IPs, Bypass Daily Scan Quotas

A critical vulnerability in a GitHub-hosted API allowed anonymous users to spoof their IP addresses and completely bypass daily scan quotas, risking abuse of external services and uncontrolled costs. The flaw stemmed from a misconfigured proxy setup that trusted all incoming traffic, making it trivial for attackers to ...

The Lab · 2026-04-05 16:27:02 · GitHub Issues

18. Critical SQL Injection Exposes Full Transaction Database via Unsecured API Endpoint

A critical SQL injection vulnerability in a core financial API endpoint allows attackers to bypass all access controls and exfiltrate the entire transaction database. The flaw resides in the `/api/v1/transactions` endpoint, where the `account_id` parameter is directly concatenated into a SQL query without any parameter...

The Lab · 2026-04-05 17:27:02 · GitHub Issues

19. Critical Security Gap: WhisperX Frontend Blindly Trusts API Data, Enabling Type Confusion & RBAC Bypass

A critical security vulnerability exists within the WhisperX frontend codebase, where API responses are accepted without any runtime validation. The application uses TypeScript's `as` assertions, which are compile-time only, to cast incoming data. This creates a dangerous blind trust scenario where any malformed, compr...

The Lab · 2026-04-05 21:27:00 · GitHub Issues

20. Critical SQL Injection Exposes Full Transaction Database via Unsecured API Endpoint

A critical SQL injection vulnerability in a core financial API endpoint allows attackers to bypass all access controls and exfiltrate the entire transaction database. The flaw resides in the `/api/v1/transactions` endpoint, where the `account_id` parameter is passed directly into an SQL query without any parameterizati...