WhisperX tag archive

#api-security

This page collects WhisperX intelligence signals tagged #api-security. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (20)

The Lab · 2026-04-12 00:22:20 · GitHub Issues

1. YUDDHA Autonomous Defender KAVACH Issues HIGH Zero-Trust Violation Patch for /api Endpoint

The YUDDHA platform's autonomous security agent, KAVACH, has flagged and patched a HIGH-severity zero-trust violation on a critical `/api` endpoint. The violation was identified as a template-level failure, indicating a systemic security gap where a repository scan could not locate the source code, leaving the endpoint...

The Lab · 2026-04-12 00:22:24 · GitHub Issues

2. YUDDHA Autonomous Security Patch Flags HIGH Zero-Trust Violation on /api Endpoint

The YUDDHA platform's autonomous security system, KAVACH, has auto-generated and verified a HIGH-severity patch for a zero-trust violation on a critical `/api` endpoint. This automated response, verified by the Mistral model and sandbox testing, indicates a significant lapse in the core principle of 'never trust, alway...

The Lab · 2026-04-12 02:22:27 · GitHub Issues

3. YUDDHA Autonomous Security Patch Flags CRITICAL Zero-Trust Violation in /api Endpoint

An autonomous security system has flagged and patched a critical zero-trust violation within the YUDDHA platform's core API. The violation, classified as CRITICAL severity, was discovered in the `/api` endpoint, specifically targeting PII data. The patch, auto-generated and verified by the KAVACH autonomous defender, w...

The Lab · 2026-04-12 02:22:31 · GitHub Issues

4. YUDDHA Autonomous Security Patch Flags CRITICAL Zero-Trust Violation in /api Endpoint

The YUDDHA platform's autonomous security system, KAVACH, has automatically generated and verified a critical patch for a zero-trust violation. The vulnerability, classified as CRITICAL, was found in the real source code of the `/api` endpoint, specifically targeting PII data. The autonomous defender identified the fla...

The Lab · 2026-04-12 02:22:35 · GitHub Issues

5. YUDDHA Autonomous Security Patch Flags HIGH Zero-Trust Violation in /api Endpoint

The YUDDHA platform's autonomous security system, KAVACH, has automatically generated and verified a HIGH-severity patch for a critical zero-trust violation discovered in the platform's `/api` endpoint. The violation was identified directly within the real source code of the `server.ts` file, indicating a concrete arch...

The Lab · 2026-04-12 03:22:27 · GitHub Issues

6. YUDDHA Autonomous Security Patch Flags HIGH Zero-Trust Violation in /api Endpoint

The YUDDHA platform's autonomous security system, KAVACH, has automatically generated and verified a HIGH-severity patch for a critical zero-trust violation discovered in its source code. The violation was identified in the `/api` endpoint, specifically within the `server.ts` file, and was flagged as originating from r...

The Lab · 2026-04-12 04:22:25 · GitHub Issues

7. YUDDHA Autonomous Security Patch Flags HIGH Zero-Trust Violation in /api Endpoint

The YUDDHA platform's autonomous security system, KAVACH, has automatically generated and verified a HIGH-severity patch for a critical zero-trust violation discovered in its source code. The violation was identified in the `/api` endpoint, specifically within the `server.ts` file, and was flagged as originating from r...

The Lab · 2026-04-12 05:22:24 · GitHub Issues

8. YUDDHA Autonomous Security Patch Flags HIGH Zero-Trust Violation in /api Endpoint

The YUDDHA platform's autonomous security system, KAVACH, has automatically generated and verified a HIGH-severity patch for a critical zero-trust violation. The flaw was discovered in the real source code of the platform's `/api` endpoint, specifically within the `server.ts` file. This is not a theoretical vulnerabili...

The Lab · 2026-04-23 08:54:08 · GitHub Issues

9. Security Audit Flags Inconsistent Payload Size Controls Across API Routes, Raising DoS Risk

A security investigation has uncovered a systemic gap in request validation across multiple API endpoints. A recently removed duplicate route stub for `POST /wallets` was found to lack `payloadSizeLimiter` middleware, prompting a broader audit that revealed inconsistent application of payload size controls across the c...
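The fix a practitioner wants for the gap described above is to make the payload size limit a property of the whole API surface rather than of each route, and to have a check that fails the build when a route is uncovered. The following is an added example, not the audited project's code: `payloadSizeLimiter`, the route registry and the 64 KiB cap are all assumptions, sketched in the Express `(req, res, next)` shape the report implies.

```javascript
// Added example, not the audited project's code: make the request payload
// size limit a property of the whole API surface rather than of each route.

const MAX_BODY_BYTES = 64 * 1024; // assumption: a 64 KiB cap suits JSON APIs

// Express-shaped (req, res, next) middleware, tagged so an audit can find it.
function payloadSizeLimiter(limit = MAX_BODY_BYTES) {
  const limiter = (req, res, next) => {
    const hasBody = ['POST', 'PUT', 'PATCH'].includes(req.method);
    const declared = Number(req.headers['content-length']);
    if (hasBody && !Number.isFinite(declared)) {
      // No Content-Length (e.g. chunked upload): refuse instead of buffering
      // an unbounded stream.
      res.status(411).json({ error: 'Content-Length required' });
      return;
    }
    if (declared > limit) {
      res.status(413).json({ error: 'payload too large' });
      return;
    }
    next();
  };
  limiter.isPayloadSizeLimiter = true;
  return limiter;
}

// Minimal stand-in for an Express app: app.use(), app.post(), dispatch.
function createApp() {
  const routes = [];
  const globalMiddleware = [];
  return {
    use: (mw) => globalMiddleware.push(mw),
    add: (method, path, ...handlers) => routes.push({ method, path, handlers }),
    // The audit: routes that no limiter covers, either globally or per route.
    routesMissingLimiter() {
      if (globalMiddleware.some((mw) => mw.isPayloadSizeLimiter)) return [];
      return routes
        .filter((r) => !r.handlers.some((h) => h.isPayloadSizeLimiter))
        .map((r) => `${r.method} ${r.path}`);
    },
    handle(req) {
      const route = routes.find((r) => r.method === req.method && r.path === req.path);
      if (!route) return { status: 404, body: { error: 'not found' } };
      const res = fakeResponse();
      const chain = [...globalMiddleware, ...route.handlers];
      let i = 0;
      const next = () => { if (i < chain.length) chain[i++](req, res, next); };
      next();
      return res.result;
    },
  };
}

function fakeResponse() {
  const res = { result: { status: 200, body: null } };
  res.status = (code) => { res.result.status = code; return res; };
  res.json = (body) => { res.result.body = body; return res; };
  return res;
}

const created = (req, res) => res.status(201).json({ ok: true });

// Per-route wiring, the pattern the audit found wanting: one route slips through.
function buildPerRouteApp() {
  const app = createApp();
  app.add('POST', '/payments', payloadSizeLimiter(), created);
  app.add('POST', '/wallets', created); // limiter forgotten on this route
  return app;
}

// Global wiring: mounted once, ahead of every route, nothing to forget.
function buildGlobalApp() {
  const app = createApp();
  app.use(payloadSizeLimiter());
  app.add('POST', '/payments', created);
  app.add('POST', '/wallets', created);
  return app;
}

const tenMiB = { method: 'POST', path: '/wallets', headers: { 'content-length': String(10 * 1024 * 1024) } };
console.log(buildPerRouteApp().routesMissingLimiter()); // [ 'POST /wallets' ]
console.log(buildPerRouteApp().handle(tenMiB).status);  // 201: accepted
console.log(buildGlobalApp().handle(tenMiB).status);    // 413: rejected
```

Running `routesMissingLimiter()` at startup (or in CI) and failing when it returns anything is the cheap regression test; mounting the limiter globally makes that list empty by construction. The 411 branch is a deliberate choice: a body with no declared length has to be bounded while streaming, and refusing it is safer than trusting every body parser to do so.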

The Lab · 2026-04-23 09:54:15 · GitHub Issues

10. API Security Flaw Exposes Internal Invite UUIDs in Duplicate Invite Error Responses

A low-severity security vulnerability in the organization's invitation API allows internal invite identifiers to be exposed through error responses. When the system detects a duplicate invite attempt for an email address that already carries a pending invite within the same organization, the API returns the existing in...

The Vault · 2026-04-25 16:54:07 · GitHub Issues

11. H-004: Critical Authorization Gap Exposes Core API Endpoints to Unrestricted Access

A critical vulnerability has been identified in the platform's API layer, allowing unauthenticated or unauthorized users to read and modify sensitive resources across multiple endpoint categories. The flaw, catalogued as H-004, affects at least eight separate route groups including notes, agent-groups, features, chatro...

The Lab · 2026-04-26 21:54:09 · GitHub Issues

12. Apache Superset API Access Control Gap Raises Data Exposure Risk, Researchers Warn

Security researchers have identified a broken access control vulnerability in Apache Superset, the widely deployed open-source business intelligence platform. The flaw, classified under OWASP A01:2021, stems from API endpoints missing required @has_access permission decorators, potentially allowing unauthorized users t...

The Lab · 2026-04-28 23:54:12 · GitHub Issues

13. Critical CSRF Gap Exposes API Mutation Endpoints to Forced-Action Attacks

A security disclosure flags multiple state-mutating REST API endpoints under `/api/v1/` for lacking Cross-Site Request Forgery (CSRF) protection when default configurations are in use. The vulnerability, classified as high severity, affects dashboard save, chart update, and dataset delete operations—core administrative...
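For cookie-authenticated REST routes like the ones described above, the practical CSRF defence is to reject any state-mutating request whose `Origin` (or, failing that, `Referer`) is not one of the app's own origins, and additionally to require a custom header that a cross-site form cannot set. The following is an added example, not the disclosed project's code; the trusted origin, the header name and the dataset-delete handler are assumptions.

```javascript
// Added example, not the disclosed project's code: a CSRF gate for
// cookie-authenticated, state-mutating /api/v1/ routes.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
// Assumption: the origins the app itself is served from.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);
// A header a cross-site <form> cannot add; a script would need a CORS
// preflight, which the server never approves for foreign origins.
const CUSTOM_HEADER = 'x-requested-with';

function requestOrigin(headers) {
  // Browsers set Origin on cross-origin requests and on every POST; fall
  // back to the Referer's origin, and report null if neither is present.
  if (headers['origin']) return headers['origin'];
  if (!headers['referer']) return null;
  try { return new URL(headers['referer']).origin; } catch { return null; }
}

// Returns { ok: true } or { ok: false, status, reason }.
function csrfCheck(req) {
  if (SAFE_METHODS.has(req.method)) return { ok: true };
  const origin = requestOrigin(req.headers);
  if (origin === null) return { ok: false, status: 403, reason: 'no Origin or Referer on mutating request' };
  // 'null' (sandboxed iframe, data: URL) arrives as a string and fails the lookup.
  if (!TRUSTED_ORIGINS.has(origin)) return { ok: false, status: 403, reason: `untrusted origin ${origin}` };
  if (!req.headers[CUSTOM_HEADER]) return { ok: false, status: 403, reason: `missing ${CUSTOM_HEADER} header` };
  return { ok: true };
}

// Wrap a mutating handler so the check runs before any state change.
function protect(handler) {
  return (req) => {
    const verdict = csrfCheck(req);
    if (!verdict.ok) return { status: verdict.status, body: { error: verdict.reason } };
    return handler(req);
  };
}

// Constructed handler standing in for "dataset delete".
const datasets = new Set(['sales', 'hr']);
const deleteDataset = protect((req) => {
  datasets.delete(req.params.name);
  return { status: 200, body: { deleted: req.params.name } };
});

// Forged request: the victim's browser, driven by a page on attacker.example,
// submits a form. The session cookie rides along, but Origin gives it away.
const forged = {
  method: 'POST', params: { name: 'hr' },
  headers: { cookie: 'session=abc', origin: 'https://attacker.example', 'content-type': 'application/x-www-form-urlencoded' },
};
// Legitimate request from the app's own frontend via fetch().
const legit = {
  method: 'POST', params: { name: 'hr' },
  headers: { cookie: 'session=abc', origin: 'https://app.example.com', 'x-requested-with': 'XMLHttpRequest' },
};

console.log(deleteDataset(forged).status, datasets.has('hr')); // 403 true
console.log(deleteDataset(legit).status, datasets.has('hr'));  // 200 false
```

The Origin check is the primary control; the custom-header requirement covers clients and proxies that strip `Origin` and `Referer`, at the cost of rejecting them rather than letting them through unverified. Synchronizer tokens remain the right choice where the API is also driven by server-rendered forms.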

The Lab · 2026-05-02 07:54:07 · GitHub Issues

14. Unverified Google Calendar Webhook Allows Forced Sync Injection in Cal.com Platform

A critical security gap has been identified in the Cal.com platform's Google Calendar webhook endpoint, potentially exposing users to unauthorized calendar manipulation. The vulnerability, classified as HIGH severity, exists in the `/api/webhook/google-calendar` route, where incoming webhook requests bypass essential s...
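Google Calendar push notifications carry `X-Goog-Channel-ID`, `X-Goog-Channel-Token`, `X-Goog-Resource-ID` and `X-Goog-Resource-State` headers, and the token is whatever value the application supplied when it created the watch channel, so a caller who never registered a channel cannot produce it. The following is an added example, not Cal.com's code, of checking those headers against a registry of channels the app created before any sync is triggered; the registry shape, the sample token and the user ids are constructed.

```javascript
// Added example, not Cal.com's code: authenticate Google Calendar push
// notifications before they can trigger a sync.

// Assumption: a registry of watch channels the app created, keyed by channel
// id. Constructed sample entry; the token would be random in practice.
const channelRegistry = new Map([
  ['chan-7f3a', {
    token: 'k9QZ2vT0bPq4s8N1xL6wRd',
    resourceId: 'res-abc123',
    userId: 42,
    expiration: Date.parse('2026-06-01T00:00:00Z'),
  }],
]);

// Constant-time comparison: no early exit on the first differing character.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Header names as Node lower-cases them.
function verifyGoogleNotification(headers, now = Date.now()) {
  const channelId = headers['x-goog-channel-id'];
  const token = headers['x-goog-channel-token'];
  const resourceId = headers['x-goog-resource-id'];
  const state = headers['x-goog-resource-state'];
  if (!channelId || !token || !resourceId || !state) return { ok: false, reason: 'missing X-Goog-* headers' };
  const channel = channelRegistry.get(channelId);
  if (!channel) return { ok: false, reason: 'unknown channel' };
  if (!safeEqual(token, channel.token)) return { ok: false, reason: 'channel token mismatch' };
  if (resourceId !== channel.resourceId) return { ok: false, reason: 'resource id mismatch' };
  if (now > channel.expiration) return { ok: false, reason: 'channel expired' };
  return { ok: true, userId: channel.userId, state };
}

// The route: the user to re-sync comes from the registry, never from the
// request, and the initial 'sync' message is acknowledged without work.
function handleGoogleWebhook(headers, syncQueue, now = Date.now()) {
  const verdict = verifyGoogleNotification(headers, now);
  if (!verdict.ok) return { status: 403, body: { error: verdict.reason } };
  if (verdict.state !== 'sync') syncQueue.push({ userId: verdict.userId, state: verdict.state });
  return { status: 200, body: { ok: true } };
}

// Constructed notifications: one forged with a guessed channel id, one genuine.
const forgedHeaders = {
  'x-goog-channel-id': 'chan-7f3a', 'x-goog-channel-token': 'guess',
  'x-goog-resource-id': 'res-abc123', 'x-goog-resource-state': 'exists',
};
const genuineHeaders = { ...forgedHeaders, 'x-goog-channel-token': 'k9QZ2vT0bPq4s8N1xL6wRd' };
const queue = [];
const clock = Date.parse('2026-05-02T08:00:00Z');
console.log(handleGoogleWebhook(forgedHeaders, queue, clock).status, queue.length);  // 403 0
console.log(handleGoogleWebhook(genuineHeaders, queue, clock).status, queue.length); // 200 1
```

Two details matter beyond the token check. The notification body is empty and the headers name only a channel, so the sync target must be looked up server-side rather than taken from anything the caller controls; and expired channels should be rejected even if the token still matches, since the app will have stopped maintaining them.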

The Lab · 2026-05-02 07:54:08 · GitHub Issues

15. Critical Authentication Bypass in miconsu.app Booking API Allows Unauthorized Calendar Access

A critical security flaw has been identified in the `/api/booking/create` endpoint of miconsu.app, leaving the booking system entirely unprotected. Security researchers note the endpoint lacks any session verification, allowing anonymous users to submit booking requests without authentication. The vulnerability permits...

The Vault · 2026-05-02 17:54:08 · GitHub Issues

16. Authorization Bypass Vulnerability Exposes Property Management Endpoints in Casazen API

A critical security misconfiguration has rendered all core property management endpoints inoperative while simultaneously exposing the system to unauthorized access. Developers on the Casazen platform discovered that authorization checks have been disabled across six distinct API routes handling property creation, upda...
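Items 11, 12, 15 and 16 above are the same failure in four code bases: a route exists, and nothing between the router and the handler checks who is calling. The durable fix is a route table that fails closed, so a route with no declared policy is refused at runtime and listed by an audit, rather than served to everyone. The following is an added example, not the code of any of those projects; the policy names, session shape and route paths are assumptions.

```javascript
// Added example, not the code of any project above: a route table that
// fails closed. Every route carries an explicit authorization policy, the
// dispatcher refuses routes without one, and an audit lists them.

// Policies receive the session (null for anonymous callers) and return a boolean.
const policy = {
  public: () => true,
  authenticated: (session) => Boolean(session && session.userId),
  // Assumption: sessions carry a flat permission list such as 'property:write'.
  permission: (needed) => (session) =>
    Boolean(session && Array.isArray(session.permissions) && session.permissions.includes(needed)),
};

function createApi() {
  const routes = new Map(); // 'METHOD /path' -> { policy, handler }
  return {
    // policy is optional on purpose, mirroring frameworks where the decorator
    // is easy to forget; the dispatcher and audit below make that harmless.
    add(method, path, handler, routePolicy) {
      routes.set(`${method} ${path}`, { policy: routePolicy, handler });
    },
    handle(req) {
      const route = routes.get(`${req.method} ${req.path}`);
      if (!route) return { status: 404, body: { error: 'not found' } };
      if (typeof route.policy !== 'function') {
        // Fail closed: a route nobody classified is not served to anyone.
        return { status: 403, body: { error: 'route has no authorization policy' } };
      }
      if (!route.policy(req.session)) {
        return { status: req.session ? 403 : 401, body: { error: 'forbidden' } };
      }
      return route.handler(req);
    },
    // Run at startup or in CI; a non-empty result should fail the build.
    unguardedRoutes() {
      return [...routes].filter(([, r]) => typeof r.policy !== 'function').map(([key]) => key);
    },
  };
}

// Constructed routes in the shape of the reports above.
function buildApi() {
  const api = createApi();
  api.add('GET', '/api/health', () => ({ status: 200, body: { ok: true } }), policy.public);
  api.add('POST', '/api/booking/create', (req) => ({ status: 201, body: { bookedBy: req.session.userId } }), policy.authenticated);
  api.add('PUT', '/api/properties', (req) => ({ status: 200, body: { updatedBy: req.session.userId } }), policy.permission('property:write'));
  api.add('GET', '/api/notes', () => ({ status: 200, body: { notes: ['private'] } })); // policy forgotten
  return api;
}

const api = buildApi();
const anon = { method: 'POST', path: '/api/booking/create', session: null };
const member = { method: 'PUT', path: '/api/properties', session: { userId: 9, permissions: ['property:read'] } };
console.log(api.unguardedRoutes());     // [ 'GET /api/notes' ]
console.log(api.handle(anon).status);   // 401
console.log(api.handle(member).status); // 403
console.log(api.handle({ ...member, method: 'GET', path: '/api/notes' }).status); // 403, fail closed
```

The two halves reinforce each other: the audit catches a missing policy before deploy, and the dispatcher makes sure that if one does slip through (a hot-patched route, a disabled check as in the Casazen case) the result is a visible 403 rather than silent exposure.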

The Vault · 2026-05-04 16:54:07 · GitHub Issues

17. Critical Credential Exposure Found in Admin Dashboard API Endpoint

A critical security vulnerability in the `/api/admin/dashboard` endpoint was discovered exposing sensitive credentials, including a Stripe API key and complete database login information with passwords, directly in JSON responses. The flaw, classified as sensitive data exposure, affected the file `src/routes/admin.js` ...
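Items 10 and 17 above are both cases of a response body built from whatever the server had in hand (an ORM row, a config object) rather than from what the client is entitled to see. The check a practitioner wants is an allowlist per view, applied on the error path as well as the success path. The following is an added example, not the code of either project; the field names, the view names and the sample records are constructed.

```javascript
// Added example, not the code of either project above: route every response
// body through a per-view allowlist of field paths, so the duplicate-invite
// error cannot echo the existing invite's id and the admin dashboard cannot
// echo the Stripe key or database password.

// Each view lists the dotted paths a client may see. Anything not listed
// never leaves the process, whatever the underlying record contains.
const VIEWS = {
  inviteConflict: ['email', 'status'],
  adminDashboard: ['metrics.activeUsers', 'metrics.revenueLast30dCents', 'stripe.mode', 'db.host'],
};

function getPath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

function setPath(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (const key of keys.slice(0, -1)) cur = cur[key] ?? (cur[key] = {});
  cur[keys[keys.length - 1]] = value;
}

// Build the response body from the allowlist, not from the record.
function render(view, record) {
  const out = {};
  for (const path of VIEWS[view]) {
    const value = getPath(record, path);
    if (value !== undefined) setPath(out, path, value);
  }
  return out;
}

// Constructed records standing in for the ORM row and the server config.
const existingInvite = { id: '3fa85f64-5717-4562-b3fc-2c963f66afa6', email: 'new.hire@example.com', status: 'pending', orgId: 17, invitedBy: 3 };
const adminContext = {
  metrics: { activeUsers: 1200, revenueLast30dCents: 4820000 },
  stripe: { mode: 'live', secretKey: 'sk_live_CONSTRUCTED_PLACEHOLDER' },
  db: { host: 'db.internal', user: 'app', password: 'CONSTRUCTED_PASSWORD' },
};

// POST /invites when a pending invite already exists: say so, nothing more.
function duplicateInviteResponse(existing) {
  return { status: 409, body: { error: 'an invite for this email is already pending', invite: render('inviteConflict', existing) } };
}

// GET /api/admin/dashboard: metrics and non-secret config only.
function adminDashboardResponse(ctx) {
  return { status: 200, body: render('adminDashboard', ctx) };
}

// Guard for tests and CI: neither view may carry a key from this deny list.
const NEVER_IN_RESPONSES = new Set(['secretKey', 'password', 'id']);
function leakedKeys(value, found = []) {
  if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (NEVER_IN_RESPONSES.has(k)) found.push(k);
      leakedKeys(v, found);
    }
  }
  return found;
}

console.log(JSON.stringify(duplicateInviteResponse(existingInvite).body));
// {"error":"an invite for this email is already pending","invite":{"email":"new.hire@example.com","status":"pending"}}
console.log(leakedKeys(adminDashboardResponse(adminContext).body)); // []
```

The allowlist is the control; `leakedKeys` is the regression test that catches someone adding `stripe.secretKey` to a view "temporarily". Note that the 409 still confirms an invite exists for that email, which is acceptable here because the caller supplied the email, but a view must be reconsidered whenever the caller's trust level changes.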

The Lab · 2026-05-10 12:01:47 · GitHub Issues

18. Mass Assignment Vulnerability in ExpenseTracker createExpense Endpoint Enables Cross-User Data Manipulation

A medium-severity mass assignment vulnerability has been identified in the ExpenseTracker application, exposing a critical flaw in how user input is processed during expense creation. The vulnerability allows attackers to manipulate sensitive fields that should remain server-controlled, potentially enabling cross-user ...
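The mass-assignment shape described above is usually one line: the request body spread or copied into the new record, so any key the client sends, including ownership and status fields, becomes a column. The following is an added example, not ExpenseTracker's code, that places that vulnerable form beside a version binding only an explicit allowlist of client fields and taking ownership from the session; the field names and validators are assumptions.

```javascript
// Added example, not ExpenseTracker's code: a mass-assignable createExpense
// next to a version that binds an allowlist and owns the sensitive fields.

const expenses = []; // constructed in-memory store
let nextId = 1;

// Vulnerable: the request body is spread straight into the record. Any key
// the client sends (userId, id, approved, ...) becomes a column, and because
// the spread comes last it overrides the server's own values.
function createExpenseVulnerable(req) {
  const expense = { id: nextId++, userId: req.session.userId, approved: false, ...req.body };
  expenses.push(expense);
  return { status: 201, body: expense };
}

// Fixed: declare exactly what the client may set, and validate each field.
const CLIENT_FIELDS = {
  amountCents: (v) => Number.isInteger(v) && v > 0,
  description: (v) => typeof v === 'string' && v.length > 0 && v.length <= 200,
  category: (v) => ['travel', 'meals', 'equipment', 'other'].includes(v),
  date: (v) => typeof v === 'string' && /^\d{4}-\d{2}-\d{2}$/.test(v),
};

function bindClientFields(body) {
  const errors = [];
  const value = {};
  for (const key of Object.keys(body)) {
    // Unknown keys are rejected, not silently dropped: tampering or a typo,
    // either way the client should learn about it.
    if (!Object.prototype.hasOwnProperty.call(CLIENT_FIELDS, key)) errors.push(`unknown field: ${key}`);
  }
  for (const [key, valid] of Object.entries(CLIENT_FIELDS)) {
    if (!valid(body[key])) errors.push(`invalid or missing field: ${key}`);
    else value[key] = body[key];
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

function createExpenseSecure(req) {
  const bound = bindClientFields(req.body ?? {});
  if (!bound.ok) return { status: 400, body: { errors: bound.errors } };
  // Server-controlled fields come from the session and the clock, never the body;
  // bound.value can only contain allowlisted keys, so the spread cannot override them.
  const expense = { id: nextId++, userId: req.session.userId, approved: false, createdAt: new Date().toISOString(), ...bound.value };
  expenses.push(expense);
  return { status: 201, body: expense };
}

// Constructed attack: user 2 tries to file a pre-approved expense against user 1.
const hostile = {
  session: { userId: 2 },
  body: { amountCents: 50000, description: 'Conference', category: 'travel', date: '2026-05-09', userId: 1, approved: true, id: 9999 },
};
console.log(createExpenseVulnerable(hostile).body); // userId: 1, approved: true, id: 9999
console.log(createExpenseSecure(hostile).body);     // { errors: [ 'unknown field: userId', 'unknown field: approved', 'unknown field: id' ] }
const clean = { session: { userId: 2 }, body: { amountCents: 50000, description: 'Conference', category: 'travel', date: '2026-05-09' } };
console.log(createExpenseSecure(clean).body.userId); // 2
```

ORMs that accept a plain object in `create()` or `update()` have the same property as the spread, so the allowlist belongs at the boundary where the body is parsed, before any model call sees it.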

The Lab · 2026-05-10 20:31:40 · GitHub Issues

19. CVE-2026-7500: Security Patch Closes Improper Access Control Gap on Account API Endpoints

A critical access control vulnerability has been patched in the Account API framework, addressing a scenario where protected endpoints remained reachable even after explicitly disabling the ACCOUNT_API feature flag. The flaw, catalogued as CVE-2026-7500, created a pathway for unauthorized access to account data through...
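One common way a disabled feature flag leaves its endpoints reachable is that the flag is consulted once, when the router is assembled, and never again; the gate has to run on every request. The following is an added example, not the patched framework's code, showing that failure mode beside a per-request gate and an audit that confirms every route under the flagged prefix is wrapped. The flag store, the `/api/account` route and the `ACCOUNT_API` semantics are assumptions, and this is one plausible cause rather than the one CVE-2026-7500 describes.

```javascript
// Added example, not the patched framework's code: a feature flag read at
// boot next to a gate that consults the live flag on every request.

// Assumption: a mutable flag store, as backed by a config file or a
// remote flag service in practice.
const flags = new Map([['ACCOUNT_API', true]]);
const isEnabled = (name) => flags.get(name) === true;

const accountHandler = (req) => ({ status: 200, body: { accountId: req.accountId, balanceCents: 120000 } });

function notFound() { return { status: 404, body: { error: 'not found' } }; }

// Pattern that goes wrong: the flag is read once, when the router is
// built. Flipping ACCOUNT_API off afterwards changes nothing, because the
// route is already registered and nothing re-checks.
function buildRouterBootTimeFlag() {
  const routes = new Map();
  if (isEnabled('ACCOUNT_API')) routes.set('GET /api/account', accountHandler);
  return {
    handle(req) { const h = routes.get(`${req.method} ${req.path}`); return h ? h(req) : notFound(); },
    routes,
  };
}

// Fix: register the route unconditionally but wrap it in a gate that reads
// the live flag per request, answering as if the route did not exist.
function featureGate(flagName, handler) {
  const gated = (req) => (isEnabled(flagName) ? handler(req) : notFound());
  gated.flag = flagName; // lets an audit see which flag guards the route
  return gated;
}

function buildRouterRequestTimeFlag() {
  const routes = new Map();
  routes.set('GET /api/account', featureGate('ACCOUNT_API', accountHandler));
  routes.set('GET /api/health', () => ({ status: 200, body: { ok: true } }));
  return {
    handle(req) { const h = routes.get(`${req.method} ${req.path}`); return h ? h(req) : notFound(); },
    routes,
  };
}

// Audit: every route under a flagged prefix must be wrapped in that flag's gate.
function routesNotGated(router, prefix, flagName) {
  return [...router.routes].filter(([key, h]) => key.includes(prefix) && h.flag !== flagName).map(([key]) => key);
}

// Scenario: both routers are built while the flag is on, then it is turned off.
function demonstrate() {
  flags.set('ACCOUNT_API', true);
  const boot = buildRouterBootTimeFlag();
  const live = buildRouterRequestTimeFlag();
  flags.set('ACCOUNT_API', false);
  const req = { method: 'GET', path: '/api/account', accountId: 7 };
  const result = { bootTime: boot.handle(req).status, requestTime: live.handle(req).status };
  flags.set('ACCOUNT_API', true);
  return result;
}

console.log(demonstrate()); // { bootTime: 200, requestTime: 404 }
console.log(routesNotGated(buildRouterBootTimeFlag(), '/api/account', 'ACCOUNT_API')); // [ 'GET /api/account' ]
```

Answering 404 rather than 403 when the flag is off keeps the disabled surface indistinguishable from an absent one, and a test that flips the flag after startup, as `demonstrate()` does, is the regression check that distinguishes the two patterns.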

The Vault · 2026-05-13 03:18:24 · The Register

20. Google Cloud API Keys Compromised: Customers Hit With Tens of Thousands in Unauthorized AI Workload Bills

A growing number of Google Cloud customers are fighting for refunds after discovering their API keys were compromised and exploited to run costly artificial intelligence inference workloads, leaving them responsible for bills totaling tens of thousands of dollars. The exposed keys were allegedly used within minutes to ...