Rest-Api

A user with permissions to modify GitRepository records can manipulate the `current_head` field via the REST API in Nautobot, leading to repository state desynchronization or unavailability; this is remediated in versions 2.4.33 and 3.1.2.

MantisBT is vulnerable to a missing authorization check in its file visibility function, allowing authenticated users with REPORTER or higher access to download attachments on private bugnotes they should not be able to access through the REST API and SOAP API, affecting versions 2.23.0 to 2.28.1.

WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints, allowing authenticated board members to perform administrative actions without proper privilege verification, potentially leading to unauthorized data access and modification.

A missing authentication vulnerability (CVE-2026-7042) exists in 666ghj MiroFish up to version 0.1.2, allowing remote attackers to bypass authentication via manipulation of the REST API Endpoint's create_app function.