GenieACS has an unauthenticated access vulnerability via the NBI API endpoint

Description

In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint.

Recommendation

No fix is available yet. Followings are affected versions:

• = 1.2.13

References

• GHSA-2h6j-mhcp-9j9h
• CVE-2025-56015
• CWE-284
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
• node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization - CVE-2025-12816
• Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass - CVE-2026-45577
• Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115

You might also like:

Exploiting Server Version Disclosure

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

genieacs