API Platform - 17 CVEs (Page 1/1)

About “API Platform”

A curated feed of “API Platform”-related CVEs appears below. We currently track 17 CVEs for this tag (all time). In the last 365 days, 6 were published. Average CVSS is 6.8 (all time; 7.5 over 365d), and 47% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-863 - Incorrect Authorization, CWE-269 - Improper Privilege Management, CWE-178 - Improper Handling of Case Sensitivity.

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: api-platform

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	Premier Support	EOL
4.3	2026-03-13	4.3.7	Unavailable	-
4.2	2025-09-18	4.2.24	2026-03-13	-
4.1	2025-02-28	4.1.28	2025-09-18	2026-03-13 Expired
4.0	2024-09-18	4.0.22	2025-02-28	2025-09-18 Expired
3.4	2024-09-18	3.4.17	2024-09-18	2025-02-28 Expired
3.3	2024-04-29	3.3.15	2024-09-18	2025-02-28 Expired
3.2	2023-10-12	3.2.26	2024-04-29	2024-09-18 Expired
3.1	2023-01-23	3.1.29	2023-10-12	2024-04-29 Expired
3.0	2022-09-15	3.0.12	2023-01-23	2023-10-12 Expired
2.7	2022-09-15	2.7.18	2023-01-27	2023-01-27 Expired
2.6	2021-01-22	2.6.8	2022-09-15	2022-09-15 Expired
2.5	2019-09-30	2.5.10	2021-01-22	2022-09-15 Expired
2.4	2019-03-22	2.4.7	2019-09-30	2021-01-22 Expired
2.3	2018-07-06	2.3.6	2019-03-22	2019-09-30 Expired
2.2	2018-02-16	2.2.10	2018-07-06	2019-03-22 Expired
2.1	2017-09-08	2.1.6	2018-02-16	2018-07-06 Expired
2.0	2016-11-24	2.0.11	2017-09-08	2018-02-16 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “API Platform” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2026-05-29

High

CVE-2026-9808

An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or…

CVSS: 7.1 CWE: CWE-863 - Incorrect Authorization View on NVD

2026-04-14

High

CVE-2026-40291

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenti…

CVSS: 8.8 CWE: CWE-269 - Improper Privilege Management View on NVD

2025-12-11

High

CVE-2025-67718

Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access…

CVSS: 8.7 CWE: CWE-178 - Improper Handling of Case Sensitivity View on NVD

2025-12-05

High

CVE-2025-13426

A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a…

CVSS: 8.7 CWE: CWE-913 - Improper Control of Dynamically-Managed Code Resources View on NVD

2025-07-09

Medium

CVE-2025-53674

Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture…

CVSS: 5.3 CWE: CWE-256 - Plaintext Storage of a Password View on NVD

Medium

CVE-2025-53673

Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by user…

CVSS: 6.5 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD

2025-04-08

Medium

CVE-2025-3411

A vulnerability, which was classified as critical, has been found in mymagicpower AIAS 20250308. This issue affects some unknown processing of the file 3_api_platform/api-platform/src/main/java/top/a…

CVSS: 6.3 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD

2025-04-03

High

CVE-2025-31485

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\Grap…

CVSS: 7.5 CWE: CWE-696 - Incorrect Behavior Order View on NVD

High

CVE-2025-31481

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed…

CVSS: 7.5 CWE: CWE-863 - Incorrect Authorization View on NVD

Medium

CVE-2023-47639

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, exception messages, that are not HTTP exceptions, are visible in the JSON error response. This…

CVSS: 5.3 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD

2025-03-24

Medium

CVE-2025-23204

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one…

CVSS: 4.4 CWE: CWE-20 - Improper Input Validation View on NVD

2024-07-30

Low

CVE-2024-5250

In versions of Akana API Platform prior to 2024.1.0 overly verbose errors can be found in SAML integrations

CVSS: 3.5 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD

Medium

CVE-2024-5249

In versions of Akana API Platform prior to 2024.1.0, SAML tokens can be replayed.

CVSS: 5.4 CWE: CWE-294 - Authentication Bypass by Capture-replay View on NVD

Medium

CVE-2024-3930

In versions of Akana API Platform prior to 2024.1.0 a flaw resulting in XML External Entity (XXE) was discovered.

CVSS: 6.3 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD

2024-04-18

Critical

CVE-2024-2796

A server-side request forgery (SSRF) was discovered in the Akana API Platform in versions prior to and including 2022.1.3. Reported by Jakob Antonsson.

CVSS: 9.3 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD

2023-02-28

High

CVE-2023-25575

API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can…

CVSS: 7.7 CWE: CWE-842 - Placement of User into Incorrect Group View on NVD

2019-02-04

Medium

CVE-2019-1000011

API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resour…

CVSS: 6.5 CWE: N/A View on NVD