Server-Side Request Forgery (SSRF)

httparty is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper validation of user-supplied URLs, which allows an attacker to force the application to send unauthorized requests to internal servers and potentially leak sensitive information such as API keys...

CVE-2026-22251

The CVE-2026-22251 entry concerns the wlc Weblate command-line client. Before version 1.17.0, wlc allowed unscoped API keys to be stored in settings, a practice that could enable an API key to be leaked to different servers. Public advisories from Debian/Ubuntu/OSV reflect this issue and referenc...

CVE-2026-22251 wlc may leak API keys due to an insecure API key configuration

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers...

CVE-2026-22198

GestSup prior to 3.2.60 (with sources also citing up to 3.2.56 in ENISA EUVD) contains a pre-authentication stored XSS in the API error logging. An unauthenticated attacker can craft the X-API-KEY header (e.g., to /api/v1/ticket.php) to inject HTML/JavaScript into log entries; when an administrat...

CVE-2023-4209

The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks...

CVE-2021-27228

An issue was discovered in Shinobi through ocean version 1. lib/auth.js has Incorrect Access Control. Valid API Keys are held in an internal JS Object. Therefore an attacker can use JS Proto Method names such as constructor or hasOwnProperty to convince the System that the supplied API Key exists...

CVE-2021-31821

When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image...

CVE-2021-22148

Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines...

CVE-2022-0131

Jimoty App for Android versions prior to 3.7.42 uses a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing data in the app...

CVE-2022-35734

'Hulu / フールー' App for Android from version 3.0.47 to the version prior to 3.1.2 uses a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing data in the app...

CVE-2019-18933

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication e.g., GitHub or Google SSO in an organization that also allows password authentication could have their personal API key stolen by an...

CVE-2019-11231

An issue was discovered in GetSimple CMS through 3.3.15. insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content PHP code, for example. This vulnerability is triggered by an authenticated user; however, authentication can be bypassed. According to th...

CVE-2023-4509

It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt...

CVE-2023-4021

The Modern Events Calendar lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Google API key and Calendar ID in versions up to, but not including, 7.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2021-41191

Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. A security risk in versions 1.0.1 and prior allowed people who have someone's API URL to get product files without an API key. This issue is fixed in version 1.0.2. As a workaround, add @requireapikey in BOT/lib/cogs/website.p...

CVE-2025-14980

The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API...

CVE-2025-14980

The CVE-2025-14980 entry concerns BetterDocs – Knowledge Base Documentation & FAQ Solution for Elementor & Block Editor for WordPress. Affected versions: all up to and including 4.3.3. Vulnerability type: Authenticated Sensitive Information Exposure via scripts() function, enabling an attacker wi...

PT-2026-1762

Name of the Vulnerable Software and Affected Versions BetterDocs versions prior to 4.3.4 Description The BetterDocs plugin for WordPress is susceptible to sensitive information exposure through the scripts function. Authenticated attackers with contributor-level access or higher can potentially...

Exploit for CVE-2024-0368

CVE-2024-0368 Hustle Plugin = 7.8.3 contains hardcoded Hub...

CVE-2025-1285

The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the deleteapikey and saveapikey AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to...