1828 matches found

Cvelist
added 2025/04/02 2:59 p.m. · 14 views

CVE-2025-31727

Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

EPSS 0.00099 · Exploits 0 · References 1

Cvelist
added 2025/04/02 2:59 p.m. · 16 views

CVE-2025-31726

Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

EPSS 0.00099 · Exploits 0 · References 1

Positive Technologies
added 2025/04/02 12:00 a.m. · 2 views

PT-2025-14518 · Jenkins · Jenkins Asakusasatellite Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins AsakusaSatellite Plugin versions 0.1.1 and earlier Description: The issue concerns the exposure of AsakusaSatellite API keys on the job configuration form, which could allow attackers to observe and capture them. Recommendations: For...

CVSS 6.5 · AI score 5.9 · EPSS 0.00072 · Exploits 0 · References 10

Citrix
added 2025/04/01 12:00 a.m. · 6 views

Cannot create hosting connection for AWS "Failed to connect the AWS EC2 endpoint URL"

On entering API key and Secret key with Role Based Authentication for AWS get the following error: Transaction ID:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Action Name: HostingEditHypervisorConnection Exception: StudioErrorId : ConnectionValidationFailure Reason : ManagedMachineGeneralException Exception :...

AI score 7.2 · Exploits 0

RedhatCVE
added 2025/03/30 3:29 a.m. · 16 views

CVE-2025-2894

The Go1 also known as "The World's First Intelligence Bionic Quadruped Robot Companion of Consumer Level," contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the...

CVSS 6.6 · AI score 7.4 · EPSS 0.00212 · Exploits 2 · References 7

Exploit DB
added 2025/03/29 12:00 a.m. · 264 views

Solstice Pod 6.2 - API Session Key Extraction via API Endpoint

Exploit Title: Solstice Pod API Session Key Extraction via API Endpoint Google Dork: N/A Date: 1/17/2025 Exploit Author: The Baldwin School Ethical Hackers Vendor Homepage: https://www.mersive.com/ Software Link: https://documentation.mersive.com/en/solstice/about-solstice.html Versions: 5.5, 6.2...

AI score 7.4 · Exploits 0

NVD
added 2025/03/28 3:15 a.m. · 15 views

CVE-2025-2894

The Go1 also known as "The World's First Intelligence Bionic Quadruped Robot Companion of Consumer Level," contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the...

CVSS 6.6 · EPSS 0.00212 · Exploits 2 · References 5

Cvelist
added 2025/03/28 2:51 a.m. · 11 views

CVE-2025-2894 Unitree Go1 Robot Dog Backdoor Control Channel

The Go1 also known as "The World's First Intelligence Bionic Quadruped Robot Companion of Consumer Level," contains an undocumented backdoor that can enable the manufacturer, and anyone in possession of the correct API key, complete remote control over the affected robotic device using the...

CVSS 6.6 · EPSS 0.00212 · Exploits 2 · References 5

CVE
added 2025/03/28 2:51 a.m. · 138 views

CVE-2025-2894

Concrete details exist for CVE-2025-2894 in connected docs: Unitree Go1 family robots (Go2, G1, H1, B2) expose a BLE Wi‑Fi configuration interface with a hardcoded AES-CFB128 key and IV, enabling an authentication bypass (

CVSS 6.6 · AI score 7.1 · EPSS 0.00212 · Exploits 2 · References 5 · Affected Software 1

Veracode
added 2025/03/26 12:38 a.m. · 10 views

Improper API Key Masking

LiteLLM is vulnerable to improper API key masking. The vulnerability is due to insufficient key redaction in the file litellmlogging.py, allowing an attacker to extract most of the API key and potentially gain unauthorized access to related systems or services...

CVSS 7.5 · AI score 7.2 · EPSS 0.00209 · Exploits 1 · References 4 · Affected Software 1

Veracode
added 2025/03/26 12:37 a.m. · 7 views

Improper Authorization

litellm is vulnerable to Improper authorization. The vulnerability is due to improper RBAC implementation, where 'internaluserviewer' users receive an overly privileged API key, allowing privilege escalation to PROXY ADMIN and unauthorized access to admin functionalities...

CVSS 8.1 · AI score 7.3 · EPSS 0.00274 · Exploits 0 · References 4 · Affected Software 1

RedhatCVE
added 2025/03/22 12:51 p.m. · 6 views

CVE-2024-11037

A path traversal vulnerability exists in binary-husky/gptacademic at commit 679352d, which allows an attacker to bypass the blockedpaths protection and read the config.py file containing sensitive information such as the OpenAI API key. This vulnerability is exploitable on Windows operating syste...

CVSS 6.5 · AI score 6.5 · EPSS 0.00157 · Exploits 1 · References 1

RedhatCVE
added 2025/03/22 12:41 p.m. · 8 views

CVE-2025-0628

An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internaluserviewer' logs into the application, they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the applicatio...

CVSS 8.1 · AI score 7 · EPSS 0.00274 · Exploits 0 · References 1

RedhatCVE
added 2025/03/22 12:13 p.m. · 7 views

CVE-2024-10109

A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables them to modify the model's API key and base path, leading to potential API key leakage and denial of...

CVSS 8.3 · AI score 6.8 · EPSS 0.00147 · Exploits 1 · References 1

RedhatCVE
added 2025/03/22 11:55 a.m. · 9 views

CVE-2024-9606

In berriai/litellm before version 1.44.12, the litellm/litellmcoreutils/litellmlogging.py file contains a vulnerability where the API key masking code only masks the first 5 characters of the key. This results in the leakage of almost the entire API key in the logs, exposing a significant amount ...

CVSS 7.5 · AI score 7 · EPSS 0.00209 · Exploits 1 · References 1

RedhatCVE
added 2025/03/22 11:16 a.m. · 4 views

CVE-2024-8954

In composiohq/composio version 0.5.10, the API does not validate the x-api-key header's value during the authentication step. This vulnerability allows an attacker to bypass authentication by providing any random value in the x-api-key header, thereby gaining unauthorized access to the server...

CVSS 9.8 · AI score 7.1 · EPSS 0.00257 · Exploits 1 · References 1

RedhatCVE
added 2025/03/21 4:25 p.m. · 9 views

CVE-2025-30197

Jenkins Zoho QEngine Plugin 1.0.29.vfacc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it...

CVSS 3.1 · AI score 7.1 · EPSS 0.00092 · Exploits 0 · References 1

Tenable Nessus
added 2025/03/21 12:00 a.m. · 13 views

Security Updates for SimpleHelp < 5.5.8

The version of SimpleHelp running on the remote web server is prior to 5.3.9, or 5.4.x prior to 5.4.10 or 5.5.x prior to 5.5.8. It is, therefore, affected by multiple vulnerabilities: - Allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to...

CVSS 9.9 · AI score 7.8 · EPSS 0.94049 · Exploits 2 · References 4

OSV
added 2025/03/20 12:32 p.m. · 5 views

GHSA-FJCF-3J3R-78RP LiteLLM Has an Improper Authorization Vulnerability

An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internaluserviewer' logs into the application, they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the applicatio...

CVSS 8.1 · AI score 7.3 · EPSS 0.00274 · Exploits 0 · References 4

Github Security Blog
added 2025/03/20 12:32 p.m. · 9 views

LiteLLM Has an Improper Authorization Vulnerability

An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internaluserviewer' logs into the application, they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the applicatio...

CVSS 8.1 · AI score 7 · EPSS 0.00274 · Exploits 0 · References 4 · Affected Software 1