1836 matches found

Cvelist
added 2025/03/20 10:10 a.m., 9 views

CVE-2024-8954 Authentication Bypass in composiohq/composio

In composiohq/composio version 0.5.10, the API does not validate the x-api-key header's value during the authentication step. This vulnerability allows an attacker to bypass authentication by providing any random value in the x-api-key header, thereby gaining unauthorized access to the server...

CVSS 9.8, EPSS 0.00257
Exploits 1, References 1
Vulnrichment
added 2025/03/20 10:09 a.m., 3 views

CVE-2024-10109 Incorrect Authorization in mintplex-labs/anything-llm

A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables them to modify the model's API key and base path, leading to potential API key leakage and denial of...

CVSS 8.3, AI score 8.1, EPSS 0.00147
Exploits 1, References 2
CVE
added 2025/03/20 10:09 a.m., 44 views

CVE-2024-10109

CVE-2024-10109 affects the mintplex-labs/anything-llm repository (commit 5c40419). Affected component: API endpoint /api/system/custom-models, exposed to low-privilege users. Root cause described as insufficient authorization allowing access to a sensitive endpoint, enabling modification of the m...

CVSS 8.3, AI score 8.1, EPSS 0.00147
Exploits 1, References 2, Affected Software 1
CVE
added 2025/03/20 10:09 a.m., 83 views

CVE-2024-9606

CVE-2024-9606 — Improper API key masking in Litellm A vulnerability in berriai/litellm prior to 1.44.12 arises from the masking logic in litellm_logging.py, which only masks the first 5 characters of API keys. This allows leakage of most of the secret key in logs, as noted for version v1.44.9 and...

CVSS 7.5, AI score 7.1, EPSS 0.00209
Exploits 1, References 2, Affected Software 1
Cvelist
added 2025/03/20 10:09 a.m., 7 views

CVE-2024-9606 Improper Output Neutralization for Logs in berriai/litellm

In berriai/litellm before version 1.44.12, the litellm/litellm_core_utils/litellm_logging.py file contains a vulnerability where the API key masking code only masks the first 5 characters of the key. This results in the leakage of almost the entire API key in the logs, exposing a significant amount ...

CVSS 7.5, EPSS 0.00209
Exploits 1, References 2
Cvelist
added 2025/03/20 10:08 a.m., 4 views

CVE-2024-11037 Path Traversal in binary-husky/gpt_academic

A path traversal vulnerability exists in binary-husky/gpt_academic at commit 679352d, which allows an attacker to bypass the blocked_paths protection and read the config.py file containing sensitive information such as the OpenAI API key. This vulnerability is exploitable on Windows operating syste...

CVSS 6.5, EPSS 0.00157
Exploits 1, References 1
Vulnrichment
added 2025/03/20 10:08 a.m., 5 views

CVE-2024-11037 Path Traversal in binary-husky/gpt_academic

A path traversal vulnerability exists in binary-husky/gpt_academic at commit 679352d, which allows an attacker to bypass the blocked_paths protection and read the config.py file containing sensitive information such as the OpenAI API key. This vulnerability is exploitable on Windows operating syste...

CVSS 6.5, AI score 6.3, EPSS 0.00157
Exploits 1, References 1
CVE
added 2025/03/20 10:08 a.m., 37 views

CVE-2024-11037

CVE-2024-11037 affects binary-husky/gpt_academic. A path traversal flaw at commit 679352d allows bypassing blocked_paths and reading config.py containing sensitive data (e.g., OpenAI API key). Exploitation is described as Windows-specific via a URL containing the project’s absolute path. No mitig...

CVSS 6.5, AI score 6.3, EPSS 0.00157
Exploits 1, References 1, Affected Software 1
Github Security Blog
added 2025/03/19 6:30 p.m., 11 views

Jenkins Zoho QEngine Plugin Displays Unmasked API Keys

Jenkins Zoho QEngine Plugin 1.0.29.vfacc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it...

CVSS 3.1, AI score 6.8, EPSS 0.00092
Exploits 0, References 4, Affected Software 1
NVD
added 2025/03/19 4:15 p.m., 6 views

CVE-2025-30197

Jenkins Zoho QEngine Plugin 1.0.29.vfacc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it...

CVSS 3.1, EPSS 0.00092
Exploits 0, References 1
Vulnrichment
added 2025/03/19 3:38 p.m., 9 views

CVE-2025-30197

Jenkins Zoho QEngine Plugin 1.0.29.vfacc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it...

AI score 6.8, EPSS 0.00092
Exploits 0, References 1
CVE
added 2025/03/19 3:38 p.m., 92 views

CVE-2025-30197

CVE-2025-30197 concerns Jenkins Zoho QEngine Plugin prior to 1.0.29.vfa_cc23396502, where the QEngine API Key form field is not masked. This omission can allow attackers to observe or capture the API key in the UI input path. The CVE is documented across multiple sources (NVD entry and Red Hat ad...

CVSS 3.1, AI score 6.5, EPSS 0.00092
Exploits 0, References 1, Affected Software 1
Cvelist
added 2025/03/19 3:38 p.m., 11 views

CVE-2025-30197

Jenkins Zoho QEngine Plugin 1.0.29.vfacc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it...

EPSS 0.00092
Exploits 0, References 1
CNNVD
added 2025/03/19 12:00 a.m., 2 views

Jenkins Zoho QEngine Plugin Security Vulnerability

Jenkins Zoho QEngine Plugin is a Jenkins plugin for Jenkins open source. A security vulnerability exists in Jenkins Zoho QEngine Plugin 1.0.29.vfacc23396502 and prior versions, which stems from an unmasked QEngine API Key form field...

CVSS 3.1, AI score 6.6, EPSS 0.00092
Exploits 0, References 2
NVD
added 2025/03/14 5:15 a.m., 17 views

CVE-2025-1285

The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to...

CVSS 5.3, EPSS 0.00153
Exploits 0, References 2
Cvelist
added 2025/03/14 4:22 a.m., 14 views

CVE-2025-1285 Resido - Real Estate WordPress Theme <= 3.6 - Missing Authorization to Unauthenticated Server-Side Request Forgery and API Key Settings Update

The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to...

CVSS 5.3, EPSS 0.00153
Exploits 0, References 2
Vulnrichment
added 2025/03/14 4:22 a.m., 10 views

CVE-2025-1285 Resido - Real Estate WordPress Theme <= 3.6 - Missing Authorization to Unauthenticated Server-Side Request Forgery and API Key Settings Update

The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to...

CVSS 5.3, AI score 5.2, EPSS 0.00153
Exploits 0, References 2
CVE
added 2025/03/14 4:22 a.m., 85 views

CVE-2025-1285

CVE-2025-1285 affects the Resido – Real Estate WordPress Theme. The vulnerability arises from a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to and including 3.6, enabling unauthenticated attackers to issue requests to internal services and updat...

CVSS 5.3, AI score 5.2, EPSS 0.00153
Exploits 0, References 2
Github Security Blog
added 2025/03/13 10:38 p.m., 35 views

Flowise Pre-auth Arbitrary File Upload

Summary: An unauthorized attacker can leverage the whitelisted route /api/v1/attachments to upload arbitrary files when the storageType is set to local (the default). Details: When a new request arrives, the system first checks if the URL starts with /api/v1/. If it does, the system then verifies whether...

AI score 7.5
Exploits 0, References 3, Affected Software 1
RedhatCVE
added 2025/03/07 2:38 a.m., 6 views

CVE-2025-27643

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.933 and Application 20.0.2368 contains a hardcoded AWS API key (vendor advisory V-2024-006)...

CVSS 9.8, AI score 7.1, EPSS 0.00121
Exploits 1, References 1