CVE-2026-33710

Chamilo LMS (prior to 1.11.38 and 2.0.0-RC.3) uses REST API keys generated by md5(time() + (user_id * 5) - rand(10000, 10000)). Since rand(10000,10000) always returns 10000, the key becomes md5(timestamp + user_id*5 - 10000), enabling brute-forcing by an attacker who knows a username and approxim...

CVE-2026-35668

OpenClaw contains a path traversal vulnerability in its sandbox enforcement prior to version 2026.3.24. The flaw allows sandboxed agents to read arbitrary files from other agents’ workspaces through unnormalized mediaUrl and fileUrl parameter keys, due to incomplete parameter validation in normal...

Anthropic Claude Code < 2.0.65 API Key Leak via Project Settings (CVE-2026-21852)

The version of Anthropic Claude Code installed on the remote host is prior to 2.0.65. It is, therefore, affected by an information disclosure vulnerability. A vulnerability in the project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirm...

CVE-2026-39943 Directus exposes sensitive fields in revision history

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records in directusrevisions whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline,...

CVE-2026-39412

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sortnatural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack...

CVE-2026-35484 text-generation-webui has a Path Traversal in load_preset() — .yaml file read without authentication

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadpreset allows reading any .yaml file on the server filesystem. The parsed YAML key-value pairs including passwords, API keys, connection...

CVE-2026-35484

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadpreset allows reading any .yaml file on the server filesystem. The parsed YAML key-value pairs including passwords, API keys, connection...

CVE-2026-35462 Papra Does Not Reject Expired API Keys

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...

EUVD-2026-19657

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...

METATRON AI Penetration Testing

Metatron is a CLI-based AI penetration testing assistant that runs entirely on your local machine - no cloud, no API keys, no subscriptions. You give it a target IP or domain. It runs real recon tools nmap, whois, whatweb, curl, dig, nikto, feeds all results to a locally running AI model, and the...

GHSA-MVV8-V4JJ-G47J Directus: Sensitive fields exposed in revision history

Summary Directus stores revision records in directusrevisions whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields including user tokens, two-factor authentication secrets, external auth...

CVE-2026-35467

The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials...

CVE-2026-35467 Private Key stored as extractable in browser IndexeDB

The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials...

CVE-2026-35467

The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials...

CVE-2026-35467

CVE-2026-35467 concerns unprotected storage of API keys in a temporary browser client (IndexedDB), allowing exposure of encryption credentials via JavaScript console or similar errors. Multiple sources (NVD, Red Hat, ENISA EUVD, CIRCL, CVE List, AttackersKB, CVE records) describe the same issue w...

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization in the Tool Valves endpoint. An attacker can obtain sensitive information, such as API keys for backend systems, by sending GET /api/v1/tools/id//valves requests using a low-privileged...

CVE-2026-33073

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in the potential fo...

CVE-2026-34361 HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith...

CVE-2026-29872

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 2026-01-19. The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without...

CVE-2026-33003

Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...