PT-2025-52864

Name of the Vulnerable Software and Affected Versions httparty versions prior to 0.23.2 Description httparty is susceptible to a Server-Side Request Forgery SSRF condition in versions 0.23.2 and earlier. This issue could lead to the disclosure of API keys and enable unauthorized requests to...

httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage

Summary There may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. Details When httparty receives a path argument that is an absolute URL, it ignores the baseuri field. As a result, if ...

CVE-2025-13754

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at /wp-json/ssa/v1/embed-inner-admin without...

EUVD-2025-204471

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at /wp-json/ssa/v1/embed-inner-admin without...

CVE-2025-11369

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to a missing or incorrect capability checks on the getinstagramaccesstokencallback, googlemapapikeysavecallback and getsiteinfo functions in all...

CVE-2025-11369

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to a missing or incorrect capability checks on the getinstagramaccesstokencallback, googlemapapikeysavecallback and getsiteinfo functions in all...

EUVD-2025-203863

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to a missing or incorrect capability checks on the getinstagramaccesstokencallback, googlemapapikeysavecallback and getsiteinfo functions in all...

Zimbra Collaboration 安全漏洞

Zimbra Collaboration is an open source enterprise email and collaboration platform from Zimbra that supports email, calendar, document management and team collaboration features. A security vulnerability exists in Zimbra Collaboration versions 10.0 and 10.1, which stems from hard-coded API keys i...

Sensitive Information Disclosure

Jenkins Curseforge Publisher Plugin is vulnerable to Sensitive Information Disclosure. The vulnerability is due to storing API keys in plaintext in job configuration files, allowing users with Item/Extended Read permission or file system access on the Jenkins controller to view and misuse the...

Authentication Bypass

better-auth is vulnerable to an Authentication Bypass. The vulnerability is due to improper handling of the userId field when no session exists, allowing attackers to supply a victim’s ID and have the server treat them as that user, enabling unauthenticated creation or modification of API keys an...

Devolutions Server < 2025.3.10.0 AI Integration API Key Exposure (DEVO-2025-0017)

The version of Devolutions Server installed on the remote host is prior to 2025.3.10.0, and is, therefore, affected by an AI integration API key exposure vulnerability: - Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows. This issue affects...

CVE-2025-13084

The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators...

Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys

New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code. Cybersecurity company...

CVE-2025-12822

The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mojwtgeneratenewapikey' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-12822 WP Login and Register using JWT <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure

The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mojwtgeneratenewapikey' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-63291

When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying...

EUVD-2025-197655

When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying...

CVE-2025-63291

When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying...

CVE-2025-12732 WP Import – Ultimate CSV XML Importer for WordPress <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting function in all versions up to, and including, 7.33. This makes it possible for authenticated attacker...

EUVD-2025-119985

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting function in all versions up to, and including, 7.33. This makes it possible for authenticated attacker...