1241 matches found
EUVD-2025-6899
Malicious code in bioql PyPI...
EUVD-2023-50859
Malicious code in bioql PyPI...
EUVD-2024-36385
Malicious code in bioql PyPI...
EUVD-2024-2826
Malicious code in bioql PyPI...
EUVD-2025-9530
Malicious code in bioql PyPI...
CVE-2025-57266
An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 through 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the /api/assistant/list endpoint...
CVE-2025-57266
ThriveX Blogging Framework versions 2.5.9 through 3.1.3 contain an unauthenticated information disclosure in AssistantController.java, exposing sensitive data (e.g., API Keys) via the /api/assistant/list endpoint. Publicly available documents (NVD, Red Hat, CVE listings) corroborate the issue and...
CVE-2025-53884
NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to a rainbow table attack, an offline attack where hashes of known passwords are precomputed...
CVE-2025-53884
CVE-2025-53884 concerns NeuVector, where passwords and API keys are stored using a simple, unsalted hash. The provided documents state this scheme is vulnerable to rainbow table attacks (offline hash precomputation), enabling potential credential exposure if hashes are compromised. The NVD entry ...
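The three NeuVector entries above describe why an unsalted hash is weak: the attacker hashes a wordlist once, offline, and then recovers any stored credential by table lookup. The following is an added example, not NeuVector's code or the advisory's, that shows the lookup succeeding against an unsalted SHA-256 digest and failing against a per-record salt with an iterated KDF (PBKDF2 here; the wordlist, function names and iteration count are constructed for illustration).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist standing in for a leaked-password dictionary.
WORDLIST = ["password", "letmein", "admin123", "Summer2024!", "neuvector"]


def unsalted_hash(secret: str) -> str:
    """Weak scheme: one unsalted SHA-256 over the secret, same output for every user."""
    return hashlib.sha256(secret.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Attacker's offline precomputation: hash each candidate once, index by digest."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the plaintext with a single dictionary lookup (no per-hash work)."""
    return table.get(stored_digest)


def salted_hash(secret: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Stronger scheme: random 16-byte salt plus iterated PBKDF2-HMAC-SHA256.
    Stored as algo$iterations$salt_hex$dk_hex so verification can recover the parameters."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: str, table: Dict[str, str]) -> Optional[str]:
    """The precomputed table was built without the salt, so it cannot match a salted
    digest; the attacker would have to redo the iterated work per record."""
    _algo, _iters, _salt_hex, dk_hex = stored.split("$")
    return table.get(dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(unsalted_hash("admin123"), table))
    print("salted:  ", crack_salted(salted_hash("admin123"), table))
```

The same password yields a different salted record each time, so a table built once cannot be reused across users or deployments; the iteration count additionally makes each guess expensive.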
Linux Distros Unpatched Vulnerability : CVE-2021-37937
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that t...
CVE-2025-57806 Local Deep Research's API keys are stored in plain text
Local Deep Research is an AI-powered research assistant for deep, iterative research. Versions 0.2.0 through 0.6.7 stored confidential information, including API keys, in a local SQLite database without encryption. This behavior was not clearly documented outside of the database architecture page...
Local Deep Research's API keys are stored in plain text
Affected Versions: 0.2.0 and = 1.0.0 Description: The library stored confidential information, including API keys, in a local SQLite database without encryption. This behavior was not clearly documented outside of the database architecture page. Users were not given the ability to configure the...
Linux Distros Unpatched Vulnerability : CVE-2020-7009
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker...
Malicious Package
Overview enumer-iam is a malicious package. This package contains malicious code disguised as a legitimate cloud client utility, and its content has been removed from the official package manager. Its primary purpose is to steal cloud-related secrets, such as API keys and access tokens. The packa...
Malicious Package
Overview credential-python-sdk is a malicious package. This package contains malicious code disguised as a legitimate cloud client utility, and its content has been removed from the official package manager. Its primary purpose is to steal cloud-related secrets, such as API keys and access tokens...
Malicious Package
Overview acloud-client-uses is a malicious package. This package contains malicious code disguised as a legitimate cloud client utility, and its content has been removed from the official package manager. Its primary purpose is to steal cloud-related secrets, such as API keys and access tokens. T...
CVE-2025-50733
NextChat contains a cross-site scripting (XSS) vulnerability in the HTMLPreview component of artifacts.tsx that allows attackers to execute arbitrary JavaScript code when HTML content is rendered in the AI chat interface. The vulnerability occurs because user-influenced HTML from AI responses is...
CVE-2025-57755 claude-code-router CORS misconfiguration
claude-code-router is a powerful tool to route Claude Code requests to different models and customize any request. Due to improper Cross-Origin Resource Sharing (CORS) configuration, there is a risk that user API Keys or equivalent credentials may be exposed to untrusted domains. Attackers could...
Permissive Cross-domain Policy with Untrusted Domains
Overview @musistudio/claude-code-router is a tool to use Claude Code without an Anthropic account and route it to another LLM provider. Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains due to improper CORS configuration. An attacker can access use...
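The two claude-code-router entries above describe the failure mode of a permissive CORS policy: a server that reflects whatever Origin the browser sends, together with Access-Control-Allow-Credentials, lets any web page the user visits read authenticated responses, including ones that carry API keys. The following is an added example, not claude-code-router's code or either advisory's, contrasting that reflecting handler with an allowlist handler and checking both against a simplified model of the browser's CORS decision. The trusted origin, header-building functions and the attacker origin are assumptions made for illustration.

```python
from typing import Dict, Optional

# Assumed trusted UI origin for this illustration (not taken from the project).
ALLOWED_ORIGINS = {"http://localhost:3456"}


def cors_headers_permissive(origin: Optional[str]) -> Dict[str, str]:
    """Vulnerable pattern: echo any Origin back and allow credentials.
    Every site on the web becomes an allowed caller of credentialed endpoints."""
    headers: Dict[str, str] = {}
    if origin:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_headers_allowlist(origin: Optional[str]) -> Dict[str, str]:
    """Hardened pattern: only an exact match against a fixed allowlist is echoed.
    Unknown origins (including the literal string 'null') get no CORS headers at all,
    and Vary: Origin keeps caches from serving one origin's grant to another."""
    headers: Dict[str, str] = {}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Vary"] = "Origin"
    return headers


def browser_can_read(origin: str, headers: Dict[str, str], with_credentials: bool = True) -> bool:
    """Simplified model of the browser's check on a cross-origin response:
    the page at `origin` may read the body only if ACAO matches it exactly, or is '*'
    for a request sent without credentials; credentialed reads also need ACAC: true."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    if acao != origin:
        return False
    if with_credentials and headers.get("Access-Control-Allow-Credentials") != "true":
        return False
    return True


def exposure_report(attacker_origin: str) -> Dict[str, bool]:
    """Whether a page at attacker_origin could read a credentialed response under each policy."""
    return {
        "permissive": browser_can_read(attacker_origin, cors_headers_permissive(attacker_origin)),
        "allowlist": browser_can_read(attacker_origin, cors_headers_allowlist(attacker_origin)),
    }


if __name__ == "__main__":
    print(exposure_report("https://attacker.example"))
```

A quick check against a running service is to send a request with a bogus Origin header and inspect the response: if Access-Control-Allow-Origin echoes that value and Access-Control-Allow-Credentials is true, the service has the reflecting behaviour shown in the permissive handler.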