PT-2025-28932 · Jenkins · Jenkins Applitools Eyes Plugin

Name of the Vulnerable Software and Affected Versions: Jenkins Applitools Eyes Plugin versions 1.16.5 and earlier Description: The Jenkins Applitools Eyes Plugin does not mask Applitools API keys displayed on the job configuration form. This increases the potential for attackers to observe and...

PT-2025-28920 · Jenkins · Jenkins Vaddy Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins VAddy Plugin versions prior to 1.2.9 Description: The Jenkins VAddy Plugin stores VAddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller. These keys are accessible to users with Item/Extended Read permission...

PT-2025-28922 · Jenkins · Jenkins Nouvola Divecloud Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Nouvola DiveCloud Plugin versions prior to 1.09 Description: The Jenkins Nouvola DiveCloud Plugin stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in config.xml files on the Jenkins controller. Users with...

PT-2025-28950 · Ruckus +1 · Smartzone +2

Name of the Vulnerable Software and Affected Versions: RUCKUS SmartZone SZ versions prior to 6.1.2p3 Refresh Build Description: RUCKUS SmartZone SZ is susceptible to an OS command injection issue through a specific parameter within an API route. Recommendations: Update RUCKUS SmartZone SZ to...

CVE-2025-3780 WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfmredirecttosetup function in all versions up to, and including, 6.7.16. This makes i...

PT-2025-28802 · WordPress · Wcfm – Frontend Manager For Woocommerce +1

Name of the Vulnerable Software and Affected Versions: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress versions up to and including 6.7.16 Description: The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription...

MAL-2025-191914 Malicious code in typing-extensions-plus (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 78c15498f688e49c1d6a8b369eae95e0e77016cd05d74f89a72fa9e845c71da5 Importing the module starts code responsible of exfiltrating crypto tokens and API keys. Package imitates typing-extensions --- Category: MALICIOUS - The...

AgentSmith Flaw in LangSmith’s Prompt Hub Exposed User API Keys, Data

A CVSS 8.8 AgentSmith flaw in LangSmith's Prompt Hub exposed AI agents to data theft and LLM manipulation. Learn how malicious AI agents could steal API keys and hijack LLM responses. Fix deployed...

CVE-2025-26521

When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based...

CVE-2025-47849 Apache CloudStack: Insecure access of user's API/Secret Keys in the same domain

A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and...

The Hidden Threat in Your Stack: Why Non-Human Identity Management is the Next Cybersecurity Frontier

Modern enterprise networks are highly complex environments that rely on hundreds of apps and infrastructure services. These systems need to interact securely and efficiently without constant human oversight, which is where non-human identities NHIs come in. NHIs — including application secrets, A...

PT-2025-25171 · Apache · Apache Cloudstack

Name of the Vulnerable Software and Affected Versions: Apache CloudStack versions 4.10.0.0 through 4.20.0.0 Description: A privilege escalation issue exists where a malicious Domain Admin user in the ROOT domain can obtain the API key and secret key of user-accounts of Admin role type in the same...

AstrBot Has Path Traversal Vulnerability in /api/chat/get_file

Impact This vulnerability may lead to: Information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. Reproduce Follow these steps to set up a test environment for reproducing the vulnerability: 1. Install dependencies and clone the repository: bash pip...

CVE-2025-48957

AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in...

GO-2025-3736 Gokapi has stored XSS vulnerability in friendly name for API keys in github.com/forceu/gokapi

Gokapi has stored XSS vulnerability in friendly name for API keys in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability...

Gokapi has stored XSS vulnerability in friendly name for API keys

Impact By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. With the affected versions v2.0, there was no user permission system implemented, therefore all authenticated...

CVE-2025-48957

AstrBot has a documented path traversal vulnerability in versions 3.4.4–3.5.12 that can disclose sensitive data (e.g., LLM API keys and passwords) via the /api/chat/get_file endpoint. The issue is addressed in PR #1676 and included in v3.5.13. A temporary workaround is to disable the dashboard in...

CVE-2025-48495

Gokapi (self-hosted file sharing server) has a stored XSS in the API key friendly name. By renaming an API key, an authenticated user could inject JS that executes when another user opens the API tab. Before 2.0.0 there was no user-permission system, so authenticated users could see/modify all re...

CVE-2025-48495 Gokapi has stored XSS vulnerability in friendly name for API keys

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior to version 2.0.0,...

CVE-2025-48495 Gokapi has stored XSS vulnerability in friendly name for API keys

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior to version 2.0.0,...