Lucene search
+L

143 matches found

Github Security Blog
Github Security Blog
added 2026/05/08 8:48 p.m.13 views

OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured

Summary The OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANAENDPOINTPROXY environment variable. If a network attacker can Man-in-the-Middle MitM the...

6.5CVSS5.8AI score0.00207EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/05/08 3:16 p.m.19 views

CVE-2026-41487

Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an...

5.4CVSS0.00181EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.16 views

PT-2026-39240

Name of the Vulnerable Software and Affected Versions OpenTelemetry.Exporter.Instana affected versions not specified Description The OpenTelemetry.Exporter.Instana NuGet package fails to validate HTTPS/TLS certificates when sending telemetry to an Instana back-end if a proxy is configured via the...

6.5CVSS5.8AI score0.00207EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/04/25 11:50 p.m.11 views

OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.4.5, 2026.4.20 - Patched version: 2026.4.20 Impact A malicious workspace .env could set MINIMAXAPIHOST and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the...

5CVSS5.2AI score0.00119EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/04/17 9:16 p.m.7 views

CVE-2026-40293

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...

7.5CVSS0.00286EPSS
Exploits0References8
EUVD
EUVD
added 2026/04/03 9:31 p.m.4 views

EUVD-2026-18827

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in Fal.ai media status polling that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack of URL...

7.7CVSS6AI score0.00301EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/03 12:0 a.m.12 views

PT-2026-30228

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in Fal.ai media status polling that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack of URL...

7.7CVSS6AI score0.00301EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/03/26 7:4 p.m.25 views

CVE-2026-33148 URL Parameter Injection in FDC Food Search API Causes Server Crash and Exposes Internal API Key

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC USDA FoodData Central search endpoint constructs an upstream API URL by directly interpolating the user-supplied query parameter into the URL string without...

6.5CVSS0.00467EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/03/26 7:4 p.m.5 views

CVE-2026-33148 URL Parameter Injection in FDC Food Search API Causes Server Crash and Exposes Internal API Key

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC USDA FoodData Central search endpoint constructs an upstream API URL by directly interpolating the user-supplied query parameter into the URL string without...

6.5CVSS5.8AI score0.00467EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/03/23 12:0 a.m.7 views

WordPress plugin King Addons for Elementor 信息泄露漏洞

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server.WordPress plugin is an application plugin. An information disclosure vulnerability exists in the WordPress plugin King Addons for Elemento...

5.3CVSS5.7AI score0.00219EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.8 views

PT-2026-20621

The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the vd get apikey function which is hooked to wp ajax virusdie apikey. This makes it possible for...

4.3CVSS5.3AI score0.00327EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/02/14 1:26 a.m.6 views

CVE-2026-26069

Scraparr is a Prometheus Exporter for various components of the arr Suite. From 3.0.0-beta to before 3.0.2, when the Readarr integration was enabled, the exporter exposed the configured Readarr API key as the alias metric label value. Users were affected only if all of the following conditions ar...

9.1CVSS5.5AI score0.00295EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/12 9:33 p.m.27 views

CVE-2026-26069 Scraparr Readarr Integration exposes sensitive values as metric labels.

Scraparr is a Prometheus Exporter for various components of the arr Suite. From 3.0.0-beta to before 3.0.2, when the Readarr integration was enabled, the exporter exposed the configured Readarr API key as the alias metric label value. Users were affected only if all of the following conditions ar...

9.1CVSS0.00295EPSS
Exploits0References3
OSV
OSV
added 2026/02/12 9:33 p.m.6 views

CVE-2026-26069 Scraparr Readarr Integration exposes sensitive values as metric labels.

Scraparr is a Prometheus Exporter for various components of the arr Suite. From 3.0.0-beta to before 3.0.2, when the Readarr integration was enabled, the exporter exposed the configured Readarr API key as the alias metric label value. Users were affected only if all of the following conditions ar...

9.1CVSS5.5AI score0.00295EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/02/06 12:0 a.m.4 views

CVE-2025-70963

Gophish =0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...

5.4AI score0.00267EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/01/12 5:55 p.m.4 views

CVE-2026-22251 wlc may leak API keys due to an insecure API key configuration

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers...

5.3CVSS6.7AI score0.00164EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/01/07 9:18 a.m.12 views

CVE-2025-1285

The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the deleteapikey and saveapikey AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to...

5.3CVSS7AI score0.00258EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/01/05 12:0 a.m.11 views

PT-2026-1341

Name of the Vulnerable Software and Affected Versions Dify versions prior to 1.11.0 Description Dify is an open-source LLM app development platform. Before version 1.11.0, the API key was exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This could lead ...

8.4CVSS6.3AI score0.00305EPSS
Exploits1References7
Cvelist
Cvelist
added 2025/12/27 9:2 a.m.27 views

CVE-2025-15105 getmaxun auth.ts hard-coded key

A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument apikey results in use of hard-coded cryptographic key . Remote exploitation of the attack...

6.3CVSS0.00458EPSS
Exploits1References4
NVD
NVD
added 2025/12/20 4:16 a.m.4 views

CVE-2025-12898

The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcalajaxhandler function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in t...

5.3CVSS0.00231EPSS
Exploits0References3
Rows per page
Query Builder