
9 matches found

RedhatCVE
added 2025/12/29 5:54 a.m., 2 views

CVE-2025-15105

A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument apikey results in use of hard-coded cryptographic key. Remote exploitation of the attack...

CVSS 6.3, AI score 6.3, EPSS 0.00035
Exploits: 1, References: 1
EUVD
added 2025/12/27 9:30 a.m., 6 views

EUVD-2025-205469

A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument apikey results in use of hard-coded cryptographic key. Remote exploitation of the attack...

CVSS 6.3, AI score 5.9, EPSS 0.00035
Exploits: 1, References: 5
CVE
added 2025/12/27 9:2 a.m., 8 views

CVE-2025-15105

CVE-2025-15105 affects getmaxun maxun up to version 0.0.28. The vulnerability is in the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts, where manipulation of the argument api_key results in the use of a hard-coded cryptographic key. This enables remote exploitation and is described a...

CVSS 6.3, AI score 4.6, EPSS 0.00035
Exploits: 1, References: 4, Affected Software: 1
Github Security Blog
added 2025/12/02 6:30 p.m., 4 views

Duplicate Advisory: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-mv7p-34fv-4874. This link is maintained to preserve external references. Original Description: A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of t...

CVSS 6.3, AI score 6.4, EPSS 0.0005
Exploits: 0, References: 6, Affected Software: 1
Cvelist
added 2025/12/02 4:2 p.m., 5 views

CVE-2025-13877 nocobase JWT Service jwt-service.ts hard-coded key

A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument APIKEY results in use of hard-coded cryptographic key. T...

CVSS 6.3, EPSS 0.0005
Exploits: 0, References: 4
Cvelist
added 2024/10/26 7:36 a.m., 14 views

CVE-2024-10092 Download Monitor <= 5.0.12 - Missing Authorization to API Key Manipulation

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandleapikeyactions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVSS 4.3, EPSS 0.00099
Exploits: 0, References: 3
Patchstack
added 2024/10/25 10:23 p.m., 2 views

WordPress Download Monitor plugin <= 5.0.12 - Missing Authorization to API Key Manipulation vulnerability

Missing Authorization to API Key Manipulation vulnerability discovered by Trương Hữu Phúc (truonghuuphuc) in WordPress Plugin Download Monitor versions <= 5.0.12...

CVSS 4.3, AI score 7, EPSS 0.00099
Exploits: 0, References: 1, Affected Software: 1
WPVulnDB
added 2023/11/23 12:0 a.m., 13 views

Automatic YouTube Gallery < 2.3.5 - Missing Authorization via AJAX actions

Description: The Automatic YouTube Gallery plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on the ajaxcallbacksaveapikey and ajaxcallbackdeletecache functions in versions up to, and including, 2.3.3. This makes it possible for authenticat...

AI score 6.7, EPSS 0.00188
Exploits: 0, References: 1, Affected Software: 1
Veracode
added 2021/02/23 2:41 a.m., 18 views

Insecure Access Control

shinobi uses insecure access controls. An attacker is able to access the User/Admin/Super API functions through the use of JS Proto Method names held in an internal JS Object and trick the system into accepting a supplied API key that exists in the underlying JS object...

CVSS 9.8, AI score 1.8, EPSS 0.00419
Exploits: 0, References: 4, Affected Software: 1