
14 matches found

OSSF Malicious Packages
added 2026/05/19 7:42 p.m.

Malicious code in crw (PyPI)

Source: amazon-inspector (report 4324181416ad15727c0f51a30b56858c42fad99b93635922494acfe4c0f5d597). Package 'crw' impersonates the Firecrawl SDK: it declares 'firecrawl' as a keyword, replicates Firecrawl's client surface...

AI score 5.8
Exploits 0, References 2
Cvelist
added 2026/04/07 2:46 p.m.

CVE-2026-35484 text-generation-webui has a Path Traversal in load_preset() — .yaml file read without authentication

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_preset() allows reading any .yaml file on the server filesystem. The parsed YAML key-value pairs, including passwords, API keys, connection...

CVSS 5.3, EPSS 0.00095
Exploits 1, References 1
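The load_preset() issue above is a containment failure: a caller-supplied preset name is turned into a filesystem path without checking that the result stays inside the presets directory, so "../" sequences reach any .yaml file the process can read. The following is an added illustration written for this page, not code from text-generation-webui; the directory layout, file contents and function names are constructed for the example.

```python
import tempfile
from pathlib import Path


def load_preset_unsafe(presets_dir: str, name: str) -> str:
    """Vulnerable pattern (constructed, not the project's code): the caller-supplied
    name is joined onto the presets directory with no containment check, so a name
    such as "../config" reads a .yaml file that lives outside it."""
    return Path(presets_dir, f"{name}.yaml").read_text()


def load_preset_safe(presets_dir: str, name: str) -> str:
    """Hardened variant: resolve the final path (following symlinks) and require it
    to be a direct child of the presets directory, with the expected extension and
    a stem equal to the requested name. Authentication is a separate control that
    is not modelled here."""
    base = Path(presets_dir).resolve()
    target = (base / f"{name}.yaml").resolve()
    if target.parent != base or target.suffix != ".yaml" or target.stem != name:
        raise ValueError(f"rejected preset name {name!r}")
    return target.read_text()


def demo() -> dict:
    """Builds a scratch layout (constructed for this example) and runs both loaders."""
    root = Path(tempfile.mkdtemp())
    presets = root / "presets"
    presets.mkdir()
    (presets / "default.yaml").write_text("temperature: 0.7\n")
    # A settings file with a secret, deliberately OUTSIDE the presets directory.
    (root / "config.yaml").write_text("api_key: constructed-secret\n")

    results = {
        "unsafe_default": load_preset_unsafe(str(presets), "default"),
        "unsafe_escape": load_preset_unsafe(str(presets), "../config"),
        "safe_default": load_preset_safe(str(presets), "default"),
    }
    try:
        load_preset_safe(str(presets), "../config")
        results["safe_escape"] = "read"
    except ValueError:
        results["safe_escape"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The stem check matters as much as the parent check: a name like "sub/../default" resolves to a path under the presets directory, so a parent-only test would accept it, while comparing the resolved stem back to the requested name rejects anything that was not a plain file name.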
Snyk
added 2026/04/01 8:25 p.m.

Missing Authorization

Overview: open-webui is the Open WebUI package. Affected versions of this package are vulnerable to Missing Authorization in the Tool Valves endpoint. An attacker can obtain sensitive information, such as API keys for backend systems, by sending GET /api/v1/tools/id//valves requests using a low-privileged...

CVSS 8.5, AI score 5.9, EPSS 0.00014
Exploits 1, References 2
NVD
added 2026/02/04 11:15 p.m.

CVE-2026-22038

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.46, the AutoGPT platform's Stagehand integration blocks log API keys and authentication secrets in plaintext using...

CVSS 8.1, EPSS 0.00114
Exploits 1, References 2
Positive Technologies
added 2026/01/07 12:00 a.m.

PT-2026-1578

Name of the Vulnerable Software and Affected Versions aBlocks – WordPress Gutenberg Blocks plugin versions prior to 2.4.1 Description The aBlocks – WordPress Gutenberg Blocks plugin for WordPress has a flaw that allows unauthorized modification of data and disclosure of sensitive information. Thi...

CVSS 5.4, AI score 6.1, EPSS 0.00015
Exploits 0, References 6
EUVD
added 2026/01/05 9:41 p.m.

EUVD-2025-206235

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version...

CVSS 8.4, AI score 6.2, EPSS 0.00043
Exploits 1, References 1
NVD
added 2025/10/30 10:15 p.m.

CVE-2025-34283

Nagios XI versions prior to 2024R1.4.2 revealed API keys to users who were not authorized for API access when using Neptune themes. An authenticated user without API privileges could view another user's or their own API key value...

CVSS 7.1, EPSS 0.01622
Exploits 0, References 3
Vulnrichment
added 2025/08/21 4:21 p.m.

CVE-2025-57755 claude-code-router CORS misconfiguration

claude-code-router is a tool to route Claude Code requests to different models and customize any request. Due to an improper Cross-Origin Resource Sharing (CORS) configuration, there is a risk that user API keys or equivalent credentials may be exposed to untrusted domains. Attackers could...

CVSS 9.3, AI score 7.1, EPSS 0.00093
Exploits 0, References 1
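The claude-code-router entry above is the credentialed-CORS mistake: a server that echoes any Origin back in Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true lets any web page the user visits make the browser call the (often localhost-bound) API and read the response, including whatever API keys it returns. The following is an added illustration written for this page, not the project's code; the allowlisted origins and the header-building functions are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the only UI origins that may call this API.
ALLOWED_ORIGINS = frozenset({"http://localhost:3456", "https://console.example.test"})


def cors_headers_unsafe(origin):
    """Vulnerable pattern: reflect whatever Origin the browser sent and allow
    credentials. Every site the user visits can then read the API's responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_safe(origin, allowed=ALLOWED_ORIGINS):
    """Hardened variant: compare the full scheme://host[:port] against an explicit
    allowlist. Exact match only; substring or endswith() checks are bypassable with
    look-alike hosts such as console.example.test.evil.example."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # Reject the opaque "null" origin, bare hosts, and anything carrying a path or query.
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path or parts.query:
        return {}
    normalised = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalised not in allowed:
        # No CORS headers at all: the browser then refuses the cross-origin read.
        return {}
    return {
        "Access-Control-Allow-Origin": normalised,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # responses differ per origin; keep shared caches from mixing them
    }


if __name__ == "__main__":
    for candidate in ("http://localhost:3456", "https://attacker.example",
                      "https://console.example.test.evil.example", "null"):
        print(candidate, "->", cors_headers_unsafe(candidate), cors_headers_safe(candidate))
```

Note that for a disallowed origin the safe version returns no CORS headers rather than a wildcard: "Access-Control-Allow-Origin: *" cannot be combined with credentials, and a wildcard plus a reflected fallback is exactly the pattern that ends up leaking keys.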
Snyk
added 2025/07/09 4:49 p.m.

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the job configuration form. An attacker can obtain sensitive API keys by viewing the exposed values in the configuration interface. Remediation There is no fixed version for...

CVSS 5.1, AI score 6.9, EPSS 0.00121
Exploits 0, References 2
NVD
added 2025/01/28 11:15 p.m.

CVE-2024-48310

AutoLib Software Systems OPAC v20.10 was discovered to have multiple API keys exposed within the source code. Attackers may use these keys to access the backend API or other sensitive information...

CVSS 7.5, EPSS 0.00203
Exploits 1, References 2
Packet Storm
added 2025/01/28 12:00 a.m.

AutoLib Software Systems OPAC 20.10 Secret Disclosure

AutoLib Software Systems OPAC version 20.10 discloses multiple API keys within the source code. Attackers may use these keys to access the backend API or other sensitive information. + Credits: Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC + twitter.com/striv3r Vendor Autolib-ind...

CVSS 7.5, AI score 7.7, EPSS 0.00203
Exploits 1
Cvelist
added 2025/01/28 12:00 a.m.

CVE-2024-48310

AutoLib Software Systems OPAC v20.10 was discovered to have multiple API keys exposed within the source code. Attackers may use these keys to access the backend API or other sensitive information...

EPSS 0.00203
Exploits 1, References 1
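The three AutoLib OPAC entries above (NVD, Packet Storm and Cvelist) describe one root cause: API keys committed into source that is shipped to clients. The following is an added detector written for this page, not code from any of the listed projects; the regex, the entropy threshold, the placeholder list and the sample source are constructed for the example. It flags credential-looking assignments, skips obvious placeholders and templated values, and scores each literal's Shannon entropy so a reviewer can triage random-looking keys ahead of test strings.

```python
import math
import re

# Constructed pattern: a credential-looking identifier assigned a quoted literal.
ASSIGN_RE = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)
PLACEHOLDERS = {"changeme", "<redacted>", "your-api-key-here"}


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score well above English words or test strings."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, min_entropy: float = 3.0) -> list:
    """Returns one finding per credential-looking literal, with line number and entropy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ASSIGN_RE.finditer(line):
            value = match.group(2)
            # Skip templated values and well-known placeholders; they are not secrets.
            if value.startswith("${") or value.lower() in PLACEHOLDERS:
                continue
            entropy = shannon_entropy(value)
            findings.append({
                "line": lineno,
                "name": match.group(1),
                "entropy": round(entropy, 2),
                "high_entropy": entropy >= min_entropy,
            })
    return findings


# Constructed sample, not AutoLib OPAC source.
SAMPLE_SOURCE = """# catalogue client bootstrap
var catalogueApiKey = "AKX9f3Qv7LmT2pR8sW1zY4bN6cJ0";
const sessionToken = "changeme";
password = "${DB_PASSWORD}";
api_key: "hunter2hunter2"
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

Run over the sample, the scanner reports the 28-character key on line 2 as high entropy and the repeated "hunter2hunter2" on line 5 as low entropy, and ignores the placeholder and the templated password. A pattern-only scanner is a first pass; in CI it belongs beside a rule that fails the build on any high-entropy hit in files that are served to clients.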
Vulnrichment
added 2023/05/16 5:54 p.m.

CVE-2023-2632 API keys stored and displayed in plain text by Code Dx Plugin

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

CVSS 4.3, AI score 7.1, EPSS 0.00246
Exploits 0, References 1
OSV
added 2019/03/21 4:00 p.m.

CVE-2018-17499

Envoy Passport for Android and Envoy Passport for iPhone could allow a local attacker to obtain sensitive information, caused by the storing of unencrypted data in logs. An attacker could exploit this vulnerability to obtain two API keys, a token and other sensitive information...

CVSS 5.5, AI score 5.8, EPSS 0.00049
Exploits 0, References 1