1270 matches found
CVE-2025-0330
In berriai/litellm version v1.52.1, an issue in proxyserver.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfusesecret and langfusepublickey, which can provide full access to the Langfuse...
CVE-2024-9099
In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to...
LiteLLM Has a Leakage of Langfuse API Keys
In berriai/litellm version v1.52.1, an issue in proxyserver.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfusesecret and langfusepublickey, which can provide full access to the Langfuse...
CVE-2025-0330
In berriai/litellm version v1.52.1, an issue in proxyserver.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfusesecret and langfusepublickey, which can provide full access to the Langfuse...
CVE-2024-9099
In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to...
CVE-2024-6842
In version 1.5.5 of mintplex-labs/anything-llm, the /setup-complete API endpoint allows unauthorized users to access sensitive system settings. The data returned by the currentSettings function includes sensitive information such as API keys for search engines, which can be exploited by attackers...
CVE-2024-6842
In version 1.5.5 of mintplex-labs/anything-llm, the /setup-complete API endpoint allows unauthorized users to access sensitive system settings. The data returned by the currentSettings function includes sensitive information such as API keys for search engines, which can be exploited by attackers...
CVE-2024-9099 Exposure of Private API Keys in lunary-ai/lunary
In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to...
CVE-2024-9099 Exposure of Private API Keys in lunary-ai/lunary
In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to...
CVE-2024-6842 Exposure of Sensitive Information in mintplex-labs/anything-llm
In version 1.5.5 of mintplex-labs/anything-llm, the /setup-complete API endpoint allows unauthorized users to access sensitive system settings. The data returned by the currentSettings function includes sensitive information such as API keys for search engines, which can be exploited by attackers...
CVE-2024-6842 Exposure of Sensitive Information in mintplex-labs/anything-llm
In version 1.5.5 of mintplex-labs/anything-llm, the /setup-complete API endpoint allows unauthorized users to access sensitive system settings. The data returned by the currentSettings function includes sensitive information such as API keys for search engines, which can be exploited by attackers...
CVE-2024-8551
CVE-2024-8551 : A path traversal vulnerability affects modelscope/agentscope in the save-workflow and load-workflow functionality, present in versions prior to the fix. An attacker can read and write arbitrary JSON files on the filesystem, potentially exposing or modifying sensitive data (config ...
CVE-2024-9447
CVE-2024-9447 affects transformeroptimus/superagi. An information disclosure vulnerability exists where the /get/organisation/ endpoint does not verify the user’s organization, allowing any authenticated user to retrieve sensitive configuration details, including API keys, of any organization. Im...
CVE-2025-0330 Exposure of Sensitive Information in berriai/litellm
In berriai/litellm version v1.52.1, an issue in proxyserver.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfusesecret and langfusepublickey, which can provide full access to the Langfuse...
CVE-2025-0330
The CVE-2025-0330 issue affects berriai/litellm v1.52.1, where a flaw in proxy_server.py leads to leakage of Langfuse API keys (langfuse_secret and langfuse_public_key) when parsing team settings. This reportedly grants full access to the Langfuse project storing all requests. Connected documents...
CVE-2025-0330 Exposure of Sensitive Information in berriai/litellm
In berriai/litellm version v1.52.1, an issue in proxyserver.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfusesecret and langfusepublickey, which can provide full access to the Langfuse...
PT-2025-12313 · Unknown · Berriai/Litellm
Name of the Vulnerable Software and Affected Versions: berriai/litellm version 1.52.1 Description: An issue in the proxy server.py file causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This exposes sensitive information, including langfuse secret and...
GHSA-2X3G-RR4W-4QRP Jenkins Zoho QEngine Plugin Displays Unmasked API Keys
Jenkins Zoho QEngine Plugin 1.0.29.vfacc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it...
TikTok: Stored XSS on TikTok's backend leads to the leakage of highly sensitive administrator data (Cookies, API Keys, Internal Paths, Emails, phone numbers).
A stored cross-site scripting vulnerability was discovered in TikTok's contact form backend. Malicious code submitted through the form executed when administrators viewed the submission, exposing sensitive internal data such as cookies, API keys, internal paths, emails, and phone numbers...
Microsoft Disrupts Storm-2139 for LLMjacking and Azure AI Exploitation
Microsoft exposes Storm-2139, a cybercrime network exploiting Azure AI via LLMjacking. Learn how stolen API keys enabled harmful…...