DRUPAL-CONTRIB-2026-042

This module provides spam protection using the CleanTalk cloud service. The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The cleantalkdie and ctdie functions output the CleanTalk API response message directly into HTML without proper sanitizatio...

CVE-2026-3636 Sanitize team member data returned by API

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allows a user without permissions to get data about team members roles via invoking various team API...

CVE-2026-42514

This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs. Successful exploitation of this vulnerability could allow an attacker to impersonate the target...

EUVD-2026-26197

This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs. Successful exploitation of this vulnerability could allow an attacker to impersonate the target...

CVE-2026-5375 runZero Platform API credential information leak

An issue that could allow a user with access to a credential to view sensitive fields through an API response has been resolved. This is an instance of CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and has an estimated CVSS score of...

EUVD-2025-208113

The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicio...

CVE-2025-1242

CVE-2025-1242 affects Gardyn Home Kit via Gardyn IoT Hub. Root cause: hard-coded administrative credential iothubowner exposed across multiple vectors (API responses, mobile app, and device firmware), enabling unauthenticated full admin access to the hub and connected devices. Connected documents...

CVE-2025-1242

The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicio...

GitLab 8.3 < 18.5.5 / 18.6 < 18.6.3 / 18.7 < 18.7.1 (CVE-2025-10569)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denia...

CVE-2019-12474

Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6...

Sensitive Information Exposure

@actual-app/sync-server is vulnerable to sensitive Information Exposure. The vulnerability is due to logging parsed API responses to STDOUT using console.log/console.debug, which allows an attacker with access to application logs to obtain sensitive data such as bearer tokens, bank account detail...

EUVD-2022-2038

Malicious code in bioql PyPI...

MAL-2025-7841 Malicious code in @epc-libraries/common-api-responses (npm)

The package @epc-libraries/common-api-responses was found to contain malicious code...

Prevent GitHub CLI and extensions from executing arbitrary commands from compromised GitHub Enterprise Server

Summary A security vulnerability has been identified in go-gh where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. Details The GitHub CLI and CLI...

CVE-2023-26051

Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staff-authenticated...

CVE-2025-46736

Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No known workarounds a...

CVE-2025-46552

KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses...

CVE-2025-46552

KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses...

CVE-2025-46552 KHC-INVITATION-AUTOMATION Sensitive User Information Leakage in Invitation Automation

KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses...

Account Enumeration

shopware/core is vulnerable to Account Enumeration. The vulnerability is due to differing API responses that reveal whether an email address is associated with an account, allowing attackers to infer user registration status...