274 matches found

RedhatCVE
added 2026/05/26 8:14 p.m. | 6 views

CVE-2026-25193

Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure. Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are...

CVSS 8.1 | AI score 5.8 | EPSS 0.00013
Exploits: 0 | References: 1
EUVD
added 2026/05/25 5:28 a.m. | 7 views

EUVD-2026-31636

Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure. Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are...

CVSS 8.1 | AI score 5.8 | EPSS 0.00013
Exploits: 0 | References: 1
Cvelist
added 2026/05/25 5:28 a.m. | 33 views

CVE-2026-25193

Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure. Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are...

CVSS 8.1 | EPSS 0.00013
Exploits: 0 | References: 1
NVD
added 2026/05/22 4:16 p.m. | 5 views

CVE-2026-7325

Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects :...

CVSS 7.1 | EPSS 0.0004
Exploits: 0 | References: 1
EUVD
added 2026/05/22 3:30 p.m. | 6 views

EUVD-2026-31462

Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects :...

CVSS 7.1 | AI score 5.8 | EPSS 0.0004
Exploits: 0 | References: 1
Cvelist
added 2026/03/27 2:13 p.m. | 23 views

CVE-2026-4984 Botpress - Credential Disclosure via Twilio Webhook Handler

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

CVSS 8.2 | EPSS 0.00007
Exploits: 0 | References: 1
Positive Technologies
added 2026/03/27 12:0 a.m. | 0 views

PT-2026-28704

Name of the Vulnerable Software and Affected Versions: Twilio integration (affected versions not specified). Description: The Twilio integration webhook handler improperly validates requests, accepting any POST request without verifying the 'X-Twilio-Signature' header. When handling media messages, th...

CVSS 8.2 | AI score 5.9 | EPSS 0.00007
Exploits: 0 | References: 3
CVE
added 2026/03/16 3:32 p.m. | 7 views

CVE-2026-4250

CVE-2026-4250 affects Albert Health Android app up to 1.7.3. The vulnerability lies in an unknown function within resources/assets/service-account.json of the Google Cloud Service Account Key Handler, leading to unprotected storage of credentials. Exploitation requires local access and is describ...

CVSS 2.5 | AI score 4.8 | EPSS 0.00016
Exploits: 0 | References: 4
The Hacker News
added 2026/03/10 4:21 p.m. | 14 views

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks. The activity involves the exploitation of recently disclosed security vulnerabilities or weak credentials...

CVSS 9.8 | AI score 7.2 | EPSS 0.09485
Exploits: 1
The Hacker News
added 2026/03/05 6:34 a.m. | 6 views

FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials

A joint law enforcement operation has dismantled LeakBase, one of the world's largest online forums for cybercriminals to buy and sell stolen data and cybercrime tools. The LeakBase forum, per the U.S. Department of Justice (DoJ), had over 142,000 members and more than 215,000 messages between...

AI score 5.8
Exploits: 0
OSV
added 2026/02/26 7:53 p.m. | 2 views

GHSA-2V6M-6XW3-6467 Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

Summary: A vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account. Impact: Fleet returns configuration da...

CVSS 7.1 | AI score 5.6 | EPSS 0.00058
Exploits: 0 | References: 4
Vulnrichment
added 2026/02/26 2:54 a.m. | 2 views

CVE-2026-27465 Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources...

CVSS 5.3 | AI score 5.5 | EPSS 0.00058
Exploits: 0 | References: 1
OSV
added 2026/02/26 2:54 a.m. | 3 views

CVE-2026-27465 Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources...

CVSS 5.3 | AI score 5.7 | EPSS 0.00058
Exploits: 0 | References: 3
Positive Technologies
added 2026/02/26 12:0 a.m. | 4 views

PT-2026-22117

Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 4.80.1. Description: Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources...

CVSS 9.9 | AI score 6.9 | EPSS 0.07313
Exploits: 68 | References: 140
Positive Technologies
added 2026/01/22 12:0 a.m. | 3 views

PT-2026-4279

Name of the Vulnerable Software and Affected Versions: affected versions not specified. Description: A low-privileged user can bypass account credentials without confirming the user's current authentication state, potentially leading to unauthorized privilege escalation. Recommendations: At the momen...

CVSS 8.7 | AI score 5.4 | EPSS 0.00034
Exploits: 0 | References: 4
RedhatCVE
added 2026/01/15 6:21 a.m. | 2 views

CVE-2026-0717

The LottieFiles – Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the /wp-json/lottiefiles/v1/settings/ REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site...

CVSS 5.3 | AI score 6 | EPSS 0.00063
Exploits: 0 | References: 1
RedhatCVE
added 2025/12/11 5:53 p.m. | 2 views

CVE-2025-13607

A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL...

CVSS 9.4 | AI score 6.9 | EPSS 0.00044
Exploits: 0 | References: 1
EUVD
added 2025/12/10 6:30 p.m. | 4 views

EUVD-2025-202452

A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL...

CVSS 9.4 | AI score 6.4 | EPSS 0.00044
Exploits: 0 | References: 4
CVE
added 2025/12/10 5:15 p.m. | 28 views

CVE-2025-13607

CVE-2025-13607 affects D-Link CCTV camera model DCS-F5614-L1 and related entries, describing unauthenticated access to camera configuration data (including account credentials) via a vulnerable URL. Connected sources consistently state missing authentication as the root cause; several enrichments...

CVSS 9.4 | AI score 6.5 | EPSS 0.00044
Exploits: 0 | References: 3
Vulnrichment
added 2025/12/10 5:15 p.m. | 10 views

CVE-2025-13607 D-Link CCTV camera model DCS-F5614-L1 Missing Authentication for Critical Function

A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL...

CVSS 9.4 | AI score 6.5 | EPSS 0.00044
Exploits: 0 | References: 3