CVE-2026-56225

Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers get/put/delete/post. API keys created with mode=all but restricted to a single app via limitedtoapps are only checked for limitedtoorgs and not for limitedtoapps, so an app-scoped key ca...

CVE-2026-9851

The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the packageappaction AJAX endpoint, where the handler only validates a nonce and th...

CVE-2026-25193

Insertion of Sensitive Information into Log File CWE-532 in some Command Centre Service installers could lead to Service Account credentials exposure. Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account not the default Network Service account are...

EUVD-2026-31636

Insertion of Sensitive Information into Log File CWE-532 in some Command Centre Service installers could lead to Service Account credentials exposure. Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account not the default Network Service account are...

CVE-2026-25193

Insertion of Sensitive Information into Log File CWE-532 in some Command Centre Service installers could lead to Service Account credentials exposure. Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account not the default Network Service account are...

CVE-2026-7325

Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects :...

EUVD-2026-31462

Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects :...

CVE-2026-4984 Botpress - Credential Disclosure via Twilio Webhook Handler

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs 'MediaUrlN' parameters using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

PT-2026-28704

Name of the Vulnerable Software and Affected Versions Twilio integration affected versions not specified Description The Twilio integration webhook handler improperly validates requests, accepting any POST request without verifying the 'X-Twilio-Signature' header. When handling media messages, th...

CVE-2026-4250

CVE-2026-4250 affects Albert Health Android app up to 1.7.3. The vulnerability lies in an unknown function within resources/assets/service-account.json of the Google Cloud Service Account Key Handler, leading to unprotected storage of credentials. Exploitation requires local access and is describ...

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall NGFW appliances as entry points to breach victim networks. The activity involves the exploitation of recently disclosed security vulnerabilities or weak credentials...

FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials

A joint law enforcement operation has dismantled LeakBase , one of the world's largest online forums for cybercriminals to buy and sell stolen data and cybercrime tools. The LeakBase forum, per the U.S. Department of Justice DoJ, had over 142,000 members and more than 215,000 messages between...

GHSA-2V6M-6XW3-6467 Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

Summary A vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account. Impact Fleet returns configuration da...

CVE-2026-27465 Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources...

CVE-2026-27465 Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources...

PT-2026-22117

Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.80.1 Description Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources...

PT-2026-4279

Name of the Vulnerable Software and Affected Versions affected versions not specified Description A low-privileged user can bypass account credentials without confirming the user's current authentication state, potentially leading to unauthorized privilege escalation. Recommendations At the momen...

CVE-2026-0717

The LottieFiles – Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the /wp-json/lottiefiles/v1/settings/ REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site...

CVE-2025-13607

A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL...

EUVD-2025-202452

A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL...