22 matches found
CVE-2026-56244
Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to...
CVE-2026-56244
CVE-2026-56244 (Capgo) affects Capgo prior to 12.128.2. The issue arises because non-admin API keys can read webhook signing secrets via Supabase REST due to insufficient row-level security on the webhooks table. This enables attackers to retrieve the webhook secret and forge valid X-Capgo-Signat...
EUVD-2026-38741
Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to...
Malicious code in wrld-dev (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58965a325ad88c872b7c01668e4c08ca337b5fa022c15e626e23697d23fb594c The package exposes a public authentication API auth.user.login, auth.user.register, auth.user.get, auth.user.delete, plus an auth.system RPC surface...
MAL-2026-4733 Malicious code in wrld-dev (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58965a325ad88c872b7c01668e4c08ca337b5fa022c15e626e23697d23fb594c The package exposes a public authentication API auth.user.login, auth.user.register, auth.user.get, auth.user.delete, plus an auth.system RPC surface...
Cleanuparr 访问控制错误漏洞
Cleanuparr is an automated tool developed by Cleanuparr OpenSource, designed to clean up invalid files in the download queue. Versions of Cleanuparr prior to 2.9.10 contained a access control vulnerability. This vulnerability stemmed from the global CORS policy, which reflected the Origin of each...
CVE-2025-63291
When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying...
PT-2025-46999
Name of the Vulnerable Software and Affected Versions Alteryx server versions 2022.1.1.42654 and 2024.1 Description The Alteryx server does not properly validate user authorization when processing API requests that utilize MongoDB object IDs to identify data. Specifically, the server fails to...
CVE-2025-40774
CVE-2025-40774 affects SiPass integrated prior to v3.0. The vulnerability stems from passwords stored in the server’s database with decryption keys accessible to administrators, enabling password recovery. Exploitation could allow an attacker with admin access to obtain and use valid user passwor...
CVE-2025-44823
Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/getusers call. This is GL:NLS475...
CVE-2025-44823
Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/getusers call. This is GL:NLS475...
EUVD-2025-32882
Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/getusers call. This is GL:NLS475...
CVE-2025-44823
Nagios Log Server (before 2024R1.3.2) is vulnerable: unauthenticated? No—authenticated users with access to the API can call /nagioslogserver/index.php/api/system/get_users to retrieve cleartext admin API keys. The underlying issue exposes user accounts and API keys, enabling full system compromi...
CVE-2025-10650
SoftIron HyperCloud 2.5.0 through 2.6.3 may incorrectly add user SSH keys to the administrator-level authorized keys under certain conditions, allowing unauthorized privilege escalation to admin via SSH. Affects non-production debug and internal development builds created between versions 2.5.0 a...
PT-2024-37910 · Foreman · Foreman
Name of the Vulnerable Software and Affected Versions: foreman affected versions not specified Description: A disclosure of sensitive information flaw was found in foreman via the "GraphQL API". If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin...
PT-2024-24598 · Tolgee · Tolgee
Name of the Vulnerable Software and Affected Versions: Tolgee versions 3.57.2 through 3.57.3 Description: Tolgee is an open-source localization platform. When an API key created by an admin user is used, it bypasses the permission check at all. Recommendations: For Tolgee versions 3.57.2 through...
PT-2024-20093 · Hid · Hid Iclass Se Reader Configuration Cards
Name of the Vulnerable Software and Affected Versions: HID iCLASS SE reader configuration cards affected versions not specified Description: Sensitive data can be extracted from HID iCLASS SE reader configuration cards, including credential and device administrator keys. Recommendations: At the...
PT-2024-19381 · Hid Global · Omnikey 5023 Readers +15
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue concerns certain configurations in the communication channel for encoders that could expose sensitive data when reader configuration cards are...
foreman: foreman: OAuth secret exposure via unauthenticated access to the GraphQL API
A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API...
CVE-2022-31883
Marval MSM v14.19.0.12476 is has an Insecure Direct Object Reference IDOR vulnerability. A low privilege user is able to see other users API Keys including the Admins API Keys...