19 matches found

OSSF Malicious Packages
added 2026/05/22 5:16 a.m. · 14 views

Malicious code in wrld-dev (npm)

Per-source details. Source: amazon-inspector 58965a325ad88c872b7c01668e4c08ca337b5fa022c15e626e23697d23fb594c. The package exposes a public authentication API (auth.user.login, auth.user.register, auth.user.get, auth.user.delete) plus an auth.system RPC surface...

AI score 5.9
Exploits 0 · References 1
OSV
added 2026/05/22 5:16 a.m. · 8 views

MAL-2026-4733 Malicious code in wrld-dev (npm)

Per-source details. Source: amazon-inspector 58965a325ad88c872b7c01668e4c08ca337b5fa022c15e626e23697d23fb594c. The package exposes a public authentication API (auth.user.login, auth.user.register, auth.user.get, auth.user.delete) plus an auth.system RPC surface...

AI score 5.9
Exploits 0 · References 1
CNNVD
added 2026/05/12 12:00 a.m. · 6 views

Cleanuparr access control error vulnerability

Cleanuparr is an automated tool developed by Cleanuparr OpenSource, designed to clean up invalid files in the download queue. Versions of Cleanuparr prior to 2.9.10 contained an access control vulnerability. This vulnerability stemmed from the global CORS policy, which reflected the Origin of each...

CVSS 8 · AI score 5.8 · EPSS 0.00009
Exploits 0 · References 1
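The Cleanuparr entry above describes a global CORS policy that reflects each request's Origin. The block below is an added example, not Cleanuparr's code: the reflecting pattern beside an exact-match allowlist, plus a rough model of the browser's decision so the consequence is visible. The origins, the assumption that credentials are allowed, and the allowlist contents are constructed for illustration; the excerpt does not say what Cleanuparr's credentials setting was.

```javascript
// Added example (not Cleanuparr's code): an Origin-reflecting CORS policy
// beside an allowlist policy. Origins below are constructed placeholders.

// Weak: whatever Origin arrives is echoed back, and credentials are allowed
// (assumed here). Any site the victim visits can then send credentialed
// cross-origin requests and read the responses.
function reflectingCors(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact string match (scheme + host + port) against a fixed list.
// Anything else gets no CORS headers, so the browser blocks the read.
// The literal 'null' origin (sandboxed iframes, file://) is never allowed.
function allowlistCors(origin, allowlist) {
  if (!origin || origin === 'null') return {};
  if (!allowlist.includes(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Caches must key on Origin so one origin's headers are not replayed
    // to another.
    'Vary': 'Origin',
  };
}

// Rough model of the browser's check for a credentialed cross-origin read:
// the response must name the page's exact origin and allow credentials.
function browserAllowsCredentialedRead(headers, pageOrigin) {
  return headers['Access-Control-Allow-Origin'] === pageOrigin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}

// Constructed sample origins: one trusted UI origin, one attacker origin,
// and a look-alike that a startsWith() or loose regex check would accept.
const ALLOWED = ['https://app.example.com'];
const ATTACKER = 'https://evil.example';
const LOOKALIKE = 'https://app.example.com.evil.example';

// Usage: compare what each policy hands an attacker-origin page.
console.log('reflecting:', browserAllowsCredentialedRead(reflectingCors(ATTACKER), ATTACKER));
console.log('allowlist: ', browserAllowsCredentialedRead(allowlistCors(ATTACKER, ALLOWED), ATTACKER));
```

The check is deliberately an exact string comparison rather than a regex or substring test; most real-world "allowlist" CORS bugs come from matching `origin.endsWith('example.com')` or a regex with an unescaped dot, which the look-alike origin above would slip through.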
NVD
added 2025/11/14 7:16 p.m. · 4 views

CVE-2025-63291

When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying...

CVSS 5.4 · EPSS 0.00046
Exploits 1 · References 3
Positive Technologies
added 2025/11/14 12:00 a.m. · 4 views

PT-2025-46999

Name of the vulnerable software and affected versions: Alteryx server versions 2022.1.1.42654 and 2024.1
Description: The Alteryx server does not properly validate user authorization when processing API requests that utilize MongoDB object IDs to identify data. Specifically, the server fails to...

CVSS 5.4 · AI score 6.2 · EPSS 0.00046
Exploits 1 · References 9
CVE
added 2025/10/14 9:15 a.m. · 12 views

CVE-2025-40774

CVE-2025-40774 affects SiPass integrated prior to v3.0. The vulnerability stems from passwords stored in the server's database with decryption keys accessible to administrators, enabling password recovery. Exploitation could allow an attacker with admin access to obtain and use valid user passwor...

CVSS 6.7 · AI score 6.5 · EPSS 0.00019
Exploits 0 · References 1 · Affected software 1
NVD
added 2025/10/07 8:15 p.m. · 3 views

CVE-2025-44823

Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/getusers call. This is GL:NLS475...

CVSS 9.9 · EPSS 0.01243
Exploits 2 · References 2
Vulnrichment
added 2025/10/07 12:00 a.m. · 2 views

CVE-2025-44823

Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/getusers call. This is GL:NLS475...

CVSS 9.9 · AI score 6.3 · EPSS 0.01243
Exploits 2 · References 2
CVE
added 2025/10/07 12:00 a.m. · 31 views

CVE-2025-44823

Nagios Log Server before 2024R1.3.2 allows authenticated users with access to the API to call /nagioslogserver/index.php/api/system/get_users and retrieve cleartext admin API keys. The underlying issue exposes user accounts and API keys, enabling full system compromi...

CVSS 9.9 · AI score 6.3 · EPSS 0.01243
Exploits 2 · References 2 · Affected software 1
EUVD
added 2025/10/07 12:00 a.m. · 3 views

EUVD-2025-32882

Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/getusers call. This is GL:NLS475...

CVSS 9.9 · AI score 6.2 · EPSS 0.01243
Exploits 2 · References 2
NVD
added 2025/09/18 7:15 p.m. · 2 views

CVE-2025-10650

SoftIron HyperCloud 2.5.0 through 2.6.3 may incorrectly add user SSH keys to the administrator-level authorized keys under certain conditions, allowing unauthorized privilege escalation to admin via SSH. Affects non-production debug and internal development builds created between versions 2.5.0 a...

CVSS 1.8 · EPSS 0.00019
Exploits 0 · References 1
Positive Technologies
added 2024/11/06 12:00 a.m. · 4 views

PT-2024-37910 · Foreman · Foreman

Name of the vulnerable software and affected versions: foreman, affected versions not specified
Description: A disclosure of sensitive information flaw was found in foreman via the "GraphQL API". If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin...

CVSS 7.5 · AI score 6.4 · EPSS 0.00412
Exploits 0 · References 10
Positive Technologies
added 2024/04/18 12:00 a.m. · 3 views

PT-2024-24598 · Tolgee · Tolgee

Name of the vulnerable software and affected versions: Tolgee versions 3.57.2 through 3.57.3
Description: Tolgee is an open-source localization platform. When an API key created by an admin user is used, it bypasses the permission check entirely.
Recommendations: For Tolgee versions 3.57.2 through...

CVSS 6.5 · AI score 7.2 · EPSS 0.00301
Exploits 0 · References 6
Positive Technologies
added 2024/02/06 12:00 a.m. · 5 views

PT-2024-20093 · HID · HID iCLASS SE Reader Configuration Cards

Name of the vulnerable software and affected versions: HID iCLASS SE reader configuration cards, affected versions not specified
Description: Sensitive data can be extracted from HID iCLASS SE reader configuration cards, including credential and device administrator keys.
Recommendations: At the...

CVSS 5.3 · AI score 6.9 · EPSS 0.00051
Exploits 0 · References 8
Positive Technologies
added 2024/02/06 12:00 a.m. · 4 views

PT-2024-19381 · HID Global · OMNIKEY 5023 Readers +15

Name of the vulnerable software and affected versions: No specific software or versions are mentioned in the provided descriptions.
Description: The issue concerns certain configurations in the communication channel for encoders that could expose sensitive data when reader configuration cards are...

CVSS 7.8 · AI score 6.8 · EPSS 0.00041
Exploits 0 · References 7
RedHat Linux
added 2022/11/16 3:09 p.m. · 3 views

foreman: OAuth secret exposure via unauthenticated access to the GraphQL API

A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API...

CVSS 7.5 · AI score 5.7 · EPSS 0.00412
Exploits 0 · References 6
OSV
added 2022/06/28 9:15 p.m. · 3 views

CVE-2022-31883

Marval MSM v14.19.0.12476 has an Insecure Direct Object Reference (IDOR) vulnerability. A low-privilege user is able to see other users' API keys, including the admins' API keys...

CVSS 8.8 · AI score 5.8 · EPSS 0.00317
Exploits 0 · References 3
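The Alteryx entries (CVE-2025-63291 / PT-2025-46999) and the Marval MSM entry (CVE-2022-31883) above are the same bug class: the server authenticates the caller and then fetches whatever object ID it is handed, without checking that the caller may see that object. The block below is an added example, not code from Alteryx or Marval: a lookup handler in its vulnerable and hardened forms, with a small constructed in-memory store. The record ids are made-up 24-hex-character values in the shape of MongoDB ObjectIds; the session shape, field names and roles are assumptions for illustration.

```javascript
// Added example (not Alteryx's or Marval's code): object lookup by id
// without and with an ownership check. Store contents are constructed.

// Ids are in the 24-hex-char shape of MongoDB ObjectIds (made up here).
const RECORDS = new Map([
  ['64b7f1c2e4a0d9b8c7a6f5e4', { ownerId: 'u-alice', apiKey: 'ak_alice_secret' }],
  ['64b7f1c2e4a0d9b8c7a6f5e5', { ownerId: 'u-admin', apiKey: 'ak_admin_secret' }],
]);

const OBJECT_ID = /^[0-9a-f]{24}$/;

// Vulnerable: authenticates the session, then trusts the id outright.
// Any logged-in user can read any record, including the admin's key.
function getRecordVulnerable(session, id) {
  if (!session) return { status: 401 };
  const rec = RECORDS.get(id);
  return rec ? { status: 200, body: rec } : { status: 404 };
}

// Hardened: validate the id format, look the record up, then require that
// the caller owns it or holds the admin role. Unknown and forbidden ids
// both return 404 so the response does not confirm which ids exist.
function getRecordHardened(session, id) {
  if (!session) return { status: 401 };
  if (typeof id !== 'string' || !OBJECT_ID.test(id)) return { status: 400 };
  const rec = RECORDS.get(id);
  if (!rec) return { status: 404 };
  const allowed = rec.ownerId === session.userId || session.role === 'admin';
  if (!allowed) return { status: 404 };
  return { status: 200, body: rec };
}

// ObjectIds end in a 3-byte counter, so ids minted close together differ
// only in their last hex digits. Given one valid id, an attacker can walk
// the neighbouring values; unguessability is not authorization.
function neighbourIds(id, count) {
  const base = BigInt('0x' + id);
  const out = [];
  for (let i = 1n; i <= BigInt(count); i++) {
    out.push((base + i).toString(16).padStart(24, '0'));
  }
  return out;
}

// Usage: a low-privilege user walks from their own id to the next one.
const alice = { userId: 'u-alice', role: 'user' };
for (const id of neighbourIds('64b7f1c2e4a0d9b8c7a6f5e4', 1)) {
  console.log(id, 'vulnerable:', getRecordVulnerable(alice, id).status,
                  'hardened:', getRecordHardened(alice, id).status);
}
```

The ownership test runs after the fetch rather than being folded into the query filter; either works, but a filter like `{ _id, ownerId: session.userId }` is the form that survives when the handler is copied to the next endpoint, and is worth preferring in real code.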
Code423n4
added 2022/05/09 12:00 a.m. · 4 views

Rugpull vector: a single admin address can withdraw all funds

Lines of code
Vulnerability details
Impact: Someone with access to admin keys could rug pull all funds.
Proof of Concept: The gravity.sol contract should work as an escrow to mint equivalent tokens in the cosmos chain. This is maintained by a system of validators. The possible decentralization of th...

AI score 6.7
Exploits 0
Positive Technologies
added 2021/07/22 12:00 a.m. · 2 views

PT-2021-22447 · Ghost · Ghost

Name of the vulnerable software and affected versions: Ghost versions 4.0.0 through 4.9.4
Description: An error in the implementation of the limits service allows all authenticated users, including contributors, to view admin-level API keys via the "integrations API endpoint", leading to a...

CVSS 7.2 · AI score 6.9 · EPSS 0.00531
Exploits 1 · References 10