Zoho ManageEngine OpManager - SQL Injection

Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL...

Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update

The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the...

SmartSearchWP < 2.4.6 - OpenAI Key Disclosure

The plugin does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key. id: CVE-2024-6845 info: name: SmartSearchWP 2.4.6 - OpenAI Key Disclosure author: s4e-io severity: medium...

Zoho ManageEngine - getUserAPIKey Authentication Bypass

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 125657, 126002, 126104, and 126118 allow unauthenticated attackers to obtain a user's API key, and then access external...

SolarWinds Web Help Desk - Authentication Bypass

SolarWinds Web Help Desk 12.8.8 HF1 and earlier contains an authentication bypass vulnerability in the WebObjects session handling. By crafting a request with a manipulated path component to an internal admin page endpoint, an unauthenticated attacker can access privileged administrative function...

CVE-2026-12773

A flaw was found in BerriAI litellm, within its MCP Proxy component. A remote attacker could exploit an improper authentication vulnerability in the UserAPIKeyAuth function. This could allow unauthorized access, potentially compromising the confidentiality, integrity, and availability of data...

CVE-2026-54573 Authorization Bypass in API Key/OAuth Scopes via Path Parsing Discrepancy

Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts the resource by splitting the URL by / and taking the last...

Apache APISIX - Remote Code Execution

A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different...

EyesOfNetwork - Hardcoded API Key & SQL Injection

An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/apifunctions.php. id: CVE-2020-8656 info: name:...

CVE-2026-57297

CVE-2026-57297 affects Jenkins via the Contrast Continuous Application Security Plugin (3.11 and earlier). The issue is a missing permission check that lets attackers with Overall/Read access cause a connection to an attacker‑specified URL using attacker‑provided credentials (username, API key, s...

CVE-2026-56237 Capgo - Unauthenticated API Key Generation via Client-Side Parameter Manipulation

Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails to validate that keys are securely generated and bound to the authenticated user. An attacker can tamper with the API key...

CVE-2026-56231

Capgo prior to 12.128.2 contains a broken object level authorization (BOLA) in build endpoints: POST /build/start/:jobId and POST /build/cancel/:jobId. The handlers validate only the attacker-controlled app_id in the request body and fail to verify that the URL jobId belongs to the same app/tenan...

EUVD-2026-38738

Capgo before 12.128.2 contains a broken object level authorization BOLA vulnerability in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints. The handlers authorize the request based only on the attacker-controlled appid supplied in the request body and never verify that the jobI...

CVE-2026-53662

immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting XSS vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The contin...

CVE-2026-53662

Immich (self-hosted photo/video management) has a reflected XSS in the /auth/login page observed between commits 4ffa26c9 and 4eb1003. The continue query parameter is read from the URL and passed to SvelteKit redirect() without URL scheme/origin validation, enabling attacker-controlled JavaScript...

PT-2026-51576

Name of the Vulnerable Software and Affected Versions immich versions 4ffa26c9 through 4eb1003 Description A reflected cross-site scripting XSS issue exists on the '/auth/login' page. The continue query parameter is processed by SvelteKit's redirect function without proper scheme or origin...

EUVD-2026-38369

Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header ...

CVE-2026-56306 Capgo - Subkey Enforcement Bypass via x-limited-key-id Header Parsing

Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header ...

CVE-2026-56242 Capgo - Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC

Capgo before 12.128.2 contains an unauthenticated security definer RPC function getidentityapikeyonly that returns the owning userid for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys t...

CVE-2026-12773

A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/experimental/mcpserver/auth/userapikeyauthmcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched...