Lucene search
K

117 matches found

RedHat Linux
RedHat Linux
added 4 days ago5 views

github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API

A flaw was found in Prometheus, an open-source monitoring system. The clientsecret field within the Azure Active Directory AD remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access t...

7.5CVSS5.9AI score0.00326EPSS
Exploits0References9
RedHat Linux
RedHat Linux
added 2026/07/01 6:46 p.m.8 views

github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API

A flaw was found in Prometheus, an open-source monitoring system. The clientsecret field within the Azure Active Directory AD remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access t...

7.5CVSS5.8AI score0.00326EPSS
Exploits0References9
NVD
NVD
added 2026/07/01 5:16 p.m.8 views

CVE-2026-58454

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a remote code execution vulnerability that allows authenticated attackers to execute arbitrary shell scripts by writing to the writable persistent JFFS2 storage path and triggering execution through the authenticated HTT...

7.7CVSS0.00523EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/01 3:36 p.m.33 views

CVE-2026-58454 JAIOTlink C492A-W6 4.8.30.57701411 RCE via /Anyka/config Endpoint

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a remote code execution vulnerability that allows authenticated attackers to execute arbitrary shell scripts by writing to the writable persistent JFFS2 storage path and triggering execution through the authenticated HTT...

7.7CVSS0.00523EPSS
Exploits0References3
CVE
CVE
added 2026/07/01 3:36 p.m.15 views

CVE-2026-58454

Affected product : JAIOTlink C492A-W6 Wi‑Fi IP cameras running firmware 4.8.30.57701411. Vulnerability : remote code execution via the authenticated /Anyka/config HTTP endpoint. Root cause / vector : attackers with authentication can write to writable persistent JFFS2 storage, stage a malicious s...

7.7CVSS6.6AI score0.00523EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/26 8:58 p.m.38 views

CVE-2026-49869 Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath.endsWith"/configs" to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match...

10CVSS0.00684EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.10 views

PT-2026-52979

Name of the Vulnerable Software and Affected Versions Kestra versions prior to 1.0.45 Kestra versions prior to 1.3.21 Description An authentication bypass exists in the AuthenticationFilter of Kestra OSS. The system uses a suffix match via request.getPath.endsWith"/configs" to whitelist the publi...

10CVSS6.4AI score0.00684EPSS
Exploits2References12
EUVD
EUVD
added 2026/06/22 12:31 a.m.10 views

EUVD-2026-38200

A flaw has been found in Comfast CF-WR631AX V3 up to 2.7.0.8. This issue affects the function system of the file /cgi-bin/mbox-config?section=pingconfig of the component API Endpoint. This manipulation of the argument destination causes os command injection. The attack is possible to be carried o...

6.5CVSS6.1AI score0.01182EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/12 6:42 p.m.31 views

CVE-2026-42604 Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS0.004EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.11 views

CVE-2026-6799

A security flaw has been discovered in Comfast CF-N1-S 2.6.0.1. Affected by this issue is some unknown functionality of the file /cgi-bin/mbox-config?method=SET=pingconfig of the component Endpoint. Performing a manipulation of the argument destination results in command injection. The attack can...

6.5CVSS6.3AI score0.01181EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 4:15 p.m.10 views

CVE-2026-45630

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation...

9CVSS6.1AI score0.00763EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.10 views

Hoppscotch 访问控制错误漏洞

Hoppscotch is an open-source API development ecosystem created by Hoppscotch. Versions of Hoppscotch from 2026.2.0 to 2026.4.0 contained a access control vulnerability. This vulnerability stemmed from the GET /v1/onboarding/config endpoint, which still exposed all infrastructure secrets in plain...

7.5CVSS5.8AI score0.0024EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/11 6:31 p.m.9 views

EUVD-2026-29139

OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows unauthenticated attackers to read sensitive configuration fields. Attackers can access the bootstrap config route without a valid Gateway token to expose sensitive...

6.3CVSS5.8AI score0.00317EPSS
Exploits0References4
CVE
CVE
added 2026/05/11 4:46 p.m.14 views

CVE-2026-44994

Technical details are not publicly available in the provided documents. Monitor for updates on affected versions, impact, and remediation.

6.3CVSS5.8AI score0.00317EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/11 4:46 p.m.7 views

CVE-2026-44994

OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows unauthenticated attackers to read sensitive configuration fields. Attackers can access the bootstrap config route without a valid Gateway token to expose sensitive...

6.3CVSS5.8AI score0.00317EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/05/06 1:41 a.m.9 views

SUSE CVE-2026-42151

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving...

7.5CVSS5.8AI score0.00326EPSS
Exploits0References11
Tenable Nessus
Tenable Nessus
added 2026/05/06 12:0 a.m.13 views

Linux Distros Unpatched Vulnerability : CVE-2026-42151

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the clientsecret field in the Azure AD remote write...

7.5CVSS6AI score0.00326EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/04 9:29 p.m.10 views

Cleartext Storage of Sensitive Information

Overview Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information via the /-/config HTTP API endpoint, where the clientsecret field in the Azure AD remote write OAuth configuration was not properly redacted. An attacker can obtain sensitive authentication...

8.7CVSS5.8AI score0.00326EPSS
Exploits0References2
NVD
NVD
added 2026/05/04 7:16 p.m.12 views

CVE-2026-42151

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving...

7.5CVSS0.00326EPSS
Exploits0References19
AlpineLinux
AlpineLinux
added 2026/05/04 6:12 p.m.9 views

CVE-2026-42151

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving...

7.5CVSS5.8AI score0.00326EPSS
Exploits0
Rows per page
Query Builder