PT-2026-49773
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.4.23 through 2026.4.23. Description: An insecure file permissions issue exists in the config recovery process that restores the OpenClaw.json file with overly broad permissions. Local attackers on shared hosts can exploit...
CVE-2026-40543 Missing Authorization in SOPlanning
SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional...
CVE-2026-35174
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download...
CVE-2025-34171 CasaOS <= 0.4.15 Unauthenticated File and Debug Data Exposure
CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under...
Exposure of Data Element to Wrong Session
Overview: skypilot is "SkyPilot: Run AI on Any Infra — Unified, Faster, Cheaper." Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the form of allowing users to see the pending jobs belonging to other users, under some conditions, and leaking keys in...
CVE-2025-65009 Insecure Password Storage in WODESYS WD-R608U router
In the WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28), the admin password is stored in the configuration file as plaintext and can be obtained by an unauthorized user via direct reference to the resource in question. The vendor was notified early about this vulnerability, but didn't respond with th...
Exploit for CVE-2025-13380
AI Engine for WordPress: ChatGPT, GPT Content Generator...
CVE-2025-64144
Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system...
EUVD-2018-2319
Malware in sbrugna...
XWiki Platform Security Vulnerability
XWiki Platform is the XWiki open source suite of wiki platforms for creating web collaboration applications. A security vulnerability exists in XWiki Platform versions 4.2-milestone-2 through 16.10.6, which stems from a configuration file that is accessible via jsx and sx endpoints...
Linux Distros Unpatched Vulnerability: CVE-2023-44690
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py CVE-2023-44690 Note that Nessus relies on the...
CVE-2025-55169
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a path traversal vulnerability was discovered in the WeGIA application, html/socio/sistema/downloadremessa.php endpoint. This vulnerability could allow an attacker to...
The vulnerability in the QMetry Test Management plugin for the Jenkins automation server lies in the fact that the API keys of Qmetry Automation are stored publicly, allowing an attacker to gain unauthorized access to the protected information.
The vulnerability in the QMetry Test Management plugin for the Jenkins automation server lies in the fact that API keys from Qmetry Automation are stored publicly in the config.xml file. Exploiting this vulnerability could allow an attacker to gain unauthorized access to protected information...
CVE-2022-1332
One of the APIs in Mattermost version 6.4.1 and earlier fails to properly protect permissions, which allows authenticated members with a restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents...
CVE-2022-36672
Novel-Plus v3.6.2 was discovered to contain a hard-coded JWT key located in the project config file. This vulnerability allows attackers to create a custom user session...
The vulnerability in the web interface of BAS-IP IP-telephone devices allows a perpetrator to disclose protected information.
The vulnerability in the web interface of BAS-IP IP-telephone devices relates to the storage of user credentials in configuration files. Exploiting this vulnerability can allow an attacker to disclose sensitive information by sending a specially crafted HTTP request...
CVE-2024-6317
The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.0.6. This is due to missing nonce validation and the plugin not properly validating a file or its path prior to deleting it in the...
SUSE CVE-2023-44690
Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py...
DEBIAN-CVE-2023-44690
Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py...
PYSEC-2023-213
Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py...