Lucene search
K

1853 matches found

Nuclei
Nuclei
added 1 hour ago30 views

FortiOS - Insecure LDAP Configuration Detection

The FortiGate LDAP configuration was detected to be insecure due to missing ca-cert, secure LDAPS, or server-identity-check, potentially exposing LDAP communications to credential interception or man-in-the-middle attacks under specific network conditions. id: CVE-2019-5591 info: name: FortiOS -...

6.5CVSS6.9AI score0.18566EPSS
Exploits1References2
NVD
NVD
added yesterday7 views

CVE-2026-47828

During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network...

8.9CVSS0.00088EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago30 views

CVE-2026-59947 Composer: URL-embedded HTTP-Basic username leaks to verbose logs (GitHub PAT exposure)

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in https://TOKEN@host/, to debug outp...

4.7CVSS0.00108EPSS
Exploits0References5
NVD
NVD
added 2 days ago8 views

CVE-2026-59261

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries...

8.4CVSS0.00126EPSS
Exploits0References2
CVE
CVE
added 2 days ago8 views

CVE-2026-59261

OpenClaw vulnerable before version 2026.5.28 due to a credential exposure where workspace dotenv files can override provider credentials. The issue allows attackers with lower-trust access to configured input paths to exfiltrate sensitive data and credentials meant for trusted boundaries. There i...

8.4CVSS6AI score0.00126EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2 days ago4 views

EUVD-2026-42322

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries...

8.4CVSS6AI score0.00126EPSS
Exploits0References2
CVE
CVE
added 2 days ago13 views

CVE-2026-56843

WebPros Plesk (XML-RPC API) prior to 18.0.78.4 has an incorrect authorization flaw that lets a low-privileged, authenticated user look up domains they do not own. Ownership checks apply only to some lookup filters, and legacy protocol versions bypass schema validation, enabling cross-tenant discl...

9.9CVSS6AI score0.00336EPSS
Exploits0References1
CVE
CVE
added 3 days ago8 views

CVE-2026-7017

CVE-2026-7017 affects HTTP::Tiny for Perl prior to 0.095. When a 3xx redirect is followed, the implementation re-merges caller-supplied headers into the new request without verifying origin sharing. This causes Authorization, Cookie, and Proxy-Authorization headers to be resent to the redirect ta...

7.1CVSS6AI score0.0026EPSS
Exploits0References6
NVD
NVD
added 4 days ago6 views

CVE-2026-59712

Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to...

8.6CVSS0.0025EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 4 days ago6 views

CVE-2026-59712

Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to...

8.6CVSS6AI score0.0025EPSS
Exploits0References5
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-41942

Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to...

8.6CVSS6AI score0.0025EPSS
Exploits0References4
EUVD
EUVD
added 4 days ago5 views

EUVD-2026-41905

Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an...

6AI score0.00284EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 4 days ago5 views

CVE-2026-46584

Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Camel Mail Component. The camel-mail producer MailProducer.getSender scanned the outgoing Exchange for message headers in the mail.smtp. / mail.smtps. namespace and, when any were present...

6AI score0.00378EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added last week33 views

CVE-2026-13341 Prompt Injection and Credential Exposure via Untrusted Analytics Data in Kong Konnect MCP

A vulnerability exists in the Kong Konnect Model Context Protocol MCP server prior to version 1.0.0, which could allow a remote attacker to perform an indirect prompt injection attack and execute unintended API requests...

7.4CVSS0.00258EPSS
Exploits0References1
CVE
CVE
added last week17 views

CVE-2026-13341

Kong Konnect MCP server (before 1.0.0) is affected. A remote attacker could perform an indirect prompt injection and cause unintended API requests due to the MCP component. Impact aligns with high-severity potential exposure (CVSS 7.4); exploit details are not provided in the sources. Remediation...

7.4CVSS6.1AI score0.00258EPSS
Exploits0References1
Snyk
Snyk
added last week6 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the process that handles .netrc credential retrieval when a URL is specified with a username but without a password. An attacker can gain unauthorized access to sensitive information by exploiting...

9.1CVSS6AI score0.0061EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 2026/07/03 12:0 a.m.6 views

Devolutions Server 2026.2.4 <= 2026.2.7 Credential Exposure (DEVO-2026-0020)

The version of Devolutions Server installed on the remote host is 2026.2.4 through 2026.2.7. It is, therefore, affected by a vulnerability: - Improper input validation in the PAM AD discovery endpoints allows an authenticated user with the UserGroupsView permission to coerce server-side...

2.7CVSS6AI score0.00216EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.5 views

Active Debug Code

Overview Affected versions of this package are vulnerable to Active Debug Code via improper handler registration on the shared http.DefaultServeMux. An attacker can gain unauthorized access to sensitive debug and metrics endpoints by sending crafted requests, potentially exposing process command...

7.7CVSS6AI score0.00266EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/01 9:19 p.m.5 views

Incorrect Permission Assignment for Critical Resource

Overview Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the createconfig path in awscli/customizations/codedeploy/register.py. An attacker can read the CodeDeploy on-premises configuration file by accessing it on the same Unix-like ho...

6.8CVSS6AI score0.00101EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/30 5:26 p.m.3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the POST /api/n9e/datasource/list route, which lacks proper authorization checks. An attacker can obtain sensitive credentials, such as database passwords, HTTP bearer tokens, and mTLS client keys, by sending...

7.1CVSS6AI score0.00238EPSS
Exploits0References2
Rows per page
Query Builder