Lucene search
K

1884 matches found

CVE
CVE
added 3 hours ago7 views

CVE-2026-46458

CVE-2026-46458 affects ICU Scandinavia Boomerang. An information-disclosure flaw allows an unauthenticated attacker to retrieve plaintext credentials by requesting specific XML files from the webroot over static HTTP. The root cause is exposure of sensitive credential files via static HTTP paths....

7.1CVSS6.1AI score
Exploits0References2
Cvelist
Cvelist
added 3 hours ago8 views

CVE-2026-46458 Credential exposure in ICU Scandinavia Boomerang

ICU Scandinavia Boomerang is vulnerable to an information disclosure flaw where sensitive credential files are exposed via static HTTP. This allows an unauthenticated remote attacker to retrieve plaintext service account and SMTP credentials by requesting specific XML files from the webroot. This...

7.1CVSS
Exploits0References2
Nuclei
Nuclei
added 11 hours ago31 views

FortiOS - Insecure LDAP Configuration Detection

The FortiGate LDAP configuration was detected to be insecure due to missing ca-cert, secure LDAPS, or server-identity-check, potentially exposing LDAP communications to credential interception or man-in-the-middle attacks under specific network conditions. id: CVE-2019-5591 info: name: FortiOS -...

6.5CVSS6.8AI score0.18566EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added yesterday4 views

CVE-2026-48978

A flaw was found in oras-go. The auth.Client in oras-go does not properly validate the scheme or host of the realm URL provided in a registry's WWW-Authenticate: Bearer challenge. A remote attacker, operating a malicious registry or performing a man-in-the-middle attack, could exploit this to...

3.1CVSS6AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago7 views

Malicious code in google-caja-bower (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e34339f1be6afb8a41b6dbe2f7d7c480d5a438a67ff119b235d1d98ffa2b2e4a [email protected] declares scripts.preinstall = 'node index.js', so index.js runs automatically on npm install. index.js walks the...

6.1AI score
Exploits0References8
NVD
NVD
added 5 days ago7 views

CVE-2026-15143

A flaw was found in the filetype content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition XSD string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file...

9.3CVSS0.00255EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 5 days ago7 views

CVE-2026-15143

A flaw was found in the filetype content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition XSD string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file...

9.3CVSS6.1AI score0.00255EPSS
Exploits0References3
NVD
NVD
added 6 days ago8 views

CVE-2026-47828

During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network...

8.9CVSS0.00148EPSS
Exploits0References1
Cvelist
Cvelist
added last week33 views

CVE-2026-59947 Composer: URL-embedded HTTP-Basic username leaks to verbose logs (GitHub PAT exposure)

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in https://TOKEN@host/, to debug outp...

4.7CVSS0.00108EPSS
Exploits0References5
NVD
NVD
added last week11 views

CVE-2026-59261

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries...

8.4CVSS0.00192EPSS
Exploits0References2
CVE
CVE
added 2026/07/08 4:1 p.m.12 views

CVE-2026-59261

OpenClaw vulnerable before version 2026.5.28 due to a credential exposure where workspace dotenv files can override provider credentials. The issue allows attackers with lower-trust access to configured input paths to exfiltrate sensitive data and credentials meant for trusted boundaries. There i...

8.4CVSS6AI score0.00192EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/07/08 4:1 p.m.4 views

CVE-2026-59261 OpenClaw < 2026.5.28 - Credential Override via Workspace Dotenv Files

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries...

8.4CVSS6.1AI score0.00192EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/08 4:1 p.m.5 views

EUVD-2026-42322

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries...

8.4CVSS6AI score0.00192EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/07/08 7:0 a.m.5 views

CVE-2026-46584

A flaw was found in the Apache Camel Mail Component. This vulnerability, due to improper input validation, allows a remote attacker to exploit routes that channel untrusted input into the mail producer without proper header stripping. Before version 4.19.0, this could lead to the redirection of...

7.5CVSS5.9AI score0.00378EPSS
Exploits1References4
CVE
CVE
added 2026/07/08 12:15 a.m.18 views

CVE-2026-56843

WebPros Plesk (XML-RPC API) prior to 18.0.78.4 has an incorrect authorization flaw that lets a low-privileged, authenticated user look up domains they do not own. Ownership checks apply only to some lookup filters, and legacy protocol versions bypass schema validation, enabling cross-tenant discl...

9.9CVSS6AI score0.00364EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.9 views

PT-2026-56484

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.28 Description A credential exposure issue exists where workspace dotenv files can override provider credentials. This allows attackers with lower-trust access to configured input paths to expose sensitive dat...

8.4CVSS6.1AI score0.00192EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.9 views

PT-2026-56550

Name of the Vulnerable Software and Affected Versions Composer versions prior to 2.2.29 Composer versions prior to 2.10.2 Description When run with -vvv debug verbosity, the software may print credentials embedded in the username slot of a repository or package URL for example, a GitHub Personal...

4.7CVSS6.1AI score0.00108EPSS
Exploits0References10
CVE
CVE
added 2026/07/07 5:41 p.m.11 views

CVE-2026-7017

CVE-2026-7017 affects HTTP::Tiny for Perl prior to 0.095. When a 3xx redirect is followed, the implementation re-merges caller-supplied headers into the new request without verifying origin sharing. This causes Authorization, Cookie, and Proxy-Authorization headers to be resent to the redirect ta...

7.1CVSS6AI score0.0026EPSS
Exploits0References6
OSV
OSV
added 2026/07/07 3:26 p.m.8 views

GO-2026-5832 Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API in github.com/nezhahq/nezha

Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API in github.com/nezhahq/nezha. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports...

6.9CVSS5.9AI score0.00304EPSS
Exploits0References1
NVD
NVD
added 2026/07/06 9:16 p.m.11 views

CVE-2026-59712

Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to...

8.6CVSS0.0025EPSS
Exploits0References4
Rows per page
Query Builder