Lucene search
+L

1931 matches found

OSV
OSV
added 2026/06/26 4:32 p.m.3 views

GHSA-PR7J-96CJ-549H Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API

Fluentd's Monitor Agent plugin inmonitoragent exposes internal metrics and plugin information via a REST API. It was discovered that the API response /api/plugins.json and related endpoints unintentionally includes internal instance variables of loaded plugins. If any plugins store sensitive...

7.5CVSS5.8AI score0.00474EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/26 4:21 p.m.9 views

EUVD-2026-39802

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKUROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user wh...

5.5CVSS5.8AI score0.00089EPSS
Exploits0References2
CVE
CVE
added 2026/06/26 7:5 a.m.31 views

CVE-2026-49486

The CVE concerns the Apache Airflow FTP provider. The FTPSHook.get_conn() creates an ftplib.FTP_TLS connection but does not call prot_p(), leaving the data channel unencrypted even though the control channel is TLS-protected. This exposes file contents and credentials-in-transit to anyone who can...

7.5CVSS5.8AI score0.00264EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.16 views

PT-2026-52964

Name of the Vulnerable Software and Affected Versions RustFS versions 1.0.0-alpha.1 through 1.0.0-beta.8 Description An authorization bypass exists in the bucket replication admin API. The ListRemoteTargetHandler handler for listing remote replication targets verifies the existence of request...

8.2CVSS5.8AI score0.00181EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/25 8:53 p.m.27 views

CVE-2026-44622 EVoke Systems EVoke CSMS Insufficiently Protected Credentials

Charging station authentication identifiers are publicly accessible via web-based mapping platforms...

6.9CVSS0.00248EPSS
Exploits0References3
CVE
CVE
added 2026/06/25 8:53 p.m.14 views

CVE-2026-44622

CVE-2026-44622 affects EVoke Systems EVoke CSMS (charging stations). The vulnerability is described as insufficiently protected credentials, causing authentication identifiers to be publicly accessible via web-based mapping platforms. CVSS v3.1 base score 6.5 (MEDIUM) and CVSS v4.0 base score 6.9...

6.9CVSS5.8AI score0.00248EPSS
Exploits0References3
NVD
NVD
added 2026/06/25 4:16 p.m.6 views

CVE-2026-9650

CWE-522 Insufficiently Protected Credentials vulnerability that could cause unauthorized access and exposure of sensitive information when unauthenticated attacker accesses credentials stored within firmware or system files. With this credential an attacker could subsequently compromise the devic...

8.7CVSS0.0024EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/25 4:8 p.m.7 views

EUVD-2026-39470

ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.1780-lts, the authenticated endpoint POST /api/data-sources/decrypt returns the decrypted plaintext for any credential whose credentialid is supplied in th...

6.8CVSS5.9AI score0.00126EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/25 1:12 p.m.6 views

EUVD-2026-39386

Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as a NTLMv2...

2.7CVSS5.8AI score0.00216EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 1:20 p.m.35 views

CVE-2026-57297

A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key...

0.00167EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 1:20 p.m.39 views

CVE-2026-57295

A cross-site request forgery CSRF vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins...

0.00128EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 5:33 a.m.34 views

CVE-2026-9183 24liveblog <= 2.2 - Authenticated (Contributor+) Exposure of Sensitive Information via Block Editor Script Localization

The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24blockenqueuescripts function being hooked to enqueueblockeditorassets and, for any non-administrator user, falling back to loading...

4.3CVSS0.0021EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/23 7:53 p.m.51 views

CVE-2026-11820 Community.general: community.general nexmo — api credentials exposed in get url query string[security] community.general nexmo — api credentials exposed in get url query string

A flaw was found in the community.general Ansible collection's nexmo module. The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding API credentials apikey and apisecret into URL query parameters and sending them via GET requests. This causes credentials to be exposed in web...

6.5CVSS0.00287EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/23 7:53 p.m.5 views

CVE-2026-11820

A flaw was found in the community.general Ansible collection's nexmo module. The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding API credentials apikey and apisecret into URL query parameters and sending them via GET requests. This causes credentials to be exposed in web...

6.5CVSS5.8AI score0.00287EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2026/06/23 6:53 p.m.8 views

eda-server: websocket missing authorization allows credential theft via activation_id spoofing

A missing authorization vulnerability was found in the Event-Driven Ansible EDA websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activationid to receive...

9.6CVSS5.9AI score0.00379EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/23 6:6 p.m.5 views

CVE-2026-54323

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, the daemon's git clone implementation disabled TLS certificate verification. When a clone request carried Git credentials, the daemon sent the HTTP Basic Authorization...

5.9CVSS6.4AI score0.00117EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/23 3:36 p.m.24 views

CVE-2026-56695

OpenHarness ohmo gateway exposed by default to remote invocation via /resume and /summary, enabling attackers to enumerate and load arbitrary session snapshots by ID. This can grant access to private prompts, credentials, tool output, and file paths through shared gateway channels. Documented imp...

7.1CVSS6.1AI score0.00231EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/06/23 2:54 p.m.6 views

CVE-2026-55568

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPTPROXYUSERPW...

5.9CVSS5.9AI score0.00106EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.14 views

PT-2026-51578

Name of the Vulnerable Software and Affected Versions Daytona versions prior to 0.185.0 Description The daemon's git clone implementation disables TLS certificate verification. When a clone request includes Git credentials, the daemon transmits the HTTP Basic Authorization header to the remote...

5.9CVSS5.9AI score0.00117EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.13 views

PT-2026-51587

Name of the Vulnerable Software and Affected Versions Ansible affected versions not specified Description In the plugins/modules/nexmo.py module, the api key and api secret variables are marked as no log=True to prevent them from being logged. However, these credentials are URL-encoded and includ...

6.5CVSS5.8AI score0.00287EPSS
Exploits0References8
Rows per page
Query Builder