57746 matches found
CVE-2026-9062
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary .php files from the server, including configuration files that contain database credentials and authentication keys...
CVE-2026-9062 Agile Store Locator < 1.6.9 - Admin+ Arbitrary File Read via Path Traversal
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary .php files from the server, including configuration files that contain database credentials and authentication keys...
Malicious code in @ci-lifecycle-test/postinstall-ping (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 75c160ad40a237c1e682c696ebd0aec2861ca072f47bd5b725bc80f7f95ed509 The package's postinstall lifecycle script postinstall.js executes automatically on npm install and POSTs the JSON-serialized contents of the entire...
EUVD-2026-36632
Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection. This issue affects Avira Password Manager when...
EUVD-2026-36615
OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept Gateway tokens and action payloads by...
PT-2026-49080
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary .php files from the server, including configuration files that contain database credentials and authentication keys...
CVE-2026-12068
Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection. This issue affects Avira Password Manager when...
CVE-2026-53839 OpenClaw < 2026.5.7 - Hostname Prefix Matching Bypass in Trusted Retry Endpoint Validation
OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoin...
CVE-2026-53827
OpenClaw is affected by CVE-2026-53827: before version 2026.5.2, a credential exposure vulnerability exists in message.action forwarding. The issue allows model-controlled metadata to forward action payloads containing Gateway credentials to attacker-supplied loopback URLs, enabling remote attack...
CVE-2026-44784
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext...
Malicious code in claudechor (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a9cbb36cf7ed82685830b5d3a2b341bff9ef86e2688842d1f54259b2b6fb533 The package's bin entry reads installer-owned Claude credential files /.claude/.credentials.json and /.claude.json — written by Anthropic's official...
MAL-2026-5717 Malicious code in claudechor (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a9cbb36cf7ed82685830b5d3a2b341bff9ef86e2688842d1f54259b2b6fb533 The package's bin entry reads installer-owned Claude credential files /.claude/.credentials.json and /.claude.json — written by Anthropic's official...
MAL-2026-5716 Malicious code in beamz (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c380f1f0fc3c5cf723cd7d92bf41c30f622aafaa633a32f0a78bf91a3a769d2a The package advertises itself as a credential-transfer CLI but implements transfer by reading the user's Anthropic Claude Code credentials...
Malicious code in beamz (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c380f1f0fc3c5cf723cd7d92bf41c30f622aafaa633a32f0a78bf91a3a769d2a The package advertises itself as a credential-transfer CLI but implements transfer by reading the user's Anthropic Claude Code credentials...
CVE-2026-44784 Discourse: Non-staff group owners can see email password in plaintext through group history
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext...
CVE-2026-44784
Discourse has a vulnerability where non-staff group owners can access a group’s outgoing SMTP credentials in plaintext via the group history log (/groups/:name/logs.json). Affected fields include email_password, email_username, smtp_server, smtp_port, and smtp_ssl_mode, with SMTP password being t...
EUVD-2026-36587
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext...
CVE-2026-44784 Discourse: Non-staff group owners can see email password in plaintext through group history
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext...
CVE-2026-50099
During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits...
GHSA-3GP5-Q4JW-3V94 Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL
Summary Budibase stores external REST datasource credentials server-side and documents that database credentials are applied server-side and are not exposed in the UI. The REST datasource implementation redacts stored Basic/Bearer/OAuth2 auth secrets before returning datasource data to clients...