13 matches found

Cvelist
added 5 days ago, 31 views

CVE-2026-56237 Capgo - Unauthenticated API Key Generation via Client-Side Parameter Manipulation

Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails to validate that keys are securely generated and bound to the authenticated user. An attacker can tamper with the API key...

CVSS 9.3, EPSS 0.00293
Exploits 0, References 2
ATTACKERKB
added 2026/05/10 12:43 p.m., 8 views

CVE-2021-47922

Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScript payloads in the title field when creating or editing sliders, which executes in the browsers of...

CVSS 6.4, AI score 5.7, EPSS 0.00243
Exploits 0, References 4, Affected Software 1
Malwarebytes
added 2026/02/20 2:08 p.m., 16 views

Age verification vendor Persona left frontend exposed, researchers say

Researchers investigating Discord’s age-verification checks say they discovered an exposed frontend belonging to Persona, the identity-verification vendor used by Discord. It revealed a far more expansive surveillance and financial intelligence stack than a simple “teen safety” tool. A short whil...

AI score 5.7
Exploits 0
RedhatCVE
added 2026/01/07 9:12 a.m., 4 views

CVE-2025-67732

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version...

CVSS 8.4, AI score 6.6, EPSS 0.00305
Exploits 1, References 1
EUVD
added 2026/01/05 9:41 p.m., 4 views

EUVD-2025-206235

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version...

CVSS 8.4, AI score 6.2, EPSS 0.00305
Exploits 1, References 1
CNNVD
added 2026/01/05 12:00 a.m., 4 views

dify security vulnerability

dify is an open source LLM application development platform from LangGenius Open Source. A security vulnerability exists in versions of dify prior to 1.11.0, stemming from an API key being exposed in plaintext to the front-end, which could lead to unauthorized access to third-party services...

CVSS 8.4, AI score 6.4, EPSS 0.00305
Exploits 1, References 1
Cvelist
added 2025/11/17 6:17 a.m., 5 views

CVE-2025-13163 Digiwin|EasyFlow GP - Insufficiently Protected Credentials

EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext database account credentials from the system frontend...

CVSS 6.9, EPSS 0.00292
Exploits 0, References 2
Positive Technologies
added 2025/11/11 12:00 a.m., 4 views

PT-2025-46269

Name of the Vulnerable Software and Affected Versions: Document Pro Elementor – Documentation & Knowledge Base plugin for WordPress versions prior to 1.1.0. Description: The plugin exposes sensitive Algolia API keys through the frontend JavaScript code via wp_localize_script without proper access...

CVSS 5.3, AI score 6.8, EPSS 0.00322
Exploits 0, References 5
OSV
added 2025/01/06 6:15 p.m., 8 views

CVE-2024-56828

File Upload vulnerability in ChestnutCMS through 1.5.0. Based on the code analysis, it was determined that the /api/member/avatar API endpoint receives a base64 string as input. This string is then passed to the memberService.uploadAvatarByBase64 method for processing. Within the service, the...

CVSS 9.8, AI score 5.8, EPSS 0.0085
Exploits 1, References 3
CNNVD
added 2024/11/15 12:00 a.m., 3 views

Nextcloud information disclosure vulnerability

Nextcloud is an open source, self-hosted file synchronization, sharing and communication application platform from Nextcloud, Germany. Nextcloud suffers from an information disclosure vulnerability that stems from the fact that after storing "global credentials" on the server, the API returns...

CVSS 5.9, AI score 6.1, EPSS 0.00589
Exploits 0, References 4
Positive Technologies
added 2024/06/20 12:00 a.m., 4 views

PT-2024-35125 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm versions up to and including 1.5.3. Description: An issue was discovered where the password hash of a user is returned in the response after login "POST /api/request-token" and after account creations "POST...

CVSS 6.5, AI score 5.5, EPSS 0.00462
Exploits 1, References 5
CNNVD
added 2024/06/20 12:00 a.m., 5 views

AnythingLLM Security Vulnerability

AnythingLLM is a document chatbot that meets business requirements. A security vulnerability exists in Mintplex Labs AnythingLLM versions 1.5.3 and earlier, which stems from the fact that the entire User object including the bcrypt password hash is included in the response sent to the front-end, ...

CVSS 6.5, AI score 6.7, EPSS 0.00462
Exploits 1, References 3
CNVD
added 2019/02/14 12:00 a.m., 3 views

SQL Injection Vulnerability in the Frontend of Gallery 27.0, a Qixing Image & Video Library

Qixing Image & Video Gallery is mainly used to store images or videos in the company. A SQL injection vulnerability exists in the frontend of Qixing Image & Video Library Gallery 27.0, which can be exploited by attackers to manipulate the database...

AI score 8.1
Exploits 0