SmartSearchWP <= 2.4.4 - Unauthenticated Log Purge

The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not validate access on some REST routes, allowing for an unauthenticated user to purge error and chat logs. id: CVE-2024-6846 info: name: SmartSearchWP = 2.4.4 - Unauthenticated Log Purge author: s4e-io severity: medium description: | Th...

Cisco Smart Licensing Utility UnAuthenticated Logs Exposure Leaking Plaintext Credentials

A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to access sensitive information.This vulnerability is due to excessive verbosity in a debug log file. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected...

SMTP WP Plugin Directory Listing

The WordPress Easy WP SMTP Plugin has its log folder remotely accessible and its content available for access. id: CVE-2020-35234 info: name: SMTP WP Plugin Directory Listing author: PR3R00T severity: high description: The WordPress Easy WP SMTP Plugin has its log folder remotely accessible and i...

Anchor CMS 0.12.3 - Error Log Exposure

Anchor CMS 0.12.3 is susceptible to an error log exposure vulnerability due to an issue in config/error.php. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error such as "Too many connections" has occurred. id: CVE-2018-7251 info: name: Anchor CMS 0.12.3 ...

WebTitan < 3.60 - Local File Inclusion

Directory traversal vulnerability in logs-x.php in SpamTitan WebTitan before 3.60 allows remote authenticated users to read arbitrary files via a .. dot dot in the fname parameter in a view action. id: CVE-2011-4640 info: name: WebTitan 3.60 - Local File Inclusion author: ctflearner severity:...

WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File

Hummingbird Performance WordPress plugin = 3.18.0 contains a sensitive information exposure caused by improper handling in the 'request' function, letting unauthenticated attackers extract sensitive data including Cloudflare API credentials, exploit requires no authentication. id: CVE-2025-14437...

Autoptimize < 3.1.0 - Information Disclosure

The Autoptimize WordPress plugin before 3.1.0 uses an easily guessable path to store plugin's exported settings and logs. id: CVE-2022-4057 info: name: Autoptimize 3.1.0 - Information Disclosure author: DhiyaneshDK severity: medium description: | The Autoptimize WordPress plugin before 3.1.0 uses...

CirCarLife Scada <4.3 - System Log Exposure

CirCarLife Scada before 4.3 allows remote attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI. CirCarLife is an internet-connected electric vehicle charging station. id: CVE-2018-12634 info: name: CirCarLife Scada 4.3 - System Log...

CVE-2026-9073

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

EUVD-2026-38603

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

CVE-2026-9073

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

CVE-2026-9073

Foreman-mcp-server (MCP server) contains a log-related vulnerability that can leak sensitive credentials via log files. Two separate logging paths are involved: (1) session identifiers are logged at informational level and treated as authentication credentials, and (2) debug logging partially san...

CVE-2026-44960

A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation. Proper escaping has been added to th...

CVE-2026-56248

Cap-go capgo capgo-backend before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the auditlogs table's Row-Level Security RLS policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection,...

CVE-2026-56248

Cap-go capgo (capgo-backend) before 12.128.12 is affected. An unauthenticated DoS arises from the audit_logs table RLS policy when accessed via the Supabase PostgREST API; the query planner performs costly work before RLS rejection, so unfiltered public.audit_logs queries with the public anon key...

CVE-2026-56248 Capgo - Unauthenticated Denial-of-Service via audit_logs RLS Policy

Cap-go capgo capgo-backend before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the auditlogs table's Row-Level Security RLS policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection,...

EUVD-2026-38431

Cap-go capgo capgo-backend before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the auditlogs table's Row-Level Security RLS policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection,...

EUVD-2026-38368

Cap-go before 12.128.2 contains a privilege inversion vulnerability in GET /build/logs/:jobId that allows read-only API key holders to cancel running native builds. The endpoint registers an abort listener on the SSE stream that unconditionally invokes cancelBuildOnDisconnect using the privileged...

CVE-2026-56280 Cap-go - Privilege Inversion in Build Log Stream via SSE Disconnect

Cap-go before 12.128.2 contains a privilege inversion vulnerability in GET /build/logs/:jobId that allows read-only API key holders to cancel running native builds. The endpoint registers an abort listener on the SSE stream that unconditionally invokes cancelBuildOnDisconnect using the privileged...

CVE-2026-8934

The CVE-2026-8934 describes a Missing Authorization vulnerability in a GraphQL private API operation within Google App Engine Cloud Console, enabling an unauthenticated attacker to leak sensitive App Engine request logs from other projects via a crafted request. Affected component: Google Cloud C...