25 matches found
PT-2026-45375
Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.2 Description The Log server authorizes JWT tokens against Dag IDs by applying the str.lstrip function to the requested path segment when verifying the sub claim. Because str.lstrip removes any character fr...
Portainer: JWT accepted in URL query leaks tokens to logs and referers
Summary Portainer's authentication middleware accepts JWT bearer tokens passed as the ?token= URL query parameter on any authenticated API endpoint, in addition to the standard Authorization: Bearer header. URLs are recorded in reverse-proxy access logs, browser history, and HTTP Referer headers ...
GHSA-JVP4-Q659-95MJ Portainer: JWT accepted in URL query leaks tokens to logs and referers
Summary Portainer's authentication middleware accepts JWT bearer tokens passed as the ?token= URL query parameter on any authenticated API endpoint, in addition to the standard Authorization: Bearer header. URLs are recorded in reverse-proxy access logs, browser history, and HTTP Referer headers ...
CVE-2026-37504
Sensitive servertoken exposed via GET parameter in V2Board thru 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server authentication token is accepted via GET parameter transmission. The token appears in URLs such as /api/v1/server/UniProxy/user?token=SECRET, causing it to be...
Gogs: Access tokens get exposed through URL params in API requests
Summary The Gogs API still accepts tokens in URL parameters such as token and accesstoken, which can leak through logs, browser history, and referrers. Details A static review shows that the API still checks tokens in the URL query before looking at headers: - internal/context/auth.go reads...
CVE-2025-62879
A vulnerability has been identified within the Rancher Backup Operator, resulting in the leakage of S3 tokens both accessKey and secretKey into the rancher-backup-operator pod's logs...
PT-2026-20791
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.15 Description The application logs Telegram bot tokens without redaction when they appear in error messages or stack traces, such as in request URLs including https://api.telegram.org/bot/.... This can lead t...
CVE-2025-12679
A vulnerability in Brocade SANnav before 2.4.0b prints the Password-Based Encryption PBE key in plaintext in the system audit log file. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the pbe key. Note: The vulnerability is only triggered duri...
CVE-2026-22644
Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access...
EUVD-2025-199666
Core Bot Is an Open Source discord bot made for maple hospital servers. Prior to commit dffe050, the API keys SUPABASEAPIKEY, TOKEN are loaded using environment variables, but there are cases in code error handling, summaries, webhooks where configuration summaries may inadvertently leak sensitiv...
CVE-2025-65957 Core Bot is Leaking Sensitive Credentials in Logs, Errors, and Messages
Core Bot Is an Open Source discord bot made for maple hospital servers. Prior to commit dffe050, the API keys SUPABASEAPIKEY, TOKEN are loaded using environment variables, but there are cases in code error handling, summaries, webhooks where configuration summaries may inadvertently leak sensitiv...
Linux Distros Unpatched Vulnerability : CVE-2025-11065
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information...
Linux Distros Unpatched Vulnerability : CVE-2025-52893
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 m...
CVE-2025-55285 @backstage/plugin-scaffolder-backend Template Secret Leakage in Logs in Scaffolder When Using `fetch:template`
@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If $ secrets.x is not passed...
Linux Distros Unpatched Vulnerability : CVE-2023-4237
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2key module prints out the private key directly to the standard output...
PT-2024-22598 · Checkmk · Checkmk
Name of the Vulnerable Software and Affected Versions: Checkmk versions prior to 2.3.0p7 Checkmk versions prior to 2.2.0p28 Checkmk versions prior to 2.1.0p45 Checkmk versions prior to or equal to 2.0.0p39 Description: The issue allows sensitive information to be inserted into log files, causing...
Backstage Information Disclosure Vulnerability
Backstage is a software application. Backstage is an open platform for building developer portals. A security vulnerability exists in Backstage that stems from the GitlabDiscoveryEntityProvider leaking gitlab integration tokens in logs when tokens with newlines are supplied...
Elasticsearch Log Information Disclosure Vulnerability
Elasticsearch is a search engine based on the Lucene library. A security vulnerability exists in Elasticsearch that stems from the fact that sensitive information and credentials are not filtered out when requests to Elasticsearch use certain deprecated API URIs. This could result in sensitive...
GitLab CE/EE 安全漏洞
GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD Continuous Integration and Continuous Delivery and other features. A security vulnerability exists in GitLab CE/EE, which stems from the leakage o...
DEBIAN-CVE-2022-0718
A flaw was found in python-oslo-utils. Due to improper parsing, passwords with a double quote " in them cause incorrect masking in debug logs, causing any part of the password after the double quote to be plaintext...