
2052 matches found

Vulnrichment
added 2 days ago | 5 views

CVE-2026-36606

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials...

5.8 AI score | 0.00011 EPSS
Exploits: 0 | References: 1
Cvelist
added 2 days ago | 31 views

CVE-2026-36606

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials...

0.00011 EPSS
Exploits: 0 | References: 1
Nuclei
added 4 days ago | 17 views

WordPress Download Manager - File Password Exposure

The WordPress Download Manager plugin contains a vulnerability that allows attackers to obtain passwords for password-protected downloads by sending a specially crafted request to the validate-password API endpoint. id: CVE-2023-6421 info: name: WordPress Download Manager - File Password Exposure...

7.5 CVSS | 7.1 AI score | 0.82358 EPSS
Exploits: 3 | References: 1
OSV
added 2026/05/28 10:39 p.m. | 4 views

GHSA-C3PX-H233-H6FQ Arcane Has an Authenticated Arbitrary Host File Read via Docker Compose Include Directives

Summary ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because ProjectService.CreateProject writes attacker-supplied compose content to disk without validating includ...

7.7 CVSS | 6 AI score | 0.00056 EPSS
Exploits: 0 | References: 3
Tenable Nessus
added 2026/05/27 12:00 a.m. | 6 views

FreeBSD : Grafana -- Public dashboards discloses all direct mode datasources (6b2bf8e9-5900-11f1-b525-3c7c3fba4204)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 6b2bf8e9-5900-11f1-b525-3c7c3fba4204 advisory. https://grafana.com/security/security-advisories/cve-2026-27877 reports: When using public dashboards a...

7.5 CVSS | 5.8 AI score | 0.00017 EPSS
Exploits: 0 | References: 3
Cvelist
added 2026/05/26 8:12 p.m. | 29 views

CVE-2026-45413 MaxKB: Unsalted MD5 Password Hashing

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force hashcat. This vulnerability is fixed in 2.9.1...

6.9 CVSS | 0.00008 EPSS
Exploits: 0 | References: 1
CVE
added 2026/05/26 5:10 p.m. | 8 views

CVE-2026-44707

CVE-2026-44707 (Chatwoot) : From 2.14.0 up to before 4.13.0, an authentication flow vulnerability allows a pre-registered, unowned email to set a password, enabling a Pre-Account Takeover. If the legitimate user later signs in via Google OAuth or another OmniAuth provider, the OAuth flow can sile...

6.8 CVSS | 5.8 AI score | 0.00043 EPSS
Exploits: 0 | References: 3
CVE
added 2026/05/25 2:15 p.m. | 12 views

CVE-2018-25362

CVE-2018-25362 affects Twitter-Clone 1 with a SQL injection in follow.php via the userid parameter. The vulnerability lets an attacker manipulate queries using union-based or time-based blind payloads to extract sensitive data such as usernames, passwords, and database credentials. Impact is Conf...

8.8 CVSS | 5.9 AI score | 0.00044 EPSS
Exploits: 0 | References: 3
CVE
added 2026/05/22 1:18 p.m. | 15 views

CVE-2026-8673

CVE-2026-8673 describes an unprotected transport of credentials in Avantra from syslink software AG on Linux and Windows, allowing sniffing of credentials. The affected line is Avantra before version 25.3.0. Documented impacts emphasize confidentiality and integrity risks, with CVSS v3.1 indicati...

9.1 CVSS | 5.8 AI score | 0.0004 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2026/05/22 1:18 p.m. | 3 views

CVE-2026-8673 Password re-initialization mechanism sends passwords in plain text

Unprotected transport of credentials vulnerability in syslink software AG Avantra on Linux, Windows allows Sniffing Attacks. This issue affects Avantra: before 25.3.0...

5.9 CVSS | 5.8 AI score | 0.0004 EPSS
Exploits: 0 | References: 1
RedhatCVE
added 2026/05/22 1:06 p.m. | 7 views

CVE-2026-43618

A flaw was found in rsync. An authenticated daemon peer can exploit an integer overflow vulnerability in the compressed-token decoder. By carefully manipulating the compressed-token, a malicious sender can trigger an overflow, leading to remote memory disclosure. This allows an attacker to leak...

8.1 CVSS | 5.8 AI score | 0.00056 EPSS
Exploits: 0 | References: 3
Vulnrichment
added 2026/05/22 9:14 a.m. | 5 views

CVE-2026-25608 Lack of traffic encryption in STER

STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed in version 9.5...

2.3 CVSS | 5.8 AI score | 0.00031 EPSS
Exploits: 0 | References: 2
Cvelist
added 2026/05/22 9:14 a.m. | 23 views

CVE-2026-25608 Lack of traffic encryption in STER

STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed in version 9.5...

2.3 CVSS | 0.00031 EPSS
Exploits: 0 | References: 2
Positive Technologies
added 2026/05/22 12:00 a.m. | 6 views

PT-2026-42744

STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed in version 9.5...

2.3 CVSS | 5.8 AI score | 0.00031 EPSS
Exploits: 0 | References: 3
NVD
added 2026/05/21 8:16 a.m. | 8 views

CVE-2026-44052

Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials...

7.5 CVSS | 0.00041 EPSS
Exploits: 0 | References: 1
CVE
added 2026/05/21 7:34 a.m. | 10 views

CVE-2026-44052

CVE-2026-44052 affects Netatalk versions 2.1.0 through 4.4.2, where ldap simple-bind passwords are exposed in log output. The underlying issue is log exposure of LDAP credentials, enabling an attacker with log access to obtain credentials. The vulnerability is fixed in Netatalk 4.4.3. As per the ...

7.5 CVSS | 5.8 AI score | 0.00041 EPSS
Exploits: 0 | References: 1
Vulnrichment
added 2026/05/21 7:34 a.m. | 3 views

CVE-2026-44052 LDAP simple-bind password exposure in log output

Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials...

7.5 CVSS | 5.8 AI score | 0.00041 EPSS
Exploits: 0 | References: 1
AlpineLinux
added 2026/05/21 7:34 a.m. | 12 views

CVE-2026-44052

Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials...

7.5 CVSS | 5.8 AI score | 0.00041 EPSS
Exploits: 0
EUVD
added 2026/05/21 7:34 a.m. | 6 views

EUVD-2026-31227

Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials...

7.5 CVSS | 5.8 AI score | 0.00041 EPSS
Exploits: 0 | References: 1
Cvelist
added 2026/05/21 7:34 a.m. | 35 views

CVE-2026-44052 LDAP simple-bind password exposure in log output

Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials...

7.5 CVSS | 0.00041 EPSS
Exploits: 0 | References: 1