CVE-2026-43860

mutt before 2.3.2 sometimes truncates the hashpasswd by one byte for IMAP authcram MD5 digest...

PT-2026-36773

mutt before 2.3.2 sometimes truncates the hash passwd by one byte for IMAP auth cram MD5 digest...

CVE-2026-3867

An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this...

CVE-2026-3867

An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this...

CVE-2026-33318

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user including BASIC role can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowin...

CVE-2026-33318

CVE-2026-33318 affects Actual, a local-first personal finance tool. Prior to version 26.4.0, any authenticated session could escalate to ADMIN on OpenID-migrated servers due to a three‑part chain: 1) missing authorization on POST /account/change-password allows overwriting the password hash; 2) a...

Missing Authorization

Overview @actual-app/sync-server is an actual syncing server Affected versions of this package are vulnerable to Missing Authorization via the change-password endpoint, which lacks proper authorization checks. An attacker can gain administrative privileges by overwriting the password hash for the...

CVE-2025-15480

In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs...

CVE-2025-15480

In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs...

CVE-2025-15480

CVE-2025-15480 affects ubuntu-desktop-provision 24.04.4 in Ubuntu. If a user fails installation and submits a bug report to Launchpad, the attached logs could include the user’s password hash, leading to confidential data exposure. The impact is described as a password-hash disclosure in crash-re...

CVE-2025-15480 Senstive information disclosure was affecting ubuntu-desktop-provision

In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs...

CVE-2025-15480 Senstive information disclosure was affecting ubuntu-desktop-provision

In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs...

Ubuntu Desktop Provision 安全漏洞

Ubuntu Desktop Provision is an open-source desktop configuration tool developed by Canonical. Version 24.04.4 of Ubuntu Desktop Provision contains a security vulnerability, which stems from improper handling of crash reports and could lead to password hash leaks...

CVE-2026-29108

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

CVE-2026-29108 Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

CVE-2026-29108

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

CVE-2026-29108 Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

CVE-2026-29108

SuiteCRM vulnerable prior to 8.9.3 via an authenticated API endpoint that can reveal detailed user data including password hashes and MFA configuration for any user. Root cause: exposed information in the API when queried by an authenticated user. Impact: potential to crack stored password hashes...

CVE-2026-29108 Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

CVE-2026-3658 Appointment Booking Calendar <= 1.6.10.0 - Unauthenticated SQL Injection via 'fields' Parameter

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'fields' parameter in all versions up to, and including, 1.6.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparati...