Lucene search
+L

8486 matches found

CVE
CVE
added 3 hours ago9 views

CVE-2026-63307

CVE-2026-63307 affects Chat2DB prior to 5.3.0. The vulnerability is an insecure direct object reference in GET /api/connection/datasource/{id}. The handler calls dataSourceService.queryExistent(id, …) without an ownership check and returns the decrypted password field, enabling any authenticated ...

7.1CVSS5.4AI score
Exploits0References3
CVE
CVE
added 3 hours ago8 views

CVE-2026-63100

CVE-2026-63100 describes a missing authorization vulnerability in the Settings::HostingsController (through version 0.6.0). Authenticated low-privilege member-role users can access and modify global hosting settings because the before_action ensure_admin filter is only applied to the clear_cache ...

7.1CVSS5.3AI score
Exploits0References2
Nuclei
Nuclei
added 14 hours ago82 views

Cisco Smart Licensing Utility UnAuthenticated Logs Exposure Leaking Plaintext Credentials

A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to access sensitive information.This vulnerability is due to excessive verbosity in a debug log file. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected...

7.5CVSS8.7AI score0.51466EPSS
Exploits0References1
NVD
NVD
added yesterday6 views

CVE-2026-46514

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fmresetpassword in Tools/ResetPassword.php:48-53 returned a plaintext password and fmaddextension in Tools/AddExtension.php:172 returned a plaintext secret; Frogman.class.php:2207-2211 used auditOutcome to JSON-encode...

6.5CVSS
Exploits0References4
NVD
NVD
added yesterday6 views

CVE-2026-44969

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DbtMCP.calltool in src/dbtmcp/mcp/server.py logged the raw arguments dictionary at INFO level before each tool call and at ERROR level on exceptions, and configurefilelogging wrote those records to dbt-mcp.log...

2.5CVSS0.00012EPSS
Exploits0References4
Cvelist
Cvelist
added yesterday29 views

CVE-2026-46513 Frogman: API tokens stored in plaintext

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, Frogman stored API tokens generated by Tools/CreateApiToken.php:33-36 as raw bin2hexrandombytes32 strings in ocapitokens, and Frogman.class.php:78 authenticated the X-Frogman-Token header by comparing it with the stor...

7.4CVSS
Exploits0References4
CVE
CVE
added yesterday7 views

CVE-2026-46513

Summary: Frogman prior to version 1.6.2 stored API tokens in plaintext as raw hex strings in the oc_api_tokens table and validated the X-Frogman-Token header by directly comparing it to the stored value, enabling database read access to reusable tokens at their permission level (including admin)....

7.4CVSS6.1AI score
Exploits0References4
CVE
CVE
added yesterday6 views

CVE-2026-46514

Frogman (headless PBX control via MCP/HTTP API) had a vulnerability prior to version 1.6.2 where returned a plaintext password and returned a plaintext secret. Frogman.class.php:2207-2211 JSON-encoded these values in , enabling any PERM_READ caller with access to to recover stored credentials....

6.5CVSS6.1AI score
Exploits0References4
Cvelist
Cvelist
added yesterday29 views

CVE-2026-44969 dbt-mcp: Tool Arguments Including SQL Queries and Credentials Logged in Plaintext Without Redaction When File Logging Is Enabled

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DbtMCP.calltool in src/dbtmcp/mcp/server.py logged the raw arguments dictionary at INFO level before each tool call and at ERROR level on exceptions, and configurefilelogging wrote those records to dbt-mcp.log...

2.5CVSS0.00012EPSS
Exploits0References4
CVE
CVE
added yesterday13 views

CVE-2026-44969

dbt-mcp: CVE-2026-44969 involves logging of complete tool call arguments (including sql_query, vars, and node_selection) in plaintext when DBT_MCP_SERVER_FILE_LOGGING is enabled. The issue is present in earlier versions (e.g., v1.15.x) and fixed in v1.17.1. Connected sources confirm that argument...

2.5CVSS6.1AI score0.00012EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added yesterday6 views

github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API

A flaw was found in Prometheus, an open-source monitoring system. The clientsecret field within the Azure Active Directory AD remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access t...

7.5CVSS6AI score0.00326EPSS
Exploits0References9
OSV
OSV
added 2 days ago6 views

BIT-PROMETHEUS-2026-42151 Prometheus Azure AD remote write OAuth client secret exposed via config API

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving...

7.5CVSS5.8AI score0.00326EPSS
Exploits0References20
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-46458 Credential exposure in ICU Scandinavia Boomerang

ICU Scandinavia Boomerang is vulnerable to an information disclosure flaw where sensitive credential files are exposed via static HTTP. This allows an unauthenticated remote attacker to retrieve plaintext service account and SMTP credentials by requesting specific XML files from the webroot. This...

7.1CVSS0.00242EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago5 views

EUVD-2026-44634

n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without...

6.3CVSS6.1AI score0.00265EPSS
Exploits0References2
OSV
OSV
added 2 days ago3 views

CVE-2026-59254 n8n - External Secrets Disclosure via Workflow Node Expressions

n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without...

6.3CVSS6.1AI score0.00265EPSS
Exploits0References4
EUVD
EUVD
added 3 days ago5 views

EUVD-2026-43547

9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit the...

9.3CVSS6.1AI score0.00371EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-60096

Name of the Vulnerable Software and Affected Versions nebula-mesh affected versions not specified Description Operator session tokens are stored in plaintext within the token column of the operator sessions table. These tokens are 32-byte random hex values sent via cookies and remain valid for 24...

7.1CVSS6.1AI score
Exploits0References6
NVD
NVD
added 4 days ago6 views

CVE-2026-62327

9Router through version 0.4.41 contains an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit th...

9.3CVSS0.00371EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 4 days ago4 views

CVE-2026-62327

9Router through version 0.4.41 contains an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit th...

9.3CVSS6.1AI score0.00371EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago33 views

CVE-2026-62327 9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats

9Router through version 0.4.41 contains an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit th...

9.3CVSS0.00371EPSS
Exploits0References2
Rows per page
Query Builder