Github Security Blog
added 2026/05/18 2:20 p.m.

Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass

Neotoma versions starting at v0.6.0 can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the...

CVSS 6.9 · AI score 5.8 · EPSS 0.00054
Exploits 0 · References 3 · Affected software 1
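The Neotoma entry describes a pattern worth seeing side by side: an auth middleware that grants a privileged local identity to any request arriving over a loopback socket without a Bearer token, which fails the moment a reverse proxy on the same host forwards public traffic over that socket. The block below is an added example written for this listing, not Neotoma's code; `Request`, `LOCAL_DEV_USER`, `PROXY_HEADERS` and the `resolve_user_*` functions are hypothetical names, and the sample requests are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Mapping, Optional, Set

# Hypothetical identifiers for illustration; not taken from any project.
LOCAL_DEV_USER = "local-dev"
PROXY_HEADERS = ("x-forwarded-for", "x-real-ip", "forwarded", "via")


@dataclass(frozen=True)
class Request:
    peer_ip: str                 # address of the TCP peer that delivered the request
    headers: Mapping[str, str]   # header names lower-cased


def _bearer(req: Request) -> Optional[str]:
    """Return the Bearer token from the Authorization header, or None."""
    scheme, _, token = req.headers.get("authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def resolve_user_vulnerable(req: Request, valid_tokens: Set[str]) -> Optional[str]:
    """Flawed pattern: a loopback peer with no token becomes the local dev user.
    A reverse proxy on the same host delivers every public request over loopback,
    so any unauthenticated internet client inherits that identity."""
    tok = _bearer(req)
    if tok is not None:
        return "token-user" if tok in valid_tokens else None
    if ipaddress.ip_address(req.peer_ip).is_loopback:
        return LOCAL_DEV_USER
    return None


def resolve_user_hardened(req: Request, valid_tokens: Set[str],
                          allow_loopback_dev: bool = False) -> Optional[str]:
    """Hardened pattern: a presented token is always validated and never falls
    back to the loopback shortcut; the shortcut itself is off unless explicitly
    enabled, and is refused for any request carrying proxy headers.
    The header check is defence in depth only: a deployment behind a proxy
    must keep allow_loopback_dev=False, since a proxy that adds no forwarding
    headers would still look like a direct local client."""
    tok = _bearer(req)
    if tok is not None:
        return "token-user" if tok in valid_tokens else None
    if not allow_loopback_dev:
        return None
    if any(h in req.headers for h in PROXY_HEADERS):
        return None
    if ipaddress.ip_address(req.peer_ip).is_loopback:
        return LOCAL_DEV_USER
    return None


# Constructed sample: what the app sees when nginx on the same host proxies a
# public request to 127.0.0.1 with no credentials.
PROXIED_ANON = Request("127.0.0.1", {"host": "inspector.example",
                                     "x-forwarded-for": "203.0.113.5"})
# Constructed sample: a developer hitting the port directly on the machine.
DIRECT_ANON = Request("127.0.0.1", {"host": "localhost"})


def demo() -> dict:
    """Run both resolvers over the constructed requests; returns the outcomes."""
    tokens = {"t0k-constructed"}
    return {
        "vulnerable_proxied": resolve_user_vulnerable(PROXIED_ANON, tokens),
        "hardened_proxied": resolve_user_hardened(PROXIED_ANON, tokens, allow_loopback_dev=True),
        "hardened_direct_opt_in": resolve_user_hardened(DIRECT_ANON, tokens, allow_loopback_dev=True),
        "hardened_direct_default": resolve_user_hardened(DIRECT_ANON, tokens),
    }


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name}: {user}")
```

The practical check for an existing deployment is the first constructed request: send an unauthenticated request through the public proxy and confirm the API answers 401 rather than acting as the local user.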
Github Security Blog
added 2026/05/06 9:39 p.m.

Flight vulnerable to sensitive information disclosure via default error handler

Summary: The default error handler Engine::error writes the full exception message, exception code, and stack trace, including absolute filesystem paths, directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception...

CVSS 7.5 · AI score 5.8 · EPSS 0.00015
Exploits 0 · References 5 · Affected software 1
EUVD
added 2026/04/21 9:16 p.m.

EUVD-2026-24511

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This...

CVSS 8.7 · AI score 5.8 · EPSS 0.00069
Exploits 0 · References 1
OSV
added 2026/01/23 9:15 p.m.

CVE-2025-52024

A vulnerability exists in the Aptsys POS Platform Web Services module through 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services,...

CVSS 9.4 · AI score 5.9
Exploits 0 · References 2
CVE
added 2026/01/23 12:00 a.m.

CVE-2025-52024

CVE-2025-52024 affects Aptsys POS Platform Web Services. Affected: Aptsys POS Platform Web Services version(s) prior to 2025-05-29. Root cause: unauthenticated access exposes internal API testing tooling and a directory-style index of backend services and POS web services, each with HTML forms fo...

CVSS 9.4 · AI score 5.7 · EPSS 0.00054
Exploits 0 · References 2 · Affected software 1
Positive Technologies
added 2026/01/23 12:00 a.m.

PT-2026-4529

Name of the Vulnerable Software and Affected Versions: Aptsys POS Platform Web Services versions prior to 2025-05-29. Description: The Aptsys POS Platform Web Services module contains a flaw that allows unauthenticated users to access internal API testing tools. Accessing specific URLs reveals a...

CVSS 9.4 · AI score 5.5 · EPSS 0.00054
Exploits 0 · References 8
Tenable Nessus
added 2025/12/04 12:00 a.m.

Adobe Experience Manager (AEM) Debugging Client Libraries Exposure

This plugin detects the presence of the Adobe Experience Manager AEM Debugging Client Libraries on a web server. These libraries are intended for development and debugging purposes and should not be exposed in a production environment, as they may contain sensitive information or functionality th...

AI score 6.7
Exploits 0 · References 1
Snyk
added 2025/01/01 6:28 a.m.

Information Exposure

Overview: collaborative-article-sharing is a command-line interface for interacting with the CAS API. Affected versions of this package are vulnerable to Information Exposure because the Flask application runs in debug mode in a production environment. Remediation: Upgrade...

CVSS 6.9 · AI score 6.8
Exploits 0 · References 3
CNNVD
added 2024/06/07 12:00 a.m.

zsa security vulnerability

zsa is a library open-sourced by zsa for building type-safe server operations in Next.js. A security vulnerability exists in versions prior to zsa 0.3.3 that stems from a zsa application transferring a parsing error stack from the server to the client in production build mode, resulting in the...

CVSS 5.3 · AI score 6.3 · EPSS 0.00321
Exploits 0 · References 3
Positive Technologies
added 2024/06/06 12:00 a.m.

PT-2024-27346 · Zsa · Zsa

Name of the Vulnerable Software and Affected Versions: zsa versions prior to 0.3.3 Description: The zsa application transfers the parse error stack from the server to the client in production build mode, potentially revealing sensitive information about the server environment, such as the machine...

CVSS 6.9 · AI score 6.9 · EPSS 0.00321
Exploits 0 · References 8
OSV
added 2022/06/03 10:19 p.m.

GHSA-P9P4-97G9-WCRH Dev error stack trace leaking into prod in Play Framework

Impact: Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its DefaultHttpErrorHandler to do so based on the application mode. In its Scala API Play also provides a static object DefaultHttpErrorHandler...

CVSS 5.9 · AI score 7 · EPSS 0.0043
Exploits 0 · References 5
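Several entries above are the same failure in different stacks: Flight's default Engine::error, Play's dev-mode DefaultHttpErrorHandler, zsa's parse-error stack, and the Flask app left in debug mode all push exception detail to the client with no environment gating, while the Oxia entry is the server-side twin, a full bearer token written to DEBUG logs. The block below is an added example for this listing, in generic Python rather than any of those projects' code, showing the two halves of the fix together: a handler that keeps detail out of the response unless debug is explicitly on, and log writing that records a credential only as a fingerprint. All function names (`error_response_*`, `redact`, `token_fingerprint`, `auth_failure_log_line`) and the sample token are hypothetical and constructed.

```python
import hashlib
import logging
import re
import traceback
import uuid
from typing import Tuple

log = logging.getLogger("app")

# Matches "Bearer <token>" anywhere in free text (token charset per RFC 6750).
_BEARER_RE = re.compile(r"(?i)\b(bearer\s+)([A-Za-z0-9\-._~+/]+=*)")


def token_fingerprint(token: str) -> str:
    """Short non-reversible handle for a credential, so an auth failure can be
    correlated across log lines without the credential itself being written."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def redact(text: str) -> str:
    """Replace every Bearer token in a message with its fingerprint."""
    return _BEARER_RE.sub(lambda m: f"{m.group(1)}<redacted:{token_fingerprint(m.group(2))}>", text)


def auth_failure_log_line(token: str) -> str:
    """What an OIDC/JWT validation failure should log at any level, including
    DEBUG: the fingerprint, never the token (contrast the Oxia entry above)."""
    return f"OIDC authentication failed for token sha256:{token_fingerprint(token)}"


def _format_exc(exc: BaseException) -> str:
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def error_response_vulnerable(exc: Exception) -> Tuple[int, str]:
    """Flawed default: type, message and full traceback (absolute paths and
    anything interpolated into the message) go to the client, in every mode."""
    return 500, f"{type(exc).__name__}: {exc}\n{_format_exc(exc)}"


def error_response_hardened(exc: Exception, debug: bool = False) -> Tuple[int, str]:
    """Hardened: detail is logged server-side with credentials redacted; the
    client gets a generic message plus a correlation id unless debug is
    explicitly on. Debug must default to off and never be derived from the
    absence of a production flag."""
    ref = uuid.uuid4().hex[:8]
    detail = _format_exc(exc)
    log.error("unhandled error ref=%s\n%s", ref, redact(detail))
    if debug:
        return 500, f"[{ref}] {type(exc).__name__}: {exc}\n{detail}"
    return 500, f"Internal server error (ref {ref})"


# Constructed sample token; not a real credential.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.constructed.payload"


def demo() -> dict:
    """Trigger an exception whose message carries a credential, as a misbehaving
    auth layer might, and show what each handler would send to the client."""
    try:
        raise RuntimeError(f"upstream rejected Authorization: Bearer {SAMPLE_TOKEN}")
    except RuntimeError as exc:
        _, leaky = error_response_vulnerable(exc)
        _, safe = error_response_hardened(exc)
        _, dev = error_response_hardened(exc, debug=True)
    return {
        "vulnerable_leaks_token": SAMPLE_TOKEN in leaky,
        "hardened_leaks_token": SAMPLE_TOKEN in safe,
        "hardened_debug_leaks_token": SAMPLE_TOKEN in dev,
        "safe_body": safe,
        "auth_log_line": auth_failure_log_line(SAMPLE_TOKEN),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Redaction at the formatting layer is the backstop, not the primary control: the auth code should never hand the raw token to a logger or an exception message in the first place, which is why `auth_failure_log_line` only ever receives the fingerprint's input and emits the digest.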
OSV
added 2020/09/01 7:03 p.m.

GHSA-7X92-2J68-H32C Directory Traversal in featurebook

Affected versions of featurebook resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. The...

AI score 7.1
Exploits 0 · References 2
OSV
added 2018/06/26 7:29 p.m.

DEBIAN-CVE-2018-3760

There is an information leak vulnerability in Sprockets. Versions affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exist on the filesystem outside an application's root directory, when the Sprockets server is...

CVSS 7.5 · AI score 6.7 · EPSS 0.93887
Exploits 2 · References 1
OSV
added 2018/06/26 7:29 p.m.

UBUNTU-CVE-2018-3760

There is an information leak vulnerability in Sprockets. Versions affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exist on the filesystem outside an application's root directory, when the Sprockets server is...

CVSS 7.5 · AI score 7.1 · EPSS 0.93887
Exploits 2 · References 4
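The featurebook entry and the two Sprockets entries (CVE-2018-3760) share one root cause: a request path resolved relative to a serving root without checking that the result stays under that root. The block below is an added example for this listing, not featurebook's or Sprockets' code, showing the unchecked join next to a containment check that also survives the symlink case (a link inside the root that points outside it). `resolve_asset_*` and `symlink_escape_demo` are hypothetical names and the directory layout is constructed in a temp dir; callers are assumed to have already percent-decoded the request path.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath
from typing import Optional, Union


def resolve_asset_vulnerable(root: Union[str, Path], requested: str) -> Path:
    """Flawed: the request path is joined to the root and normalised, but never
    checked for containment, so '..' segments walk out of the root."""
    return Path(os.path.normpath(os.path.join(str(root), requested)))


def resolve_asset_hardened(root: Union[str, Path], requested: str) -> Optional[Path]:
    """Hardened: reject absolute paths and '..' segments up front, then resolve
    the target with symlinks followed and require it to sit under the resolved
    root. The second check is what catches symlinks and any lexical trick the
    first one misses. Returns None for anything that would escape."""
    root_real = Path(root).resolve(strict=False)
    rel = PurePosixPath(requested)
    if rel.is_absolute() or ".." in rel.parts or not rel.parts:
        return None
    target = (root_real / rel).resolve(strict=False)
    try:
        target.relative_to(root_real)
    except ValueError:
        return None
    return target


def symlink_escape_demo() -> bool:
    """Build a constructed root containing a symlink to a file outside it, and
    report whether the flawed resolver reads through it while the hardened
    one refuses. Returns True when the hardened resolver blocks the escape."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "assets"
        root.mkdir()
        secret = base / "secret.txt"
        secret.write_text("constructed secret\n")
        (root / "evil").symlink_to(secret)  # link inside root, target outside
        leaked = resolve_asset_vulnerable(root, "evil").read_text() == "constructed secret\n"
        blocked = resolve_asset_hardened(root, "evil") is None
        return leaked and blocked


if __name__ == "__main__":
    ROOT = "/srv/app/assets"  # hypothetical serving root
    for req in ("css/app.css", "../../etc/passwd", "/etc/passwd", "css/../../secret"):
        print(f"{req!r}: flawed -> {resolve_asset_vulnerable(ROOT, req)}, "
              f"hardened -> {resolve_asset_hardened(ROOT, req)}")
    print("symlink escape blocked:", symlink_escape_demo())
```

The resolve-then-`relative_to` check is the one to keep in any asset server: a lexical filter on `..` alone is what the featurebook and Sprockets class of bug typically gets wrong, because it says nothing about what the filesystem does with the path once it is opened.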