9 matches found
EUVD-2026-38455
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates, such as email templates, mass mail campaigns, custo...
CVE-2026-26326 OpenClaw skills.status could leak secrets to operator.read clients
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, skills.status could disclose secrets to operator.read clients by returning raw resolved config values in configChecks for the config paths listed under a skill's requires.config. Version 2026.2.14 stops including raw resolved config values in requirement check...
SUSE CVE-2024-53859
go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens...
UBUNTU-CVE-2024-53859
go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens...
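The two go-gh entries above describe the same flaw: a token issued for a GitHub host is attached to a request bound for some other host when running inside a codespace. The following is an added example in Python, not go-gh's own code, that places the leaky "ambient token as a fallback for any host" pattern beside a host-scoped resolver. The token-store layout, the ambient codespace token, the `api.github.com` to `github.com` canonicalisation and the sample URLs are all constructed assumptions for illustration.

```python
"""Host-scoped credential resolution (added example, not go-gh's code).

Models the failure mode described for CVE-2024-53859: an ambient token meant
for GitHub hosts gets attached to requests bound for other hosts. The host
store, the ambient-token fallback and the canonicalisation rule are assumptions.
"""
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlsplit


def canonical_host(host: str) -> str:
    """Normalise a hostname; api.github.com is treated as github.com (assumption)."""
    host = host.lower().rstrip(".")
    return "github.com" if host == "api.github.com" else host


def resolve_token_leaky(target_url: str, tokens: Dict[str, str],
                        ambient_token: Optional[str]) -> Optional[str]:
    """Vulnerable pattern: fall back to the ambient (codespace) token for ANY host.

    An attacker who can make the client talk to a host they control receives
    the ambient token in the Authorization header.
    """
    host = canonical_host(urlsplit(target_url).hostname or "")
    return tokens.get(host) or ambient_token


def resolve_token(target_url: str, tokens: Dict[str, str],
                  ambient_token: Optional[str],
                  ambient_hosts: FrozenSet[str] = frozenset({"github.com"})) -> Optional[str]:
    """Hardened: a token is released only to the host it was issued for.

    tokens maps canonical hostname -> token. The ambient token, if present, is
    bound to ambient_hosts and is never sent anywhere else.
    """
    parts = urlsplit(target_url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # never put a bearer token on a non-TLS or malformed URL
    host = canonical_host(parts.hostname)
    if host in tokens:
        return tokens[host]
    if ambient_token and host in ambient_hosts:
        return ambient_token
    return None


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Constructed scenario: one explicit GHES token plus an ambient codespace token.

    Returns target_url -> (leaky result, hardened result).
    """
    tokens = {"ghe.example.com": "ghe_constructed_token"}
    ambient = "ghp_constructed_codespace_token"
    targets = [
        "https://api.github.com/user",            # GitHub: ambient token is appropriate
        "https://ghe.example.com/api/v3/user",    # explicit per-host token
        "https://attacker.example.net/collect",   # non-GitHub host: must get nothing
        "http://api.github.com/user",             # plaintext scheme: must get nothing
    ]
    return {t: (resolve_token_leaky(t, tokens, ambient),
                resolve_token(t, tokens, ambient)) for t in targets}


if __name__ == "__main__":
    for url, (leaky, safe) in demo().items():
        print(f"{url}\n  leaky   -> {leaky}\n  scoped  -> {safe}")
```

The practitioner check is the third target: with the leaky resolver the codespace token goes to attacker.example.net, with the scoped one it does not. Any library that layers a "default" credential on top of per-host credentials needs the same host binding on the default.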
PT-2024-17852 · Gitlab · Gitlab
Name of the Vulnerable Software and Affected Versions: GitLab 16.8 prior to 16.8.4; GitLab 16.9 prior to 16.9.2
Description: A privilege escalation issue was discovered in GitLab. It was possible for a user with a custom role carrying the "manage group access tokens" permission to rotate group access...
GHSA-J4G3-3Q8X-JXQP dbt-core's secret env vars written to package-lock.yml in plaintext
Impact: When used to pull source code from a private repository using a Personal Access Token (PAT), some versions of dbt-core write a URL with the PAT in plaintext to the package-lock.yml file.
Patches: The bug has been fixed in dbt-core v1.7.3.
Mitigations: Remove any git URLs with plaintext secrets...
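The mitigation above amounts to finding every git URL in the lockfile that carries credentials in its userinfo and stripping them. The following is an added example, not dbt-core's own code: a small scanner that reports such URLs by line and returns a redacted copy of the file. The sample lockfile content and the token value are constructed; URL detection is a plain regex over the text rather than a YAML parse, so it also catches URLs in comments.

```python
"""Find and redact credentials embedded in git URLs (added example, not dbt-core's code).

Works on any text file; the sample below is a constructed package-lock.yml-style
document containing one URL with a PAT in its userinfo.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Any http(s)/ssh/git URL up to whitespace or a quote; assumption for this example.
URL_RE = re.compile(r"(?:https?|ssh|git)://[^\s'\"]+")

SAMPLE_LOCKFILE = """packages:
  - git: https://ghp_constructedSecret123@github.com/example-org/private-models.git
    revision: 1a2b3c4d
  - git: https://github.com/dbt-labs/dbt-utils.git
    revision: 1.1.1
  - package: dbt-labs/codegen
    version: 0.11.0
"""


def redact_url(url: str) -> Tuple[str, str]:
    """Return (redacted_url, secret). secret is '' when the URL carries no userinfo.

    Both username and password are dropped: with PATs the token often sits in
    the username position, so keeping the username would keep the secret.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url, ""
    secret = parts.password or parts.username or ""
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, f"***@{host}", parts.path, parts.query, parts.fragment)), secret


def scan_lockfile(text: str) -> Tuple[List[Dict[str, object]], str]:
    """Scan text line by line; return (findings, redacted_text)."""
    findings: List[Dict[str, object]] = []
    out_lines = []
    for lineno, line in enumerate(text.splitlines(), 1):
        new_line = line
        for m in URL_RE.finditer(line):
            clean, secret = redact_url(m.group(0))
            if secret:
                findings.append({"line": lineno, "url": m.group(0),
                                 "secret": secret, "redacted": clean})
                new_line = new_line.replace(m.group(0), clean)
        out_lines.append(new_line)
    redacted = "\n".join(out_lines) + ("\n" if text.endswith("\n") else "")
    return findings, redacted


if __name__ == "__main__":
    found, cleaned = scan_lockfile(SAMPLE_LOCKFILE)
    for f in found:
        print(f"line {f['line']}: credential in {f['url']!r}")
    print(cleaned)
```

Redacting the file is only half the mitigation: if the lockfile was ever committed, the PAT is in repository history and must be rotated, and the lockfile should be regenerated with `dbt deps` on a patched version rather than hand-edited going forward.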
Privilege escalation via ApiTokensEndpoint
Impact: An attacker with access to a token with few or no scopes can query /api/0/api-tokens/ for a list of all tokens created by a user, including tokens with greater scopes, and use those tokens in other requests. There is no evidence that the issue was exploited on https://sentry.io. For...
PT-2023-26895 · Sentry · Sentry
Name of the Vulnerable Software and Affected Versions: Sentry 22.1.0 through 23.7.2
Description: Sentry is an error tracking and performance monitoring platform. An attacker with access to a token with few or no scopes can query "/api/0/api-tokens/" for a list of all tokens created by a...
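Both Sentry entries above describe the same defect: the token-listing endpoint trusted any authenticated token, and its response carried the other tokens' secret values. The following is an added example in Python, not Sentry's code, that models a minimal handler in its vulnerable and hardened forms. The scope name gating the endpoint, the token values and the in-memory store are constructed assumptions; the point is that the calling token's scopes are checked and that secrets are never echoed back, only a non-reversible fingerprint.

```python
"""Scope-checked token listing (added example, not Sentry's code).

Models the behaviour described for PT-2023-26895: a caller holding a low-scope
token could enumerate the user's other tokens, secrets included. The scope
name, token values and store layout are constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

REQUIRED_SCOPE = "org:admin"  # assumption: the scope that should gate token management


@dataclass(frozen=True)
class ApiToken:
    id: int
    owner: str
    secret: str               # the bearer value; an API must never echo this back
    scopes: FrozenSet[str]


def fingerprint(secret: str) -> str:
    """Non-reversible handle for display: identifies a token, useless for replay."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def api_tokens_vulnerable(caller: ApiToken, store: List[ApiToken]) -> Tuple[int, object]:
    """Any authenticated token lists every token of the same owner, secrets included."""
    return 200, [
        {"id": t.id, "token": t.secret, "scopes": sorted(t.scopes)}
        for t in store if t.owner == caller.owner
    ]


def api_tokens_hardened(caller: ApiToken, store: List[ApiToken],
                        required_scope: str = REQUIRED_SCOPE) -> Tuple[int, object]:
    """Require an explicit scope on the *calling* token and return metadata only."""
    if required_scope not in caller.scopes:
        return 403, {"detail": f"token lacks required scope {required_scope}"}
    return 200, [
        {"id": t.id, "fingerprint": fingerprint(t.secret), "scopes": sorted(t.scopes),
         "is_current": t.id == caller.id}
        for t in store if t.owner == caller.owner
    ]


# Constructed token store: one weak token and one privileged token for the same user.
STORE = [
    ApiToken(1, "alice", "sntrys_constructed_low", frozenset({"project:read"})),
    ApiToken(2, "alice", "sntrys_constructed_high", frozenset({"project:read", "org:admin"})),
]


if __name__ == "__main__":
    low, high = STORE
    print("vulnerable, low-scope caller:", api_tokens_vulnerable(low, STORE))
    print("hardened, low-scope caller:  ", api_tokens_hardened(low, STORE))
    print("hardened, admin caller:      ", api_tokens_hardened(high, STORE))
```

The fingerprint-only response matters independently of the scope check: even an authorised administrator listing tokens has no legitimate need for the secret values, so a later authorisation bug in the same endpoint no longer turns into credential theft.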
PT-2022-27773 · Grafana · Synthetic Monitoring Agent For Grafana
Name of the Vulnerable Software and Affected Versions: Synthetic Monitoring Agent for Grafana prior to 0.12.0
Description: The Synthetic Monitoring Agent for Grafana's Synthetic Monitoring application provides probe functionality and executes network checks for monitoring remote targets...