8 matches found
EUVD-2026-30585
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's adminid. This can...
CVE-2026-33758 OpenBao has Reflected XSS in its OIDC authentication error message
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed...
CVE-2025-54981
CVE-2025-54981 affects Apache StreamPark prior to 2.1.7, due to use of AES in ECB mode and a weak RNG for encrypting sensitive data such as JWT tokens. This weak encryption could lead to exposure of confidential data. The vulnerability is documented across multiple sources (NVD, Red Hat, OSV, CNV...
CVE-2025-62794 GitHub Workflow Updater stored the optional Github token in plaintext
GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" ap...
EUVD-2024-0827
Malicious code in bioql PyPI...
EUVD-2023-2349
Malicious code in bioql PyPI...
GHSA-PWHH-Q4H6-W599 Spotipy's cache file, containing spotify auth token, is created with overly broad permissions
Summary The CacheHandler class creates a cache file to store the auth token here: https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cachehandler.pyL93-L98 The file created has rw-r--r-- 644 permissions by default, when it could be locked down to rw------- 600 permissions. I think 600 is ...
PT-2023-30313 · Pilos · Pilos
Name of the Vulnerable Software and Affected Versions: PILOS versions prior to 2.3.0 Description: The password reset component in PILOS uses the hostname supplied within the request host header when building a password reset URL. This could allow manipulation of the URL sent to PILOS users,...