18 matches found

RedhatCVE
added 2026/03/07 7:59 a.m., 3 views

CVE-2026-29060

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with...

CVSS 5, AI score 5.7, EPSS 0.00009
Exploits 0, References 1
RedhatCVE
added 2026/03/06 2:37 p.m., 3 views

CVE-2026-3236

In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token...

CVSS 4.3, AI score 5.8, EPSS 0.00042
Exploits 0, References 1
Cvelist
added 2026/03/05 10:37 a.m., 25 views

CVE-2026-3236

In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token...

CVSS 2.3, EPSS 0.00042
Exploits 0, References 1
EUVD
added 2026/01/30 9:30 p.m., 2 views

EUVD-2024-36557

It was identified that under certain specific preconditions, an API key that was originally created with specific privileges could be subsequently used to create new API keys that have elevated privileges...

CVSS 9.8, AI score 5.9, EPSS 0.00393
Exploits 0, References 2
Positive Technologies
added 2026/01/29 12:00 a.m., 2 views

PT-2026-5312

Name of the Vulnerable Software and Affected Versions: AutoGPT versions prior to 0.6.44. Description: AutoGPT Platform’s block execution endpoints, both the main web API and external API, allow execution of blocks by UUID without verifying the disabled flag. This allows any authenticated user to...

CVSS 9.4, AI score 6.2, EPSS 0.00139
Exploits 1, References 21
Cvelist
added 2025/10/31 6:32 p.m., 6 views

CVE-2025-12546 LogicalDOC Community Edition API Key creation UI cross site scripting

A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized...

CVSS 5.1, EPSS 0.00043
Exploits 1, References 4
Vulnrichment
added 2025/10/09 9:24 p.m., 1 view

CVE-2025-61928 Better Auth: Unauthenticated API key creation through api-key plugin

Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the api/auth/api-key/create route. session?.user ?? authRequired ? null : i...

CVSS 9.3, AI score 6.8, EPSS 0.00204
Exploits 0, References 2
Cvelist
added 2025/10/09 9:24 p.m., 12 views

CVE-2025-61928 Better Auth: Unauthenticated API key creation through api-key plugin

Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the api/auth/api-key/create route. session?.user ?? authRequired ? null : i...

CVSS 9.3, EPSS 0.00204
Exploits 0, References 2
CVE
added 2025/10/09 9:24 p.m., 34 views

CVE-2025-61928

CVE-2025-61928 affects Better Auth (TypeScript) prior to version 1.3.26. The vulnerability allows unauthenticated attackers to create or modify API keys for any user by supplying the target user’s id in the request body to api/auth/api-key/create (and similarly in the update endpoint). The issue ...

CVSS 9.3, AI score 6.8, EPSS 0.00204
Exploits 0, References 2
Github Security Blog
added 2025/10/09 3:40 p.m., 6 views

Better Auth: Unauthenticated API key creation through api-key plugin

Summary A critical authentication bypass was identified in the API key creation and update endpoints. An attacker could create or modify API keys for arbitrary users by supplying a victim’s user ID in the request body. Due to a flaw in how the authenticated user was derived, the endpoints could...

CVSS 9.3, AI score 9.1, EPSS 0.00204
Exploits 0, References 4, Affected Software 1
Positive Technologies
added 2025/10/09 12:00 a.m., 3 views

PT-2025-41497

Name of the Vulnerable Software and Affected Versions: Better Auth versions prior to 1.3.26. Description: Better Auth is an authentication and authorization library for TypeScript. A critical authentication bypass allows unauthenticated attackers to create or modify API keys for any user. This is...

CVSS 9.3, AI score 8.8, EPSS 0.00204
Exploits 0, References 29
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-24413

Malware in sbrugna...

CVSS 8.8, AI score 8.5, EPSS 0.00265
Exploits 0, References 3
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-3946

Malicious code in bioql PyPI...

CVSS 8.8, AI score 6.6, EPSS 0.0043
Exploits 0, References 8
Github Security Blog
added 2025/08/28 1:33 p.m., 12 views

NeuVector has an insecure password storage vulnerable to rainbow attack

Impact: NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to a rainbow table attack, an offline attack where hashes of known passwords are precomputed. NeuVector generates a cryptographically secure, random 16-character salt and uses it with the PBKDF2...

CVSS 5.3, AI score 6.6, EPSS 0.00035
Exploits 0, References 4, Affected Software 1
Positive Technologies
added 2025/08/28 12:00 a.m., 8 views

PT-2025-35110

Name of the Vulnerable Software and Affected Versions: NeuVector versions 5.0.0 through 5.4.5 Description: NeuVector stores user passwords and API keys using a simple, unsalted hash, making it vulnerable to rainbow table attacks. The software generates a cryptographically secure, random...

CVSS 9.9, AI score 6.5, EPSS 0.50933
Exploits 20, References 46
RedhatCVE
added 2025/05/09 2:19 a.m., 7 views

CVE-2025-3853

The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callbackgenerateapikey due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above...

CVSS 6.5, AI score 6.6, EPSS 0.00218
Exploits 0, References 1
VulnCheck KEV
added 2024/05/15 12:00 a.m., 1 view

VulnCheck KEV: CVE-2021-45467

In CWP aka Control Web Panel or CentOS Web Panel before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/accountnewcreate&acc=guadaapi URI. Any number of...

CVSS 9.8, AI score 5.9, EPSS 0.88501
Exploits 1, References 1
Veracode
added 2022/01/17 8:34 a.m., 5 views

Privilege Escalation

snipe-it is vulnerable to privilege escalation. The vulnerability exists due to lack of sanitization of the auth controls on API key creation...

CVSS 6.3, AI score 6.7, EPSS 0.00213
Exploits 1, References 2, Affected Software 1