Lucene search
K

1298 matches found

NVD
NVD
added 2026/06/23 9:17 p.m.14 views

CVE-2026-9073

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

6.2CVSS0.00152EPSS
Exploits0References3
NVD
NVD
added 2026/06/23 8:16 p.m.8 views

CVE-2026-54327

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only...

2.2CVSS0.00074EPSS
Exploits0References3
CVE
CVE
added 2026/06/23 7:53 p.m.17 views

CVE-2026-11820

CVE-2026-11820 affects the community.general nexmo module. Credentials api_key and api_secret are declared no_log but are URL-encoded into a GET request, exposing them in the query string (e.g., .../sms/json?api_key=...&api_secret=...). The vulnerability arises because the code constructs the URL...

6.5CVSS5.8AI score0.00287EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/06/23 7:53 p.m.7 views

EUVD-2026-38603

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

6.2CVSS5.8AI score0.00152EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/23 7:53 p.m.5 views

CVE-2026-9073

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

6.2CVSS5.8AI score0.00152EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/23 7:28 p.m.4 views

CVE-2026-54327

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only...

2.2CVSS5.8AI score0.00074EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/06/23 12:12 p.m.7 views

EUVD-2026-38430

Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforcehashedapikeys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to th...

8.6CVSS5.9AI score0.00273EPSS
Exploits0References2
CVE
CVE
added 2026/06/23 12:12 p.m.9 views

CVE-2026-56243

Capgo before 12.128.2 has a security control bypass in the PostgREST/RLS plane: it accepts plaintext API keys via the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext keys directly to the PostgREST/RLS plane t...

8.6CVSS5.9AI score0.00273EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/23 12:12 p.m.33 views

CVE-2026-56243 Capgo - Hashed API Key Enforcement Bypass via PostgREST/RLS Plane

Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforcehashedapikeys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to th...

8.6CVSS0.00273EPSS
Exploits0References2
NVD
NVD
added 2026/06/21 2:16 p.m.18 views

CVE-2026-56229

Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched appid and jobid combination. Limited API keys restricted to a single app can...

7.1CVSS0.00221EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/21 1:26 p.m.8 views

EUVD-2026-38164

Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched appid and jobid combination. Limited API keys restricted to a single app can...

7.1CVSS5.9AI score0.00221EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/21 12:0 a.m.11 views

PT-2026-51218

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An authorization bypass exists in the '/build/status' and '/build/logs' endpoints. Attackers can access build jobs belonging to different applications by providing a mismatched app id and job id...

7.1CVSS5.8AI score0.00221EPSS
Exploits0References7
The Hacker News
The Hacker News
added 2026/06/20 9:56 a.m.15 views

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 CVSS score: 5.3, is a medium-severity information disclosure flaw that can allow unauthenticated attackers ...

7.5CVSS5.9AI score0.39704EPSS
Exploits2
Github Security Blog
Github Security Blog
added 2026/06/18 5:22 p.m.11 views

netlicensing-mcp: REST Path Traversal Bypasses Token Redaction

REST Path Traversal Bypasses Token Redaction in netlicensing-mcp Summary The netlicensinggetproduct MCP tool in netlicensing-mcp interpolates a caller-controlled productnumber argument directly into a REST URL path without any validation. Passing ../token as the product number causes httpx to...

5.5AI score
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.13 views

PT-2026-50493

Name of the Vulnerable Software and Affected Versions @mariozechner/pi-coding-agent versions 0.28.0 through 0.73.1 @earendil-works/pi-coding-agent versions 0.74.0 through 0.78.0 Description A race condition in the file write path of the credential storage implementation allows the auth.json file,...

2.2CVSS5.7AI score0.00074EPSS
Exploits0References8
NVD
NVD
added 2026/06/16 7:17 p.m.13 views

CVE-2026-53840

OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers lik...

7.1CVSS0.00223EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.11 views

PT-2026-49757

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.12 Description An information disclosure issue exists in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP...

7.1CVSS5.3AI score0.00223EPSS
Exploits0References9
OSV
OSV
added 2026/06/15 3:9 p.m.9 views

MAL-2026-5784 Malicious code in vaults-monitor-cron (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b81c6b9e59e86c40858cb47e91d597b3776fea71def7feb3ca11833625fa3923 On npm install, the package's preinstall hook node postinstall.js || true executes automatically. The script collects hostname, username, and current...

5.4AI score
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 5:12 p.m.63 views

CVE-2026-47225 Improper Search Cache Isolation for Scoped Search API Keys in Typesense

Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is a cache isolation issue affecting search requests that use both server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across...

6CVSS0.00226EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 5:12 p.m.10 views

CVE-2026-47225 Improper Search Cache Isolation for Scoped Search API Keys in Typesense

Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is a cache isolation issue affecting search requests that use both server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across...

6CVSS5.3AI score0.00226EPSS
Exploits0References1
Rows per page
Query Builder