1298 matches found
CVE-2026-9073
A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...
CVE-2026-54327
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only...
CVE-2026-11820
CVE-2026-11820 affects the community.general nexmo module. Credentials api_key and api_secret are declared no_log but are URL-encoded into a GET request, exposing them in the query string (e.g., .../sms/json?api_key=...&api_secret=...). The vulnerability arises because the code constructs the URL...
EUVD-2026-38603
A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...
CVE-2026-9073
A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...
CVE-2026-54327
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only...
EUVD-2026-38430
Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforcehashedapikeys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to th...
CVE-2026-56243
Capgo before 12.128.2 has a security control bypass in the PostgREST/RLS plane: it accepts plaintext API keys via the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext keys directly to the PostgREST/RLS plane t...
CVE-2026-56243 Capgo - Hashed API Key Enforcement Bypass via PostgREST/RLS Plane
Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforcehashedapikeys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to th...
CVE-2026-56229
Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched appid and jobid combination. Limited API keys restricted to a single app can...
EUVD-2026-38164
Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched appid and jobid combination. Limited API keys restricted to a single app can...
PT-2026-51218
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An authorization bypass exists in the '/build/status' and '/build/logs' endpoints. Attackers can access build jobs belonging to different applications by providing a mismatched app id and job id...
Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 CVSS score: 5.3, is a medium-severity information disclosure flaw that can allow unauthenticated attackers ...
netlicensing-mcp: REST Path Traversal Bypasses Token Redaction
REST Path Traversal Bypasses Token Redaction in netlicensing-mcp Summary The netlicensinggetproduct MCP tool in netlicensing-mcp interpolates a caller-controlled productnumber argument directly into a REST URL path without any validation. Passing ../token as the product number causes httpx to...
PT-2026-50493
Name of the Vulnerable Software and Affected Versions @mariozechner/pi-coding-agent versions 0.28.0 through 0.73.1 @earendil-works/pi-coding-agent versions 0.74.0 through 0.78.0 Description A race condition in the file write path of the credential storage implementation allows the auth.json file,...
CVE-2026-53840
OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers lik...
PT-2026-49757
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.12 Description An information disclosure issue exists in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP...
MAL-2026-5784 Malicious code in vaults-monitor-cron (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b81c6b9e59e86c40858cb47e91d597b3776fea71def7feb3ca11833625fa3923 On npm install, the package's preinstall hook node postinstall.js || true executes automatically. The script collects hostname, username, and current...
CVE-2026-47225 Improper Search Cache Isolation for Scoped Search API Keys in Typesense
Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is a cache isolation issue affecting search requests that use both server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across...
CVE-2026-47225 Improper Search Cache Isolation for Scoped Search API Keys in Typesense
Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is a cache isolation issue affecting search requests that use both server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across...