12 matches found
PYSEC-2026-3 Two telnyx versions published containing credential harvesting malware
After an API token exposure from an exploited Trivy dependency, two new releases of telnyx were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API. Compromised versions execute code during importing the telnyx...
PYSEC-2026-2 Two litellm versions published containing credential harvesting malware
After an API Token exposure from an exploited Trivy dependency, two new releases of litellm were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API. The malicious code runs during importing any module from the...
EUVD-2026-14178
The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data function is registered as a wp_ajax AJAX handler accessible to all authenticated users. The function lacks any capability che...
CVE-2026-3546 e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via API Token via 'eshot_form_builder_get_account_data' AJAX Action
The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data function is registered as a wp_ajax AJAX handler accessible to all authenticated users. The function lacks any capability che...
EUVD-2020-0093
Malware in sbrugna...
EUVD-2023-40564
Malicious code in bioql PyPI...
CVE-2021-27024
A flaw was discovered in Continuous Delivery for Puppet Enterprise CD4PE that results in a user with lower privileges being able to access a Puppet Enterprise API token. This issue is resolved in CD4PE 4.10.0...
CVE-2024-35223 Dapr API Token Exposure
Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes a leak of the application token of the invoker app to the invoked app when using Dapr as a...
CVE-2023-36620
An issue was discovered in the Boomerang Parental Control application before 13.83 for Android. The app is missing the android:allowBackup="false" attribute in the manifest. This allows the user to backup the internal memory of the app to a PC. This gives the user access to the API token that is...
PT-2023-25636 · Unknown · Boomerang Parental Control
Name of the Vulnerable Software and Affected Versions: Boomerang Parental Control application versions prior to 13.83 for Android Description: An issue was discovered in the Boomerang Parental Control application where the app is missing the android:allowBackup="false" attribute in the manifest...
PT-2022-25771 · Jenkins · Jenkins Cons3Rt Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins CONS3RT Plugin versions 1.0.0 and earlier Description: The issue allows users with access to the Jenkins controller file system to view the Cons3rt API token, which is stored unencrypted in job config.xml files on the Jenkins...