28 matches found

RedhatCVE
added 2026/01/09 11:20 a.m. | 4 views

CVE-2021-22148

Elastic Enterprise Search App Search versions before 7.14.0 were vulnerable to an issue where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines...

CVSS 8.8 | AI score 6.8 | EPSS 0.0024
Exploits: 0 | References: 1

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2020-3201

Malware in sbrugna...

CVSS 9.1 | AI score 9 | EPSS 0.00257
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2016-7702

Malware in sbrugna...

CVSS 9.8 | AI score 9.2 | EPSS 0.01502
Exploits: 0 | References: 5

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2025-6442

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 9.2 | EPSS 0.00153
Exploits: 0 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2022-29612

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 9.1 | EPSS 0.00261
Exploits: 0 | References: 5

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2024-30281

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 6.6 | EPSS 0.00167
Exploits: 0 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2022-33791

Malicious code in bioql PyPI...

CVSS 5.4 | AI score 5.1 | EPSS 0.00103
Exploits: 0 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2021-8647

Malicious code in bioql PyPI...

CVSS 6.2 | AI score 5.8 | EPSS 0.00042
Exploits: 0 | References: 4

NVD
added 2025/06/14 9:15 a.m. | 7 views

CVE-2025-4592

The AI Image Lab – Free AI Image Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the 'wpz-ai-images' page. This makes it possible for unauthenticated attackers to update...

CVSS 4.3 | EPSS 0.00046
Exploits: 0 | References: 2

NVD
added 2025/06/02 12:15 p.m. | 16 views

CVE-2025-48495

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior to version 2.0.0,...

CVSS 5.4 | EPSS 0.00064
Exploits: 0 | References: 2

RedhatCVE
added 2025/05/22 6:20 p.m. | 5 views

CVE-2021-22149

Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users...

CVSS 8.8 | AI score 6.7 | EPSS 0.00275
Exploits: 0 | References: 1

NVD
added 2025/05/07 3:15 a.m. | 18 views

CVE-2025-3853

The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callbackgenerateapikey due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above...

CVSS 6.5 | EPSS 0.00218
Exploits: 0 | References: 2

Cvelist
added 2025/05/07 1:43 a.m. | 19 views

CVE-2025-3853 WPshop 2 – E-Commerce 2.0.0 - 2.6.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Key Generation

The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callbackgenerateapikey due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above...

CVSS 6.5 | EPSS 0.00218
Exploits: 0 | References: 2

NVD
added 2025/03/19 4:15 p.m. | 6 views

CVE-2025-30197

Jenkins Zoho QEngine Plugin 1.0.29.vfacc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it...

CVSS 3.1 | EPSS 0.00092
Exploits: 0 | References: 1

NVD
added 2025/03/14 5:15 a.m. | 17 views

CVE-2025-1285

The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the deleteapikey and saveapikey AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to...

CVSS 5.3 | EPSS 0.00153
Exploits: 0 | References: 2

Github Security Blog
added 2025/02/21 10:48 p.m. | 27 views

Leantime allows Stored Cross-Site Scripting (XSS)

Description: Leantime allows stored cross-site scripting (XSS) in the API key name while generating the API key. Impact: Any low-privileged user, like a manager or editor, can create an API key with an XSS payload. When an admin visits the Company page, the XSS will automatically get triggered leading t...

AI score 5.2
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2025/02/03 12:0 a.m. | 10 views

CVE-2024-34897

Nedis SmartLife android app v1.4.0 was discovered to contain an API key disclosure vulnerability...

EPSS 0.00277
Exploits: 0 | References: 2

Hacker One
added 2025/01/30 1:27 a.m. | 12 views

HackerOne: Ability to access policy and updates for unauthorized program

The vulnerability allowed an unauthorized user to access the policy and updates for a restricted program using an API key. The user was able to retrieve sensitive data from the unauthorized program, even though they were only granted access to one of the two programs in the organization...

AI score 6.9
Exploits: 0

OSV
added 2024/11/26 6:15 a.m. | 1 view

CVE-2024-10781

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to a missing empty value check on the 'apikey' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for...

CVSS 7.5 | AI score 6.5 | EPSS 0.02512
Exploits: 1 | References: 4

Patchstack
added 2024/07/22 3:17 a.m. | 1 view

WordPress Getwid – Gutenberg Blocks plugin <= 2.0.10 - Missing Authentication to API key update vulnerability

Missing Authentication to API key update vulnerability discovered by Peter Thaleikis in WordPress Plugin Getwid versions <= 2.0.10...

CVSS 4.3 | AI score 7 | EPSS 0.00135
Exploits: 0 | References: 1 | Affected Software: 1