CVE-2026-25146 OpenEMR's payments gateway_api_key secret rendered into client JS code

OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are at least two paths where the gatewayapikey secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary...

EUVD-2026-9329

OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are at least two paths where the gatewayapikey secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary...

CVE-2026-25146

OpenEMR is affected from version 5.0.2 up to, but not including, 8.0.0. In at least two code paths, the gateway_api_key secret value is rendered in plaintext in client-side JavaScript, exposing the key used to authorize payment gateway APIs. This leakage can enable arbitrary money movements or br...

Rancher's Azure AD permission changes are not reflected on active sessions

A bug has been identified in which permission changes in Azure AD are not reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or ar...

WordPress AI ChatBot with ChatGPT and Content Generator by AYS plugin <= 2.7.5 - Missing Authorization to Unauthenticated API Key Modification vulnerability

Missing Authorization to Unauthenticated API Key Modification vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin AI ChatBot with ChatGPT and Content Generator by AYS versions = 2.7.5...

CVE-2026-1336 AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.5 - Missing Authorization to Unauthenticated API Key Modification

The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the storedata and getchatgptapikey functions in all versions up to, and including, 2.7.5. This makes it possible for...

CVE-2026-1336

The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the storedata and getchatgptapikey functions in all versions up to, and including, 2.7.5. This makes it possible for...

EUVD-2026-9268

The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the storedata and getchatgptapikey functions in all versions up to, and including, 2.7.5. This makes it possible for...

CVE-2026-1336 AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.5 - Missing Authorization to Unauthenticated API Key Modification

The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the storedata and getchatgptapikey functions in all versions up to, and including, 2.7.5. This makes it possible for...

CVE-2026-22207

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the rootapikey configuration is omitted. Attackers can send requests to protected endpoints without authentication headers ...

Missing Authentication for Critical Function

Overview openviking is an An Agent-native context database Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the omission of the rootapikey configuration. An attacker can gain unauthorized ROOT-level access by sending requests to protected...

EUVD-2026-8885

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the rootapikey configuration is omitted. Attackers can send requests to protected endpoints without authentication headers ...

CVE-2026-22207

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the rootapikey configuration is omitted. Attackers can send requests to protected endpoints without authentication headers ...

CVE-2026-22207

OpenViking up to version 0.1.18 (pre-commit 0251c70) contains a broken access control flaw that lets unauthenticated attackers gain ROOT privileges when root_api_key is omitted. Attackers can reach protected endpoints without authentication headers to perform administrative actions including acco...

CVE-2026-22207

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the rootapikey configuration is omitted. Attackers can send requests to protected endpoints without authentication headers ...

OpenViking 访问控制错误漏洞

OpenViking is an open-source artificial intelligence agent-based context database developed by Volcengine. Versions of OpenViking prior to 0.1.18 contained a security vulnerability related to access control. This vulnerability resulted from an attack on access control mechanisms, allowing...

PT-2026-22190

Name of the Vulnerable Software and Affected Versions OpenViking versions prior to 0.1.19 Description The software contains a broken access control issue. Unauthenticated attackers can gain ROOT privileges when the root api key configuration is not set. Attackers can send requests to protected AP...

CVE-2026-3209

A vulnerability has been found in fosrl Pangolin up to 1.15.4-s.3. This affects the function verifyRoleAccess/verifyApiKeyRoleAccess of the component Role Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. The exploit has been disclosed to...

EUVD-2026-8646

Budibase: Remote Code Execution via Unsafe eval in View Filter Map Function Budibase Cloud...

CVE-2025-14799

The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison == instead of strict comparison === when validating the installation ID in the...