39 matches found

Nuclei
added 12 hours ago · 21 views

Grafana - Exposes DingDing API Keys

An incident occurred where the DingDing alerting integration URL was inadvertently exposed to viewers due to a setting oversight in versions below or equal to 12.0.1. id: CVE-2025-3415 info: name: Grafana - Exposes DingDing API Keys author: lucasribolli severity: medium description: | An inciden...

4.3 CVSS · 6.3 AI score · 0.00438 EPSS
Exploits 0 · References 1
Patchstack
added 2026/05/20 3:45 p.m. · 5 views

NPM: Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows

NPM: Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

5.8 AI score
Exploits 0 · References 2 · Affected Software 1
OSV
added 2026/05/18 5:34 p.m. · 2 views

GHSA-9M6V-8FXC-4R44 Sulu: Used API Keys may be available via Admin API

Impact The users endpoint controller exposes a project's apiKey field to the logged-in user, provided they have permission for that endpoint. This only has impact if a project itself uses that specific field, Sulu itself does nothing with it and has no authentication per apiKey in its core. Patch...

2.3 CVSS · 5.8 AI score
Exploits 0 · References 4
EUVD
added 2026/05/04 5:30 p.m. · 3 views

EUVD-2026-27069

titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as googlesecret, openaiapikey, and...

6.5 CVSS · 5.8 AI score · 0.00034 EPSS
Exploits 0 · References 1
Vulnrichment
added 2026/05/04 5:30 p.m. · 5 views

CVE-2026-42092 Global Settings Publication Exposes Sensitive Configuration to Any Authenticated User in Titra

titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as googlesecret, openaiapikey, and...

6.5 CVSS · 5.8 AI score · 0.00034 EPSS
Exploits 0 · References 1
Positive Technologies
added 2026/05/04 12:0 a.m. · 4 views

PT-2026-36884

Name of the Vulnerable Software and Affected Versions titra version 0.99.52 Description The globalsettings Meteor publication returns all global settings without performing administrative or role-based access checks. This allows any authenticated user to subscribe via DDP Distributed Data Protoco...

6.5 CVSS · 5.8 AI score · 0.00034 EPSS
Exploits 0 · References 4
CVE
added 2026/03/19 2:39 p.m. · 5 views

CVE-2026-32843

A reflected cross-site scripting (XSS) vulnerability affects Location Aware Sensor System by LinkIt ONE up to commit f06bd20 (2023-04-26) in PM25.php. The issue arises from allowing unencoded payloads via GET parameters (site, city, district, channel, or apikey), enabling remote attackers to exec...

5.1 CVSS · 6 AI score · 0.00097 EPSS
Exploits 0 · References 2
RedhatCVE
added 2026/01/31 9:13 p.m. · 4 views

CVE-2024-9432

Cleartext Storage of Sensitive Information vulnerability in OpenText™ Vertica allows Retrieve Embedded Sensitive Data. The vulnerability could read Vertica agent plaintext apikey. This issue affects Vertica versions: 23.X, 24.X, 25.X...

6.9 CVSS · 5.9 AI score · 0.00005 EPSS
Exploits 0 · References 1
CVE
added 2026/01/30 6:31 p.m. · 8 views

CVE-2024-9432

CVE-2024-9432 pertains to OpenText Vertica where a vulnerability in the Vertica agent can allow reading a plaintext API key. Affected versions are Vertica 23.X, 24.X, and 25.X. The CVSS metrics indicate local attack vector with high exploit complexity and high privileges required, potentially imp...

6.9 CVSS · 5.9 AI score · 0.00005 EPSS
Exploits 0 · References 1
Oracle linux
added 2026/01/27 12:0 a.m. · 4 views

fence-agents security update

4.2.1-129.20 - bundled urllib3: fix CVE-2025-66471 - bundled urllib3: fix CVE-2026-21441 Resolves: RHEL-139756, RHEL-140783 4.2.1-129.17 - bundled urllib3: fix CVE-2025-66418 Resolves: RHEL-136027 4.2.1-129.16 - fencenutanixahv: new fence agent Resolves: RHEL-110964 4.2.1-129.15 - fencekubevirt:...

8.9 CVSS · 5.8 AI score · 0.00208 EPSS
Exploits 1
EUVD
added 2025/10/07 12:30 a.m. · 1 views

EUVD-2015-7314

Malware in sbrugna...

9.8 CVSS · 9.4 AI score · 0.004 EPSS
Exploits 2 · References 3
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2017-3174

Malware in sbrugna...

7.5 CVSS · 7.6 AI score · 0.07722 EPSS
Exploits 1 · References 4
OSV
added 2025/08/28 7:36 p.m. · 1 views

GHSA-3RW9-WMC8-8948 Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token

Summary If users log in to Coder via OIDC, and the OpenID Identity Provider does not return a refresh token, then Coder may allow their web session to continue beyond the expiration of the token returned by the OpenID Identity Provider. Details When a user logs in via OIDC, Coder stores the OIDC...

2.3 CVSS · 6.6 AI score
Exploits 0 · References 3
RedhatCVE
added 2025/05/22 6:38 p.m. · 4 views

CVE-2021-37414

Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication...

7.5 CVSS · 6.8 AI score · 0.02223 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 2:36 a.m. · 6 views

CVE-2017-11559

An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack...

7.5 CVSS · 8.1 AI score · 0.07722 EPSS
Exploits 1 · References 1
OSV
added 2024/10/02 4:15 p.m. · 0 views

CVE-2024-6360

Incorrect Permission Assignment for Critical Resource vulnerability in OpenText™ Vertica could allow Privilege Abuse and result in unauthorized access or privileges to Vertica agent apikey. This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X, from 23...

9.8 CVSS · 5.8 AI score · 0.00098 EPSS
Exploits 0 · References 1
Cvelist
added 2024/10/02 3:19 p.m. · 14 views

CVE-2024-6360 Incorrect Permission Assignment for Critical Resource vulnerability has been discovered in OpenText™ Vertica.

Incorrect Permission Assignment for Critical Resource vulnerability in OpenText™ Vertica could allow Privilege Abuse and result in unauthorized access or privileges to Vertica agent apikey. This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X, from 23...

6.9 CVSS · 0.00098 EPSS
Exploits 0 · References 1
Positive Technologies
added 2024/10/02 12:0 a.m. · 1 views

PT-2024-37565 · Opentext · Opentext Vertica

Name of the Vulnerable Software and Affected Versions: OpenText Vertica versions 10.0 through 10.X OpenText Vertica versions 11.0 through 11.X OpenText Vertica versions 12.0 through 12.X OpenText Vertica versions 23.0 through 23.X OpenText Vertica versions 24.0 through 24.X Description: The issue...

6.9 CVSS · 7.2 AI score · 0.00098 EPSS
Exploits 0 · References 5
OSSF Malicious Packages
added 2024/07/11 2:22 a.m. · 3 views

Malicious code in sap-apikey (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis cb8fd3ec31e8b463a6693640ad63d0daa3ec8d6ab786d3c92b8b0b713dddeec6 The OpenSSF Package Analysis project identified 'sap-apikey' @ 0.0.0 npm as malicious. It is considered malicious because: - The package...

7.1 AI score
Exploits 0
OSV
added 2024/07/11 2:22 a.m. · 4 views

MAL-2024-7555 Malicious code in sap-apikey (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis cb8fd3ec31e8b463a6693640ad63d0daa3ec8d6ab786d3c92b8b0b713dddeec6 The OpenSSF Package Analysis project identified 'sap-apikey' @ 0.0.0 npm as malicious. It is considered malicious because: - The package...

7.3 AI score
Exploits 0