Lucene search
+L

52 matches found

Nuclei
Nuclei
added yesterday28 views

Grafana - Exposes DingDing API Keys

An incident occurred where the DingDing alerting integration URL was inadvertently exposed to viewers due to a setting oversight in versions below or equals to 12.0.1. id: CVE-2025-3415 info: name: Grafana - Exposes DingDing API Keys author: lucasribolli severity: medium description: | An inciden...

4.3CVSS5.2AI score0.0089EPSS
Exploits0References1
NVD
NVD
added 2 days ago8 views

CVE-2026-62241

clawvet self-hosted API server apps/api before 0.7.5 hard-codes a fallback JWT secret 'clawvet-dev-secret-change-me' in auth.ts and ships it as the default in .env.example. Because GET /api/v1/scans returns scan records containing userId values without authentication, a remote unauthenticated...

9.3CVSS0.00389EPSS
Exploits0References2
NVD
NVD
added 2026/07/11 2:16 p.m.6 views

CVE-2026-56303

Capgo before 12.128.2 contains an information disclosure vulnerability in the findapikeybyvalue PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attackers can call this function via the /rest/v1/rpc/findapikeybyvalue endpoint to retrieve sensitive API k...

8.7CVSS0.00302EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/01 12:34 a.m.12 views

EUVD-2026-40441

Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser,...

5.3CVSS5.8AI score0.00234EPSS
Exploits0References3
NVD
NVD
added 2026/06/30 11:17 p.m.9 views

CVE-2026-56333

Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser,...

5.3CVSS0.00234EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/30 10:8 p.m.5 views

CVE-2026-56333

Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser,...

5.3CVSS5.8AI score0.00234EPSS
Exploits0References3
OSV
OSV
added 2026/06/30 10:8 p.m.3 views

CVE-2026-56333 Capgo - Server-Side Validation Bypass via Direct Browser-Side Organization Security Settings Updates

Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser,...

5.3CVSS6AI score0.00234EPSS
Exploits0References4
OSV
OSV
added 2026/06/25 6:26 p.m.6 views

GO-2026-5170 OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response in github.com/openfga/openfga

OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response in github.com/openfga/openfga...

7.5CVSS5.8AI score0.00286EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/22 9:4 p.m.29 views

CVE-2026-56268 Flowise - Cross-Workspace Information Disclosure via chatflows/apikey Endpoint

Flowise before 3.1.2 contains an information disclosure vulnerability in the /api/v1/chatflows/apikey/:apikey endpoint. When the keyonly query parameter is omitted the default, the endpoint returns not only the chatflows bound to the supplied API key but also all chatflows across every workspace...

7.7CVSS0.00281EPSS
Exploits1References2
CVE
CVE
added 2026/06/21 1:26 p.m.25 views

CVE-2026-56242

Technical details beyond the provided description are not publicly available in the supplied documents. Monitor for updates for vulnerability specifics, affected versions, impact, and remediations.

8.7CVSS5.9AI score0.00259EPSS
Exploits0References2
NVD
NVD
added 2026/06/20 1:16 a.m.15 views

CVE-2026-56216

Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits. Attackers with a compromised app-limited key can create an unrestricted key with org-wide access to resourc...

8.8CVSS0.00251EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/20 12:14 a.m.8 views

CVE-2026-56216

Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits. Attackers with a compromised app-limited key can create an unrestricted key with org-wide access to resourc...

8.8CVSS5.9AI score0.00251EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/20 12:14 a.m.9 views

EUVD-2026-38102

Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits. Attackers with a compromised app-limited key can create an unrestricted key with org-wide access to resourc...

8.8CVSS5.9AI score0.00251EPSS
Exploits0References2
CVE
CVE
added 2026/06/20 12:14 a.m.31 views

CVE-2026-56216

Capgo before 12.128.2 is vulnerable to a scope escalation in POST /functions/v1/apikey where app-limited API keys can mint unrestricted keys by sending empty limits. An compromised app-limited key can create an org-wide, unrestricted key accessing resources such as app listings and protected endp...

8.8CVSS5.9AI score0.00251EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/05/20 3:45 p.m.19 views

NPM: Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows

NPM: Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

5.8AI score
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/18 5:34 p.m.7 views

GHSA-9M6V-8FXC-4R44 Sulu: Used API Keys may be available via Admin API

Impact The users endpoint controller exposes a project's apiKey field to the logged-in user, provided they have permission for that endpoint. This only has impact if a project itself uses that specific field, Sulu itself does nothing with it and has no authentication per apiKey in its core. Patch...

2.3CVSS5.8AI score
Exploits0References4
EUVD
EUVD
added 2026/05/04 5:30 p.m.13 views

EUVD-2026-27069

titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as googlesecret, openaiapikey, and...

6.5CVSS5.8AI score0.00219EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/04 5:30 p.m.9 views

CVE-2026-42092 Global Settings Publication Exposes Sensitive Configuration to Any Authenticated User in Titra

titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as googlesecret, openaiapikey, and...

6.5CVSS5.8AI score0.00219EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/04 12:0 a.m.17 views

PT-2026-36884

Name of the Vulnerable Software and Affected Versions titra version 0.99.52 Description The globalsettings Meteor publication returns all global settings without performing administrative or role-based access checks. This allows any authenticated user to subscribe via DDP Distributed Data Protoco...

6.5CVSS5.8AI score0.00219EPSS
Exploits0References4
CVE
CVE
added 2026/03/19 2:39 p.m.13 views

CVE-2026-32843

A reflected cross-site scripting (XSS) vulnerability affects Location Aware Sensor System by LinkIt ONE up to commit f06bd20 (2023-04-26) in PM25.php. The issue arises from allowing unencoded payloads via GET parameters (site, city, district, channel, or apikey), enabling remote attackers to exec...

5.1CVSS6AI score0.00454EPSS
Exploits0References2
Rows per page
Query Builder