Lucene search
K

141 matches found

RedhatCVE
RedhatCVE
added 2026/02/04 3:15 a.m.8 views

CVE-2025-70841

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key APPKEY, database credentials, SMTP/SendGrid API...

10CVSS5.4AI score0.00383EPSS
Exploits1References1
OSV
OSV
added 2026/02/03 6:16 p.m.7 views

CVE-2025-70841

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key APPKEY, database credentials, SMTP/SendGrid API...

7.5CVSS5.9AI score0.00383EPSS
Exploits1References2
NVD
NVD
added 2026/02/03 6:16 p.m.8 views

CVE-2025-70841

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key APPKEY, database credentials, SMTP/SendGrid API...

10CVSS0.00383EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/02/03 12:0 a.m.27 views

CVE-2025-70841

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key APPKEY, database credentials, SMTP/SendGrid API...

10CVSS0.00383EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/03 12:0 a.m.2 views

CVE-2025-70841

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key APPKEY, database credentials, SMTP/SendGrid API...

10CVSS5.4AI score0.00383EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/02/03 12:0 a.m.12 views

PT-2026-5987

Name of the Vulnerable Software and Affected Versions Dokans Multi-Tenancy Based eCommerce Platform version 3.9.2 Description The platform allows unauthenticated remote attackers to obtain sensitive application configuration data by directly requesting the '/script/.env' file. This file contains...

10CVSS5.5AI score0.00383EPSS
Exploits1References6
CVE
CVE
added 2026/02/03 12:0 a.m.17 views

CVE-2025-70841

Dokans Multi-Tenancy Based eCommerce Platform SaaS version 3.9.2 is vulnerable to unauthenticated remote access to the /script/.env file. The exposure reveals sensitive data including the Laravel APP_KEY, database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, ...

10CVSS5.5AI score0.00383EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/01/24 3:34 p.m.37 views

CVE-2026-0862 Save as PDF Plugin by PDFCrowd <= 4.5.5 - Reflected Cross-Site Scripting via options

The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘options’ parameter in all versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...

6.1CVSS0.00227EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/01/21 10:29 p.m.4 views

CVE-2026-23996

FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verifykey. The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys b...

3.7CVSS5.4AI score0.00254EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/01/14 6:40 a.m.34 views

CVE-2026-0812 LinkedIn SC <= 1.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Page

The LinkedIn SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkedinscdateformat', 'linkedinscapikey', and 'linkedinscsecretkey' parameters in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible...

4.4CVSS0.00193EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/01/13 10:52 p.m.6 views

CVE-2026-22799

Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint /index.php?rest-api=upload for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers with a valid API key ...

9.3CVSS8.1AI score0.00627EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/07 9:12 a.m.5 views

CVE-2025-67732

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version...

8.4CVSS6.6AI score0.00305EPSS
Exploits1References1
NVD
NVD
added 2025/12/27 9:15 a.m.7 views

CVE-2025-15105

A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument apikey results in use of hard-coded cryptographic key . Remote exploitation of the attack...

6.3CVSS0.00458EPSS
Exploits1References4
OSV
OSV
added 2025/12/27 9:2 a.m.5 views

CVE-2025-15105 getmaxun auth.ts hard-coded key

A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument apikey results in use of hard-coded cryptographic key . Remote exploitation of the attack...

6.3CVSS5.3AI score0.00458EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2025/12/27 12:0 a.m.6 views

PT-2025-53617

Name of the Vulnerable Software and Affected Versions getmaxun versions up to 0.0.28 Description A security flaw exists in getmaxun maxun up to version 0.0.28. The issue involves manipulation of the api key argument within an unknown function located in the file...

6.3CVSS5.9AI score0.00458EPSS
Exploits1References8
GithubExploit
GithubExploit
added 2025/12/23 9:54 a.m.156 views

Exploit for Code Injection in Laravel Livewire

Livepyre A tool designed to exploit CVE-2025-54068 an...

9.8CVSS5.8AI score0.95376EPSS
Exploits5
Vulnrichment
Vulnrichment
added 2025/12/20 3:20 a.m.2 views

CVE-2025-12898 Pretty Google Calendar <= 2.0.0 - Missing Authorization to Unauthenticated Google API Key Exposure

The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcalajaxhandler function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in t...

5.3CVSS4.9AI score0.00231EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2025/12/15 12:0 a.m.10 views

PT-2025-51227

The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functionality in all versions up to, and including, 3.6.1. This is due to the plugin processing POST requests without verifying...

5.3CVSS5.3AI score0.003EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2025/12/12 12:0 a.m.9 views

PT-2025-50860

The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefy embed options update' settings update action. This makes it possible for unauthenticated attackers to update the...

4.3CVSS5.4AI score0.00129EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/12/02 4:14 p.m.8 views

CVE-2025-13829

Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: APIKEY 1 year user Session RefreshToken 10 minutes user Session Password hashed with bcrypt User IP Email Full Na...

8.6CVSS6.6AI score0.00265EPSS
Exploits0References1
Rows per page
Query Builder