CVE-2026-42514 Sensitive Data Exposure Vulnerability in e-Sushrut HMIS
This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs. Successful exploitation of this vulnerability could allow an attacker to impersonate the target...
CVE-2026-42514
CVE-2026-42514 affects e-Sushrut HMIS. The issue is exposure of OTPs in plaintext within API responses, enabling a remote attacker to intercept responses containing valid OTPs. If exploited, an attacker could impersonate a target user and gain unauthorized access to user accounts. Metrics indicat...
CVE-2025-52642 HCL AION is affected by an internal filesystem path disclosure vulnerability
HCL AION is affected by a vulnerability where internal filesystem paths may be exposed through application responses or system behaviour. Exposure of internal paths may reveal environment structure details which could potentially aid in further targeted attacks or information disclosure...
GHSA-9CP7-3Q5W-J92G parse-server: Malformed `$regex` query leaks database error details in API response
Impact A malformed $regex query parameter e.g. abc causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details. The vulnerabilit...
PT-2026-23754
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.7 Parse Server versions prior to 9.5.0-alpha.6 Description Parse Server is an open-source backend deployable on Node.js infrastructures. A malformed $regex query parameter, such as abc, can cause the database...
CVE-2025-1242
The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicio...
CVE-2025-1242 Administrative Credentials Can Be Extracted Through Gardyn API Responses
The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicio...
Gardyn 4 Trust Management Vulnerability
Gardyn 4 is a home-use vertical hydroponic cultivation system developed by the American company Gardyn. Gardyn 4 has a vulnerability related to trust management. This vulnerability stems from the ability to extract management credentials through application API responses, mobile application rever...
PT-2026-21920
Name of the Vulnerable Software and Affected Versions Gardyn IoT Hub affected versions not specified Description Administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. This exposure may allow ...
The Hidden Threat: How Sensitive Information Leakage Puts Your Business at Risk
You Don't Know What You Don't Know – And That's the Problem Picture this: Your development team has built a robust e-commerce platform. Your security team has implemented comprehensive protection measures. Your compliance team has checked all the boxes. Yet somewhere in your application stack, fu...
CVE-2023-26052
Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated...
CVE-2018-5559
In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response sent over an encrypted channel. This issue does not affect...
Fork CMS Cross Site Scripting
Fork-CMS Stored XSS: Author: Rafay Baloch Introduction: Cross Site Scripting (XSS) has been a problem for ages. XSS occurs when the input data is copied into application responses without being sanitized...
WordPress Custom Contact Forms Cross Site Scripting
WordPress Security audit Custom Contact Forms 1. Cross-site scripting reflected 1.1. http://127.0.0.1/wp-admin/options-general.php name of an arbitrarily supplied request parameter 1.2. http://127.0.0.1/wp-admin/options-general.php name of an...