CVE-2026-46397 haxcms-php Local File Inclusion via saveOutline API Location Parameter v2.0
HAX CMS helps manage a microsite universe with PHP or NodeJS backends. Prior to version 26.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written in...
CVE-2026-32847 DeepCode 1.2.0 Path Traversal via SPA Catch-All Route in main.py
DeepCode through commit c991dc2 contains a path traversal vulnerability in the SPA catch-all route in newui/backend/main.py that allows unauthenticated attackers to read arbitrary files by supplying percent-encoded path segments to the GET /{full_path:path} endpoint. Attackers can bypass Starlette's...
CVE-2026-42878 FacturaScripts: Unauthenticated phpinfo() Disclosure via Installer Endpoint in FacturaScripts
FacturaScripts is an open source accounting and invoicing application. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PH...
GHSA-6Q65-J4JW-9CG8 DotVVM allows path traversal when deployed in Debug mode
Description: There is a path traversal vulnerability in any DotVVM application started in Debug mode if at least one resource with the FileResourceLocation has been added. The vulnerability allows an attacker to read arbitrary files from the filesystem accessible by the web application, i.e...
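Both the DeepCode and the DotVVM entries above describe the same failure: a route hands a client-controlled path to the filesystem without first proving that the canonical target still sits under the intended root. The DeepCode excerpt is cut off before it says which Starlette check is bypassed, so the example below assumes the generic form of the bug (the traversal check runs on the still-percent-encoded URL string, and decoding happens only when the filesystem path is built). It is an added example written for this page, not code from DeepCode, Starlette or DotVVM; the fixture directory, file names and the `naive_resolve` / `safe_resolve` helpers are all constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(root: str, raw_path: str):
    """Weak check (the assumed bug): inspects the still-encoded URL path and
    only decodes it when building the filesystem path. "%2e%2e" contains no
    literal "..", so the check passes and unquote() turns it into a parent
    reference afterwards."""
    if ".." in raw_path or raw_path.startswith("/"):
        return None
    return os.path.join(root, unquote(raw_path))


def safe_resolve(root: str, raw_path: str):
    """Containment check on the canonical path: decode exactly once (the
    filesystem never decodes, so a second decode would only invent matches),
    join to the real root, collapse symlinks and '..' segments with realpath,
    then require the result to be a regular file that still lies under root."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> dict:
    """Builds a throwaway SPA bundle directory plus one file outside it
    (constructed fixture) and probes both resolvers with an encoded '..'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "dist")
        os.mkdir(root)
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html>spa</html>")
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("outside the web root")

        probe = "%2e%2e/secret.txt"  # percent-encoded ".." segment
        leaked = naive_resolve(root, probe)
        return {
            "naive_leaks": leaked is not None
            and open(leaked).read() == "outside the web root",
            "safe_blocks": safe_resolve(root, probe) is None,
            "safe_blocks_encoded_slash": safe_resolve(root, "%2e%2e%2fsecret.txt") is None,
            "safe_blocks_absolute": safe_resolve(root, "%2fetc%2fpasswd") is None,
            "safe_serves_index": safe_resolve(root, "index.html")
            == os.path.realpath(os.path.join(root, "index.html")),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The order of operations is the whole point: decode, then canonicalise, then compare against the canonical root. Any check performed on the raw request string, or before symlinks and `..` are resolved, can be defeated by an encoding the later layer understands but the check did not.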
The Hidden Threat in Your Stack: Why Non-Human Identity Management is the Next Cybersecurity Frontier
Modern enterprise networks are highly complex environments that rely on hundreds of apps and infrastructure services. These systems need to interact securely and efficiently without constant human oversight, which is where non-human identities (NHIs) come in. NHIs — including application secrets, A...
CVE-2025-48024
In BlueWave Checkmate before 2.1, an authenticated regular user can access sensitive application secrets via the /api/v1/settings endpoint...
PT-2025-21262 · Unknown · Bluewave Checkmate
Name of the Vulnerable Software and Affected Versions: BlueWave Checkmate, versions prior to 2.1. Description: The issue allows an authenticated regular user to access sensitive application secrets. This is achieved via the "/api/v1/settings" endpoint. Recommendations: For versions prior to 2.1,...
CVE-2025-48024
CVE-2025-48024 affects BlueWave Checkmate before 2.1. An authenticated regular user can access sensitive application secrets via the /api/v1/settings endpoint, leading to secret disclosure. The advisories consistently describe the issue and recommend upgrading to version 2.1 or later; as a tempor...
CVE-2021-42718
Information disclosure in the API of Replicated Classic (by Replicated), versions prior to 2.53.1 on all platforms, allows authenticated users with Admin Console access to retrieve sensitive data, including application secrets, by accessing container definitions with environment variables through the Admin...
CVE-2024-55578
Zammad before 6.4.1 places sensitive data such as auth_microsoft_office365_credentials and application_secret in log files...
PT-2024-39724 · Unknown · Quarkus Cxf
Name of the Vulnerable Software and Affected Versions: Quarkus CXF (affected versions not specified). Description: A vulnerability was found in Quarkus CXF where passwords and other secrets may appear in the application log despite the user configuring them to be hidden. This issue requires specific...
Django settings leak in date template filter
The get_format function in utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key supplied in place of a date/time format setting, as demonstrated by SECRET_KEY...
Zammad security vulnerability
Zammad is ticket management software from Zammad, a German company. Versions prior to Zammad 4.1.1 have a security vulnerability that allows attackers to discover application secrets and obtain sensitive information through the API...
GHSA-J7VX-8MQJ-CQP9 Exposure of Sensitive Information to an Unauthorized Actor in Doorkeeper
Impact: Information disclosure vulnerability. Allows an attacker to see all Doorkeeper::Application model attribute values, including secrets, using the authorized applications controller if it is enabled (GET /oauth/authorized_applications.json). Patches: These versions have the fix: 5.0.3, 5.1.1, 5.2.5, 5.3.2...
Doorkeeper application secret information disclosure vulnerability
Information disclosure vulnerability. Allows an attacker to see all Doorkeeper::Application model attribute values, including secrets, after authorizing an application for their user. An application is vulnerable if the authorized applications controller is enabled (GET...
Furniture Mod - Base64 encoded String, Exported ContentProvider, Hardcoded secrets vulnerabilities
The HackApp vulnerability scanner discovered that the application Furniture Mod, published on the Play market, has multiple vulnerabilities...
CVE-2015-8213
The get_format function in utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key supplied in place of a date/time format setting, as demonstrated by SECRET_KEY...
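The two Django entries above (the settings leak in the date template filter and CVE-2015-8213) describe one mechanism: the `|date` filter passes its argument through `get_format()`, which resolves the name with `getattr(settings, name)`, so `{{ value|date:"SECRET_KEY" }}` in a template whose format argument an attacker controls renders the secret. The model below is an added example written for this page, not Django's code: `_Settings`, the fake `SECRET_KEY`, and the tiny PHP-style `dateformat` stand-in are constructed for illustration, and `FORMAT_SETTINGS` mirrors the allow-list approach of the fix (unknown names are treated as literal format strings rather than looked up on settings).

```python
import datetime

# Constructed stand-in for a Django settings module; the key is fake.
class _Settings:
    SECRET_KEY = "z9!k-ptx-qwvbnr-0c3"   # constructed, not a real key
    DATE_FORMAT = "Y-m-d"
    DATETIME_FORMAT = "Y-m-d H:i"

settings = _Settings()

# Allow-list of setting names that get_format() may resolve, modelled on
# the FORMAT_SETTINGS frozenset the Django fix introduced (illustrative subset).
FORMAT_SETTINGS = frozenset({"DATE_FORMAT", "DATETIME_FORMAT", "TIME_FORMAT"})


def get_format_vulnerable(format_type: str) -> str:
    """Pre-fix behaviour: any attribute name is looked up on settings.
    A name that does not exist falls back to being a literal format
    string, which is how "Y-m-d" still worked and why "SECRET_KEY" leaks."""
    try:
        return getattr(settings, format_type)
    except AttributeError:
        return format_type


def get_format_fixed(format_type: str) -> str:
    """Post-fix behaviour: only allow-listed names reach settings; anything
    else is returned unchanged and used as a literal format string."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


# Minimal PHP-style formatter standing in for django.utils.dateformat:
# a few codes are expanded, every other character is copied through,
# which is why a secret used as a format string survives mostly intact.
_CODES = {
    "Y": lambda dt: f"{dt.year:04d}",
    "m": lambda dt: f"{dt.month:02d}",
    "d": lambda dt: f"{dt.day:02d}",
    "H": lambda dt: f"{dt.hour:02d}",
    "i": lambda dt: f"{dt.minute:02d}",
}


def dateformat(dt: datetime.datetime, fmt: str) -> str:
    return "".join(_CODES[c](dt) if c in _CODES else c for c in fmt)


def date_filter(value: datetime.datetime, arg: str, get_format) -> str:
    """Model of the |date template filter: the argument is first resolved
    through get_format(), then used as the format string."""
    return dateformat(value, get_format(arg))


# Constructed sample timestamp used by the demonstration below.
SAMPLE_DT = datetime.datetime(2024, 5, 17, 9, 30)

if __name__ == "__main__":
    print(date_filter(SAMPLE_DT, "DATE_FORMAT", get_format_vulnerable))
    print(date_filter(SAMPLE_DT, "SECRET_KEY", get_format_vulnerable))  # leaks
    print(date_filter(SAMPLE_DT, "SECRET_KEY", get_format_fixed))       # literal
```

With the fixed lookup, `"SECRET_KEY"` is formatted as a literal and renders as `SECRET_KE2024` (the trailing `Y` is a year code), which is harmless. The lesson generalises beyond Django: a reflective `getattr(config, user_supplied_name)` needs an allow-list of the names it may resolve, not a denylist of the ones it may not.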