
6510 matches found

Source: Cvelist (added 2025/11/07 12:43 a.m., 4 views)

CVE-2025-52662

A vulnerability in Nuxt DevTools has been fixed in version 2.6.4. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools...

CVSS 6.9, EPSS 0.00026 | Exploits: 1, References: 2
Source: Vulnrichment (added 2025/11/07 12:43 a.m., 1 view)

CVE-2025-52662

A vulnerability in Nuxt DevTools has been fixed in version 2.6.4. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools...

CVSS 6.9, AI score 6, EPSS 0.00026 | Exploits: 1, References: 2
Source: NVD (added 2025/11/05 6:15 a.m., 10 views)

CVE-2025-11749

The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract th...

CVSS 9.8, EPSS 0.85741 | Exploits: 5, References: 3
Source: CVE (added 2025/11/05 5:31 a.m., 42 views)

CVE-2025-11749

The WordPress AI Engine plugin (≤ 3.1.3) is vulnerable to unauthenticated sensitive information exposure via the REST API endpoints under /mcp/v1/ when No-Auth URL is enabled. This allows attackers to retrieve the Bearer Token, enabling session hijacking and actions such as creating an administra...

CVSS 9.8, AI score 6, EPSS 0.85741 | Exploited in the wild | Exploits: 5, References: 3
Source: Cvelist (added 2025/11/05 5:31 a.m., 14 views)

CVE-2025-11749 AI Engine <= 3.1.3 - Unauthenticated Sensitive Information Exposure to Privilege Escalation

The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract th...

CVSS 9.8, EPSS 0.85741 | Exploits: 5, References: 3
Source: VulnCheck KEV (added 2025/11/05 12:00 a.m., 8 views)

VulnCheck KEV: CVE-2025-11749

The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract th...

CVSS 9.8, AI score 5.8, EPSS 0.85741 | Exploited in the wild | Exploits: 5, References: 3
Source: Wordfence Blog (added 2025/11/04 6:13 p.m., 13 views)

100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in AI Engine WordPress Plugin

On October 4th, 2025, we received a submission for a Sensitive Information Exposure vulnerability in AI Engine, a WordPress plugin with more than 100,000 active installations. This vulnerability can be exploited by unauthenticated attackers to extract the bearer token and then get full access to...

CVSS 9.8, AI score 7.7, EPSS 0.85741 | Exploits: 5
Source: AstraLinux (added 2025/11/01 10:54 a.m., 4 views)

Astra Linux – Vulnerability in Firefox, Thunderbird

The username:password portion was not properly removed from URLs in CSP reports, which could potentially expose HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1...

CVSS 9.8, AI score 5.5, EPSS 0.00443 | Exploits: 0, References: 3
Source: NVD (added 2025/10/31 9:15 a.m., 4 views)

CVE-2025-62232

Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following commit: ...

CVSS 7.5, EPSS 0.00121 | Exploits: 0, References: 2
Source: Cvelist (added 2025/10/31 8:48 a.m., 6 views)

CVE-2025-62232 Apache APISIX: basic-auth logs plaintext credentials at info level

Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following commit: ...

EPSS 0.00121 | Exploits: 0, References: 1
Source: Snyk (added 2025/10/29 10:46 p.m., 1 view)

Malicious Package

Overview preview-server-auth is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 6.8 | Exploits: 0, References: 2
Source: vulnersOsv (added 2025/10/29 10:43 a.m., 4 views)

@aangeles/jefeui (>=1.10.0 <=1.11.6), @adamjoelfraser/auth-drizzle (>=1.0.0 <=1.0.2) +265 more potentially affected by unknown CVE via @auth/core (>=0.0.0-manual.fdbc96ab <=0.41.0)

@auth/core NPM version =0.0.0-manual.fdbc96ab, =1.10.0, =1.0.0, =0.1.0, =0.0.1, =1.0.0, =0.2.0, =0.1.0, =0.1.0, =0.1.0, =1.11.0 and more Source cves: unknown CVE Source advisory: SNYK:JS-AUTHCORE-13744119...

AI score 5.5 | Exploits: 0
Source: Snyk (added 2025/10/29 10:43 a.m., 2 views)

Improper Neutralization

Overview: next-auth is an authentication library for Next.js. Affected versions of this package are vulnerable to Improper Neutralization in the email validation component. An attacker can intercept sensitive authentication emails by submitting a specially crafted email address that manipulates the parsing...

CVSS 5.9, AI score 7 | Exploits: 0, References: 2
Source: vulnersOsv (added 2025/10/29 10:43 a.m., 5 views)

@aangeles/jefeui (>=1.10.0 <=1.11.6), @aipmorg/chat (=1.5.3) +54 more potentially affected by unknown CVE via next-auth (>=5.0.0-beta.11 <=5.0.0-beta.3)

next-auth NPM version =5.0.0-beta.11, =1.10.0, =1.10.3, =0.1.0, =1.2.4-main.7f918ee.29, =0.0.2, =1.0.0, =0.1.6, =0.152.1, =1.0.0, =0.106.0, =0.122.0-rc.13 - @irshadkhan-dev/pandapulse-db =0.0.1 and more Source cves: unknown CVE Source advisory: OSV:GHSA-5JPX-9HW9-2FX4...

AI score 5.8 | Exploits: 0
Source: RedhatCVE (added 2025/10/29 1:11 a.m., 5 views)

CVE-2025-12342

A flaw has been found in Serdar Bayram Ghost Hot Spot up to 20251014. The affected element is an unknown function of the file /Auth.php of the component Login. This manipulation causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used...

CVSS 7.5, AI score 7.2, EPSS 0.00029 | Exploits: 0, References: 1
Source: Vulnrichment (added 2025/10/28 1:02 a.m., 1 view)

CVE-2025-12342 Serdar Bayram Ghost Hot Spot Login Auth.php sql injection

A flaw has been found in Serdar Bayram Ghost Hot Spot up to 20251014. The affected element is an unknown function of the file /Auth.php of the component Login. This manipulation causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used...

CVSS 7.5, AI score 6.3, EPSS 0.00029 | Exploits: 0, References: 4
Source: EUVD (added 2025/10/28 1:02 a.m., 2 views)

EUVD-2025-36389

A flaw has been found in Serdar Bayram Ghost Hot Spot up to 20251014. The affected element is an unknown function of the file /Auth.php of the component Login. This manipulation causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used...

CVSS 7.5, AI score 6.1, EPSS 0.00029 | Exploits: 0, References: 5
Source: Cvelist (added 2025/10/28 1:02 a.m., 7 views)

CVE-2025-12342 Serdar Bayram Ghost Hot Spot Login Auth.php sql injection

A flaw has been found in Serdar Bayram Ghost Hot Spot up to 20251014. The affected element is an unknown function of the file /Auth.php of the component Login. This manipulation causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used...

CVSS 7.5, EPSS 0.00029 | Exploits: 0, References: 4
Source: Nuclei (added 2025/10/28 12:38 a.m., 11 views)

Adobe Experience Manager Forms - Insecure Deserialization

Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user...

CVSS 10, AI score 7.8, EPSS 0.24192 | Exploits: 7, References: 1
Source: CNNVD (added 2025/10/28 12:00 a.m., 3 views)

Serdar Bayram Ghost Hot Spot SQL Injection Vulnerability

Serdar Bayram Ghost Hot Spot is a Portal Authentication System software by Serdar Bayram Individual Developer. A SQL injection vulnerability exists in Serdar Bayram Ghost Hot Spot 20251014 and earlier versions, which stems from a SQL injection vulnerability in the component Login in the file...

CVSS 7.5, AI score 7.7, EPSS 0.00029 | Exploits: 0, References: 5