EUVD-2025-60927
The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action wpajaxnoprivcryptoconnectajaxprocess that allows calling the register and savenft methods with only a...
CVE-2025-52662
A vulnerability in Nuxt DevTools has been fixed in version 2.6.4. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools...
Nuxt DevTools vulnerable to cross-site scripting (XSS)
A vulnerability in Nuxt DevTools has been fixed in version 2.6.4. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade...
GHSA-XMQ3-Q5PM-RP26 Nuxt DevTools vulnerable to cross-site scripting (XSS)
A vulnerability in Nuxt DevTools has been fixed in version 2.6.4. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade...
CVE-2025-11749
The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract th...
CVE-2025-11749 AI Engine <= 3.1.3 - Unauthenticated Sensitive Information Exposure to Privilege Escalation
The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract th...
CVE-2025-11749
The WordPress AI Engine plugin (≤ 3.1.3) is vulnerable to unauthenticated sensitive information exposure via the REST API endpoints under /mcp/v1/ when No-Auth URL is enabled. This allows attackers to retrieve the Bearer Token, enabling session hijacking and actions such as creating an administra...
VulnCheck KEV: CVE-2025-11749
The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract th...
100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in AI Engine WordPress Plugin
On October 4th, 2025, we received a submission for a Sensitive Information Exposure vulnerability in AI Engine, a WordPress plugin with more than 100,000 active installations. This vulnerability can be exploited by unauthenticated attackers to extract the bearer token and then get full access to...
Astra Linux - Vulnerability in Firefox, Thunderbird
The username:password portion was not properly removed from URLs in CSP reports, which could potentially expose HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1...
CVE-2025-62232
Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following commit: ...
CVE-2025-62232 Apache APISIX: basic-auth logs plaintext credentials at info level
Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following commit: ...
Malicious Package
Overview preview-server-auth is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
@aangeles/jefeui (>=1.10.0 <=1.11.6), @adamjoelfraser/auth-drizzle (>=1.0.0 <=1.0.2) +265 more potentially affected by unknown CVE via @auth/core (>=0.0.0-manual.fdbc96ab <=0.41.0)
@auth/core NPM version =0.0.0-manual.fdbc96ab, =1.10.0, =1.0.0, =0.1.0, =0.0.1, =1.0.0, =0.2.0, =0.1.0, =0.1.0, =0.1.0, =1.11.0 and more Source cves: unknown CVE Source advisory: SNYK:JS-AUTHCORE-13744119...
Improper Neutralization
Overview next-auth is an Authentication for Next.js Affected versions of this package are vulnerable to Improper Neutralization in the email validation component. An attacker can intercept sensitive authentication emails by submitting a specially crafted email address that manipulates the parsing...
@aangeles/jefeui (>=1.10.0 <=1.11.6), @aipmorg/chat (=1.5.3) +54 more potentially affected by unknown CVE via next-auth (>=5.0.0-beta.11 <=5.0.0-beta.3)
next-auth NPM version =5.0.0-beta.11, =1.10.0, =1.10.3, =0.1.0, =1.2.4-main.7f918ee.29, =0.0.2, =1.0.0, =0.1.6, =0.152.1, =1.0.0, =0.106.0, =0.122.0-rc.13 - @irshadkhan-dev/pandapulse-db =0.0.1 and more Source cves: unknown CVE Source advisory: OSV:GHSA-5JPX-9HW9-2FX4...