5 matches found
CVE-2026-42604
Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...
CVE-2025-15622
Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the OpenID authentication fl...
CVE-2025-15622
Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the OpenID authentication fl...
CVE-2025-59406
The Flock Safety Pisco com.flocksafety.android.pisco application 6.21.11 for Android installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices has a cleartext Auth0 client secret in its codebase. Because application binaries can be trivially decompiled or inspected,...
PT-2025-4596 · Coolify · Coolify
Name of the Vulnerable Software and Affected Versions: Coolify versions prior to 4.0.0-beta.361 Description: The issue is related to missing authorization, allowing any authenticated user to access and modify the global Coolify instance OAuth configuration. This exposes sensitive information,...