Github Security Blog (added 2026/05/18 9:31 a.m.)

Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in...

CVSS 8.7 | AI score 5.8 | EPSS 0.00039
Exploits: 0 | References: 4 | Affected software: 2
OSV (added 2026/05/18 9:31 a.m.)

GHSA-9P64-JPC7-M2RP Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in...

CVSS 8.7 | AI score 5.8 | EPSS 0.00039
Exploits: 0 | References: 4
Veracode (added 2026/05/05 1:24 p.m.)

Prototype Pollution

Axios is vulnerable to Prototype Pollution. The vulnerability is due to direct property access of configuration fields in the HTTP adapter (e.g., config.auth, config.baseURL, config.socketPath, config.beforeRedirect, config.insecureHTTPParser) without hasOwnProperty checks, allowing polluted...

CVSS 9.1 | AI score 5.8 | EPSS 0.00071
Exploits: 1 | References: 4 | Affected software: 1
Snyk (added 2026/05/04 9:14 p.m.)

Improper Authentication

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Improper Authentication via the bootstrap config endpoint. An attacker can access sensitive configuration fields intended for authenticated sessions by sending unauthenticated requests to...

CVSS 6.9 | AI score 5.8 | EPSS 0.0011
Exploits: 0 | References: 2
Cvelist (added 2026/05/04 5:30 p.m.)

CVE-2026-42092 Global Settings Publication Exposes Sensitive Configuration to Any Authenticated User in Titra

titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as googlesecret, openaiapikey, and...

CVSS 6.5 | EPSS 0.00034
Exploits: 0 | References: 1
Vulnrichment (added 2026/05/04 5:30 p.m.)

CVE-2026-42092 Global Settings Publication Exposes Sensitive Configuration to Any Authenticated User in Titra

titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as googlesecret, openaiapikey, and...

CVSS 6.5 | AI score 5.8 | EPSS 0.00034
Exploits: 0 | References: 1
NVD (added 2026/04/07 6:16 p.m.)

CVE-2026-39336

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-adm...

CVSS 6.1 | EPSS 0.00035
Exploits: 0 | References: 1
Snyk (added 2026/01/26 9:17 p.m.)

Directory Traversal

Overview: bentoml is a BentoML: Build Production-Grade AI Applications. Affected versions of this package are vulnerable to Directory Traversal via the processing of user-supplied file paths in configuration fields description, docker.setupscript, docker.dockerfiletemplate, and conda.environmentyml...

CVSS 8.2 | AI score 6.3 | EPSS 0.00015
Exploits: 0 | References: 3
RedhatCVE (added 2025/10/15 12:42 p.m.)

CVE-2025-7329

A Stored Cross-Site Scripting security issue exists in the affected product that could potentially allow a malicious user to view and modify sensitive data or make the webpage unavailable. The vulnerability stems from missing special character filtering and encoding. Successful exploitation...

CVSS 8.5 | AI score 5.5 | EPSS 0.0001
Exploits: 0 | References: 1
Cvelist (added 2025/10/14 12:37 p.m.)

CVE-2025-7329 Rockwell Automation Comms - 1783-NATR Stored Cross-Site Scripting Vulnerability

A Stored Cross-Site Scripting security issue exists in the affected product that could potentially allow a malicious user to view and modify sensitive data or make the webpage unavailable. The vulnerability stems from missing special character filtering and encoding. Successful exploitation...

CVSS 8.5 | EPSS 0.0001
Exploits: 0 | References: 1
RedhatCVE (added 2025/10/11 12:20 a.m.)

CVE-2025-60869

Publii CMS v0.46.5 build 17089 allows persistent Cross-Site Scripting (XSS) via unsanitized input in configuration fields such as "Site Description" and "Footer Follow Buttons". An attacker can inject arbitrary JavaScript, which is stored in the project and executed in the browsers of remote visito...

CVSS 7.3 | AI score 6.1 | EPSS 0.00029
Exploits: 0 | References: 1
Vulnrichment (added 2025/10/10 12:00 a.m.)

CVE-2025-60869

Publii CMS v0.46.5 build 17089 allows persistent Cross-Site Scripting (XSS) via unsanitized input in configuration fields such as "Site Description" and "Footer Follow Buttons". An attacker can inject arbitrary JavaScript, which is stored in the project and executed in the browsers of remote visito...

CVSS 7.3 | AI score 5.7 | EPSS 0.00029
Exploits: 0 | References: 2
EUVD (added 2025/10/07 12:30 a.m.)

EUVD-2018-2400

Malware in sbrugna...

CVSS 5.4 | AI score 5.5 | EPSS 0.0031
Exploits: 1 | References: 2
EUVD (added 2025/10/07 12:30 a.m.)

EUVD-2006-3205

Malware in sbrugna...

CVSS 6.5 | AI score 6.4 | EPSS 0.00733
Exploits: 1 | References: 4
RedhatCVE (added 2025/08/30 6:21 p.m.)

CVE-2025-50986

diskover-web v2.3.0 Community Edition suffers from multiple stored cross-site scripting (XSS) vulnerabilities in its administrative settings interface. Various configuration fields such as ESHOST, ESINDEXREFRESH, ESPORT, ESSCROLLSIZE, ESTRANSLOGSIZE, ESTRANSLOGSYNCINT, EXCLUDESFILES, FILETYPES,...

CVSS 5.6 | AI score 6.1 | EPSS 0.00082
Exploits: 1 | References: 1
OSV (added 2025/08/27 3:15 p.m.)

CVE-2025-50986

diskover-web v2.3.0 Community Edition suffers from multiple stored cross-site scripting (XSS) vulnerabilities in its administrative settings interface. Various configuration fields such as ESHOST, ESINDEXREFRESH, ESPORT, ESSCROLLSIZE, ESTRANSLOGSIZE, ESTRANSLOGSYNCINT, EXCLUDESFILES, FILETYPES,...

CVSS 5.6 | AI score 5.7
Exploits: 0 | References: 1
Veracode (added 2025/06/12 8:15 a.m.)

Arbitrary File Read

org.apache.kafka, kafka-clients is vulnerable to Arbitrary File Read. The vulnerability is due to the lack of proper validation and restriction on the sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url configuration fields, which allows the use of arbitrary URLs, including...

CVSS 7.5 | AI score 7.4 | EPSS 0.21423
Exploits: 2 | References: 4 | Affected software: 1
RedhatCVE (added 2025/05/23 12:40 a.m.)

CVE-2022-40184

Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option...

CVSS 5.1 | AI score 7 | EPSS 0.00237
Exploits: 0 | References: 1
RedhatCVE (added 2025/05/22 6:39 p.m.)

CVE-2021-36545

Cross Site Scripting (XSS) vulnerability in tpcms 3.2 allows remote attackers to run arbitrary code via the cfgcopyright or cfgtel field in Site Configuration page...

CVSS 5.4 | AI score 6.3 | EPSS 0.0018
Exploits: 1
RedhatCVE (added 2025/05/22 3:05 p.m.)

CVE-2020-8007

The pwrstudio web application of EV Charger in the server in Circontrol Raption through 5.6.2 is vulnerable to OS command injection via three fields of the configuration menu for ntpserver0, ntpserver1, and pingip...

CVSS 9.8 | AI score 7.5 | EPSS 0.00996
Exploits: 1 | References: 1