Lucene search
K

1038 matches found

CVE
CVE
added 13 hours ago14 views

CVE-2026-9079

CVE-2026-9079 concerns libcurl: when instructed to clear proxy authentication credentials, it failed to do so, leaving the old credentials in place and potentially reused in subsequent transfers that should not know or use them. The description across multiple sources consistently states this cre...

6AI score
Exploits0References3
EUVD
EUVD
added 13 hours ago3 views

EUVD-2026-41510

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them...

6AI score
Exploits0References3
OSV
OSV
added 2 days ago3 views

GHSA-JXPM-75MH-9FP7 oras-go blob upload vulnerable to credential forwarding via unvalidated Location header

Summary oras-go follows a registry-controlled Location header during the monolithic blob upload flow and reuses the Authorization header from the initial POST request for the subsequent PUT request. If a malicious registry returns a cross-host Location, oras-go can send the caller's credentials t...

7.5CVSS5.8AI score
Exploits0References5
EUVD
EUVD
added last week13 views

EUVD-2026-31654

Cargo can be coerced to share credentials between registries...

6.5CVSS7.1AI score0.00328EPSS
Exploits0References5
CVE
CVE
added last week9 views

CVE-2026-55188

RustFS’s ListRemoteTargetHandler in versions 1.0.0-alpha.1 through 1.0.0-beta.8 contains an authorization bypass that only checks for credentials and neglects to verify replication or admin permissions. This allows an authenticated user without bucket/admin rights to list remote replication targe...

8.2CVSS5.8AI score0.00181EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/25 9:15 p.m.5 views

CVE-2026-11703

Missing SNI/ALPN binding on stateful session-ID resumption, which previously skipped the binding check performed for ticket-based resumption. A cached session could be resumed under a different SNI/ALPN than originally negotiated and, where client-authentication policy differs across virtual host...

6CVSS5.9AI score0.0021EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/24 2:0 p.m.3 views

UBUNTU-CVE-2026-9079

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent tranfers that should not know nor use them...

5.9AI score
Exploits0References4
OSV
OSV
added 2026/06/24 8:0 a.m.16 views

CURL-CVE-2026-9079 stale proxy password leak

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them...

5.8AI score
Exploits0
Cvelist
Cvelist
added 2026/06/23 7:53 p.m.26 views

CVE-2026-11819 Community.general: community.general keyring_info — os keyring passphrase returned in plaintext

Module: plugins/modules/keyringinfo.py CVSS 3.1: 5.5 MEDIUM — AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: The module retrieves a passphrase from the OS native keyring GNOME Keyring, macOS Keychain, Windows Credential Manager and places it directly into result"passphrase" with no output suppression...

5.5CVSS0.00128EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/23 3:48 p.m.32 views

CVE-2026-54304 n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.1, an authenticated user with permission to create or modify workflows and access to a SecurityScorecard credential with limited allowed domains could configure the SecurityScorecard node's report download...

7.1CVSS0.00353EPSS
Exploits0References1
NVD
NVD
added 2026/06/22 6:16 p.m.10 views

CVE-2026-53632

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the...

5.5CVSS0.00322EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 3:54 p.m.30 views

CVE-2026-53632 NTLMv2 hash disclosure via UNC path handling on Windows

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the...

5.5CVSS0.00322EPSS
Exploits0References1
CVE
CVE
added 2026/06/22 3:54 p.m.17 views

CVE-2026-53632

CVE-2026-53632 affects the npm package launch-editor . Before version 2.14.1, it can open arbitrary paths including Windows UNC paths; when a UNC path is opened Windows triggers NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled ...

5.5CVSS6AI score0.00322EPSS
Exploits0References1
CVE
CVE
added 2026/06/22 3:41 p.m.17 views

CVE-2026-50169

The CVE-2026-50169 issue affects the Angular service worker (@angular/service-worker). The vulnerability stems from the request reconstruction path in the service worker, where an internal helper strips strict client-defined redirect policies (for example redirect: 'error'), causing the browser t...

6.1CVSS5.9AI score0.00165EPSS
Exploits0References2Affected Software1
Debian CVE
Debian CVE
added 2026/06/22 3:32 p.m.7 views

CVE-2026-54264

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Servi...

8.3CVSS5.9AI score0.00226EPSS
Exploits0
Cvelist
Cvelist
added 2026/06/22 1:18 p.m.31 views

CVE-2026-10601 Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access

The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: 1 capture admin-configured datasource credentials secureJsonData custom headers by traversing to an...

5.4CVSS0.00258EPSS
Exploits0References1
CVE
CVE
added 2026/06/22 1:18 p.m.157 views

CVE-2026-10601

CVE-2026-10601 affects Grafana Tempo and Loki datasource plugins. The root cause is unsanitized user input interpolated into backend HTTP URL paths, enabling path traversal. A Viewer-role user can (1) retrieve admin-configured datasource credentials via an attacker-controlled endpoint, (2) trigge...

5.4CVSS5.9AI score0.00258EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/19 2:20 p.m.9 views

EUVD-2026-37760

undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse...

7.5CVSS6.4AI score0.00277EPSS
Exploits0References4
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.4 views

Astra Linux – Vulnerability in curl

A poorly protected credentials vulnerability exists in curl 4.9, and versions including curl 7.82.0 are also affected. This vulnerability could allow attackers to extract credentials when using HTTPS redirections with authentication. As a result, credentials may be leaked to other services that...

5.7CVSS6.6AI score0.01595EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.3 views

Astra Linux – Vulnerability in Thunderbird

Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments that can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine the file size, and navigates to the attachment when the user clicks on it. Since the URL is not...

6.3CVSS6.6AI score0.00226EPSS
Exploits0References2
Rows per page
Query Builder