Lucene search
K

245 matches found

EUVD
EUVD
added yesterday5 views

EUVD-2026-40362

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id...

8.7CVSS5.9AI score
Exploits0References2
EUVD
EUVD
added 2 days ago4 views

EUVD-2026-40159

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including...

7.1CVSS5.8AI score0.00264EPSS
Exploits0References5
EUVD
EUVD
added 5 days ago13 views

EUVD-2026-31692

Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body...

6.1CVSS5.8AI score0.00348EPSS
Exploits1References5
AlpineLinux
AlpineLinux
added 5 days ago6 views

CVE-2026-48615

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERRPROXYTUNNEL error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability...

7.5CVSS6.6AI score0.00392EPSS
Exploits0
CVE
CVE
added 5 days ago8 views

CVE-2026-38571

The CVE-2026-38571 case concerns the Tenda N300 F3 device (version V603), where the unauthenticated UART debug console stores WPA2 credentials in cleartext and does not require authentication for rr/wr memory read/write commands. This enables a physically proximate attacker to extract stored WPA2...

4.6CVSS6AI score0.00113EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/23 7:53 p.m.9 views

EUVD-2026-38605

Module: plugins/modules/nexmo.py CVSS 3.1: 6.5 MEDIUM — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: apikey and apisecret are declared nolog=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, bypassing all nolog protection. Vulnerable...

6.5CVSS6AI score0.00281EPSS
Exploits0References2
CVE
CVE
added 2026/06/23 7:53 p.m.12 views

CVE-2026-11820

CVE-2026-11820 affects the community.general nexmo module. Credentials api_key and api_secret are declared no_log but are URL-encoded into a GET request, exposing them in the query string (e.g., .../sms/json?api_key=...&api_secret=...). The vulnerability arises because the code constructs the URL...

6.5CVSS5.8AI score0.00281EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/23 7:53 p.m.9 views

CVE-2026-11820

A flaw was found in the community.general Ansible collection's nexmo module. The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding API credentials apikey and apisecret into URL query parameters and sending them via GET requests. This causes credentials to be exposed in web...

6.5CVSS5.8AI score0.00281EPSS
Exploits0References3
NVD
NVD
added 2026/06/23 4:17 p.m.14 views

CVE-2026-55568

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPTPROXYUSERPW...

5.9CVSS0.00106EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.6 views

Astra Linux – Vulnerability in Ansible

A flaw was discovered in several Ansible modules, where parameters containing credentials, such as “secrets,” were logged in plain text on managed nodes, and were also made visible on the controller node when run in verbose mode. These parameters were not protected by the “nolog” feature. An...

5.5CVSS6.8AI score0.00333EPSS
Exploits0References2
CVE
CVE
added 2026/06/09 10:40 p.m.94 views

CVE-2026-9735

CVE-2026-9735 concerns MongoDB server logging of SASL authentication parameters. The connected documents specify that when connection health metric logging is enabled, full authentication parameters (potentially including credentials) may be written to the server log without redaction. The NVD/NV...

6.8CVSS5.5AI score0.00119EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/08 3:5 p.m.10 views

EUVD-2020-31250

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext...

6.5CVSS5.5AI score0.00186EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/05 9:8 p.m.35 views

CVE-2026-11431 Path Traversal in Altium Projects Service Allows Arbitrary File Read

A path traversal vulnerability exists in the Projects Service download endpoint shared by Altium Enterprise Server and Altium 365. An authenticated user can supply a crafted path parameter that bypasses validation, allowing arbitrary files including entire directories returned as archives to be...

8.3CVSS0.00517EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/05 8:12 p.m.6 views

CVE-2026-11423

A path traversal vulnerability exists in the Altium Enterprise Server Collaboration Service due to improper handling of user-supplied filenames in the MCAD and Simulation file download flows. A regular authenticated user can submit a collaboration message containing a crafted filename, which is...

9.4CVSS5.6AI score0.00321EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/03 12:0 a.m.6 views

CVE-2026-36610

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials...

5.9CVSS5.8AI score0.00147EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/29 9:30 a.m.43 views

CVE-2026-10078 Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring

A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically clientid and clientsecret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to th...

2.7CVSS0.00196EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/29 9:30 a.m.11 views

CVE-2026-10078 Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring

A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically clientid and clientsecret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to th...

2.7CVSS5.7AI score0.00196EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/23 1:51 p.m.11 views

Malicious code in @zaamx/netme (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ff8cae34ceeb5f691ca4c4f92fbe10d0bc4e6b9eddf081e7c99ab1ee6193c98 This Medusa plugin hardcodes outbound POST requests to https://n8n.lidxi.com/webhook/ in multiple subscribers and admin routes, with no configuration...

5.8AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.13 views

PT-2026-42409

Name of the Vulnerable Software and Affected Versions Netatalk versions 2.1.0 through 4.4.2 Description Netatalk inserts LDAP simple-bind passwords into log output in cleartext. This allows an attacker with access to the log files to obtain LDAP credentials. Recommendations Update to version 4.4....

7.5CVSS5.8AI score0.0036EPSS
Exploits0References20
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.13 views

PT-2026-42520

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials host, username, password, database name in import mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration value...

9.2CVSS5.9AI score0.00297EPSS
Exploits0References4
Rows per page
Query Builder