Aquatronica Controller System <= 5.1.6 - Information Disclosure

Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit...

PT-2026-47647

In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. Affected versions: Reactor Netty 1.0.0 through 1.0.51;...

Malicious code in executor-http (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cde4da7201fbc0dd3ae09240232f5767c2893e33977d6c8ee9071d15e79f0363 The package ships executorhttp-setup.pth, which Python auto-loads at interpreter start for any environment where the package is installed. The.pth fi...

CVE-2026-40885

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and th...

curl: curl/libcurl 8.20.0 NOPROXY bypass via uppercase-hex IPv4 aliases leaks off-proxy Basic credentials to the configured proxy

Summary: curl/libcurl 8.20.0 fails to enforce CURLOPTNOPROXY, --noproxy, and NOPROXY consistently for uppercase-hex IPv4 aliases such as 0X7f.1 on glibc-based systems that accept these legacy numeric IPv4 forms. When a canonical IP literal is excluded from proxying, curl sends the canonical form...

CVE-2025-14713

The vulnerability CVE-2025-14713 affects the Synology C2 Identity Edge Server package running on DSM versions prior to 1.76.0-0307. Affected component: Edge Server’s exposed method/function that can be abused to obtain user credentials from the edge server. Root cause is an exposed dangerous meth...

Insufficiently Protected Credentials

Overview @hapi/wreck is a HTTP Client Utilities library. Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to leaking the sensitive Proxy-Authorization header across cross-hostname redirects. An attacker can obtain sensitive proxy credentials by inducing...

CVE-2026-36539

The affected product is Netis AC1200 Router NC21 (firmware version referenced: V4.0.1.4296). The issue is an unauthenticated CGI endpoint at /cgi-bin/skk_get.cgi that returns the entire router configuration as JSON, exposing administrator credentials, Wi‑Fi and PPPoE credentials, DDNS credentials...

SUSE SLES15 Security Update : curl (SUSE-SU-2026:1940-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1940-1 advisory. Security issues fixed: - CVE-2026-4873: connection reuse ignores TLS requirement bsc1262631. - CVE-2026-5545: wrong reuse of HTTP...

SUSE-SU-2026:1940-1 Security update for curl

This update for curl fixes the following issues: Security issues fixed: - CVE-2026-4873: connection reuse ignores TLS requirement bsc1262631. - CVE-2026-5545: wrong reuse of HTTP Negotiate connection bsc1262632. - CVE-2026-6253: proxy credentials leak over redirect-to proxy bsc1262635. -...

Malicious code in exxpress-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dfa81f7c144d5feeea9c49254fbeec68f8271460d4a51efd5757a62b251c05f2 The package declares scripts.postinstall pointing at postinstall.js, which runs automatically on npm install. The script performs three...

CVE-2026-6253 proxy credentials leak over redirect-to proxy

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. whil...

CVE-2026-6253 proxy credentials leak over redirect-to proxy

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. whil...

CVE-2026-8109

CVE-2026-8109 affects the Core Server of Ivanti Endpoint Manager prior to version 2024 SU6. The vulnerability is an exposed dangerous method that can be exploited by a remote authenticated attacker to leak credentials. This has been documented in NVD and CVE records, which describe the affected c...

SUSE CVE-2026-41506

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha....

Insertion of Sensitive Information into Log File

Overview apache-airflow-providers-opensearch is a Provider package apache-airflow-providers-opensearch for Apache Airflow Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the grouplogsbyhost method in ostaskhandler.py. An attacker can expose...

CVE-2026-41018

The Elasticsearch logging provider, when configured with a host URL that embeds credentials for example https://user:[email protected]:9200, wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend...

CVE-2026-43826 Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL

The OpenSearch logging provider, when configured with a host URL that embeds credentials for example https://user:[email protected]:9200, wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend...

SUSE SLED15 / SLES15 Security Update : curl (SUSE-SU-2026:1717-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1717-1 advisory. Security issues fixed: - CVE-2026-4873: connection reuse ignores TLS requirement bsc1262631. - CVE-2026-5545:...

Linux Distros Unpatched Vulnerability : CVE-2026-41506

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentia...