Lucene search

Cvelist

CVE-2026-7874 Weak Cryptographic Key Derivation Exposed All Stored Credentials

IBM Langflow OSS 1.0.0 through 1.10.0 could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest...

CVSS 9.1 | EPSS 0.00164
Exploits: 0 | References: 1
CVE

CVE-2026-7874

CVE-2026-7874 affects IBM Langflow OSS 1.0.0–1.10.0. The root cause is a weak and reversible key derivation mechanism used for at-rest encryption, which could allow an attacker to disclose all stored credentials (API keys, database passwords, OAuth tokens) if the encryption keys are compromised o...

CVSS 9.1 | AI score 5.8 | EPSS 0.00164
Exploits: 0 | References: 1 | Affected Software: 1
EUVD

EUVD-2026-40380

IBM Langflow OSS 1.0.0 through 1.10.0 could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest...

CVSS 9.1 | AI score 5.8 | EPSS 0.00164
Exploits: 0 | References: 1
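What "reversible key derivation" means in practice, as an added example that is not Langflow's code: the weak scheme below is a constructed stand-in (a padded, base64-encoded secret passed off as a key) placed next to HKDF (RFC 5869) over HMAC-SHA256 built only on the standard library. The names weak_derive, invert_weak, strong_derive and the sample secret are assumptions for illustration.

```python
"""Reversible 'key derivation' versus a one-way KDF (HKDF, RFC 5869).

Added example, not Langflow's code. The weak scheme is a constructed stand-in
for a 'derivation' that is really just an encoding.
"""
import base64
import hashlib
import hmac
import os


# --- constructed weak scheme: the key IS the secret, merely re-encoded ------
def weak_derive(secret: str) -> bytes:
    """Pad the secret to 32 bytes and base64-encode it. Anyone holding the
    resulting key recovers the original secret by reversing the steps."""
    padded = secret.encode().ljust(32, b"\0")[:32]
    return base64.urlsafe_b64encode(padded)


def invert_weak(key: bytes) -> str:
    """The inverse exists because no one-way function was involved."""
    return base64.urlsafe_b64decode(key).rstrip(b"\0").decode()


# --- HKDF (RFC 5869) over HMAC-SHA256 ---------------------------------------
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC(salt, IKM). The salt is not secret and can be stored beside
    the ciphertext."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) | T(2) | ... with T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def strong_derive(secret: str, salt: bytes, purpose: bytes, length: int = 32) -> bytes:
    """One-way: derive a purpose-bound key from the master secret. Holding the
    derived key does not reveal the secret, and keys for different purposes
    (credential store vs. session signing) are independent of each other."""
    prk = hkdf_extract(salt, secret.encode())
    return hkdf_expand(prk, purpose, length)


def reversibility_demo() -> dict:
    master = "correct horse battery staple"   # constructed sample secret
    salt = os.urandom(16)                      # non-secret, stored in the clear
    weak_key = weak_derive(master)
    return {
        "weak_key_recovers_secret": invert_weak(weak_key) == master,
        "hkdf_len": len(strong_derive(master, salt, b"credentials-at-rest")),
        "hkdf_purpose_separated": strong_derive(master, salt, b"credentials-at-rest")
                                  != strong_derive(master, salt, b"session-signing"),
        "hkdf_deterministic": strong_derive(master, salt, b"x")
                              == strong_derive(master, salt, b"x"),
    }


if __name__ == "__main__":
    print(reversibility_demo())
```

The check to make against any at-rest scheme is the one reversibility_demo() performs on the weak variant: if the derived key can be turned back into its input, or the derivation consumes no secret material at all, a copy of the encrypted store plus the configuration is enough to recover every credential. The HKDF functions can be verified against the RFC 5869 test vectors.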
NVD

CVE-2026-58377

JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials by accessing the OpenApiAuthController and OpenApiPermissionController endpoints which lack Shiro...

CVSS 8.6 | EPSS 0.00263
Exploits: 0 | References: 2
NVD

CVE-2026-58375

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id...

CVSS 8.7 | EPSS 0.00458
Exploits: 0 | References: 2
CVE

CVE-2026-58377

JeecgBoot 3.9.2 is affected by a broken access control vulnerability that allows authenticated, low-privilege users to perform full CRUD on OpenAPI credentials via OpenApiAuthController and OpenApiPermissionController endpoints that lack Shiro authorization annotations. Attackers can list, add, e...

CVSS 8.6 | AI score 5.8 | EPSS 0.00263
Exploits: 0 | References: 2
Cvelist

CVE-2026-58377 JeecgBoot 3.9.2 - Missing Authorization on OpenAPI Credential Management Endpoints Exposes Access/Secret Keys

JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials by accessing the OpenApiAuthController and OpenApiPermissionController endpoints which lack Shiro...

CVSS 8.6 | EPSS 0.00263
Exploits: 0 | References: 2
EUVD

EUVD-2026-40364

JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials by accessing the OpenApiAuthController and OpenApiPermissionController endpoints which lack Shiro...

CVSS 8.6 | AI score 5.8 | EPSS 0.00263
Exploits: 0 | References: 2
Cvelist

CVE-2026-58375 JimuReport 2.5.0 - Unauthenticated Report Export via /jmreport/auto/export

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id...

CVSS 8.7 | EPSS 0.00458
Exploits: 0 | References: 2
CVE

CVE-2026-58375

JimuReport up to version 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication. The handler is annotated @JimuNoLoginRequired, allowing JimuReportTokenInterceptor to skip auth, and the export service streams the rendered report for any supplied report id without verifying t...

CVSS 8.7 | AI score 5.9 | EPSS 0.00458
Exploits: 0 | References: 2
EUVD

EUVD-2026-40362

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id...

CVSS 8.7 | AI score 5.9 | EPSS 0.00458
Exploits: 0 | References: 2
EUVD

EUVD-2026-40350

Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to...

CVSS 7.7 | AI score 6.4 | EPSS 0.00286
Exploits: 0 | References: 7
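Host header validation for a loopback-bound local service, as an added example that is not Vibe-Trading's code (the hostnames, port and token are constructed). It contrasts a check that trusts any loopback TCP peer, which is exactly what a rebound browser on the same machine looks like, with one that requires both a loopback Host header and the bearer token.

```python
"""Why a loopback peer address is not an identity: DNS rebinding.

Added example, not Vibe-Trading's code. Hostnames, ports and tokens are
constructed for the demonstration.
"""
import hmac
import ipaddress

LOOPBACK_NAMES = {"localhost"}


def _split_host(host_header: str):
    """Return (host, port) from a Host header, handling [v6]:port forms."""
    h = host_header.strip()
    if h.startswith("["):
        end = h.find("]")
        port = int(h[end + 2:]) if h[end + 1:end + 2] == ":" else None
        return h[1:end], port
    if h.count(":") == 1:
        name, port = h.rsplit(":", 1)
        return name, int(port)
    return h, None          # bare name, or bare IPv6 without brackets


def is_loopback_host(host_header: str, bound_port: int) -> bool:
    """True only if Host names this service by a loopback address or 'localhost'
    on the port it is bound to. A DNS name such as attacker.example that an
    attacker has rebound to 127.0.0.1 fails here, which is the whole point."""
    name, port = _split_host(host_header)
    if port is not None and port != bound_port:
        return False
    if name.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False


def peer_only_check(peer_ip: str, host_header: str, token: str,
                    expected: str, bound_port: int) -> bool:
    """Vulnerable pattern: a loopback TCP peer is trusted outright, so neither
    the Host header nor the token is consulted. The victim's browser, rebound
    to the attacker's hostname, still connects from 127.0.0.1."""
    if ipaddress.ip_address(peer_ip).is_loopback:
        return True
    return hmac.compare_digest(token.encode(), expected.encode())


def hardened_check(peer_ip: str, host_header: str, token: str,
                   expected: str, bound_port: int) -> bool:
    """Require a loopback Host header AND the bearer token, whatever the peer."""
    if not is_loopback_host(host_header, bound_port):
        return False
    return hmac.compare_digest(token.encode(), expected.encode())


def rebinding_demo() -> dict:
    """Constructed exchange: a rebound browser and a legitimate local client."""
    secret = "tok-constructed"
    rebound = dict(peer_ip="127.0.0.1", host_header="attacker.example:8080",
                   token="", expected=secret, bound_port=8080)
    legit = dict(peer_ip="127.0.0.1", host_header="127.0.0.1:8080",
                 token=secret, expected=secret, bound_port=8080)
    return {
        "rebound_passes_peer_only": peer_only_check(**rebound),
        "rebound_passes_hardened": hardened_check(**rebound),
        "legit_passes_hardened": hardened_check(**legit),
    }
```

The split of responsibilities matters: the Host check stops the rebinding vector, and the token check stops anything that can forge a Host header, such as a non-browser client on the same host. Dropping either one reopens a path.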
CVE

CVE-2026-58167

Nightingale (n9e) prior to 9.0.0-beta.2 exposes full datasource configurations (plaintext DB passwords, HTTP Bearer tokens, HTTP Basic passwords, and mTLS keys) via POST /api/n9e/datasource/list to any authenticated low-privilege user. The route lacks an admin gate and the DatasourceFilter does n...

CVSS 7.1 | AI score 5.8 | EPSS 0.00238
Exploits: 0 | References: 5
Cvelist

CVE-2026-58167 Nightingale < 9.0.0-beta.2 - Datasource Credential Disclosure to Low-Privilege Users

Nightingale n9e before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege Standard role user through POST /api/n9e/datasource/list. The route is...

CVSS 7.1 | EPSS 0.00238
Exploits: 0 | References: 5
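The JeecgBoot, JimuReport and Nightingale entries above share one shape: a handler reaches sensitive data without a declared authorization requirement, and the framework's interceptor treats "nothing declared" as "nothing to check". The following added example, not code from any of those projects, models that in Python with a route registry: a static audit that lists routes with no role requirement (the equivalent of grepping controllers for missing annotations), a dispatcher that can either skip the check when none is declared (the vulnerable interceptor behaviour) or fail closed, and a response filter that strips secret-bearing fields for non-admins. All paths, roles, field names and datasource records are hypothetical.

```python
"""Route-level authorization audit, fail-closed dispatch, secret redaction.

Added example, not JeecgBoot, JimuReport or Nightingale code. Paths, roles,
field names and records are hypothetical stand-ins.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

Handler = Callable[[dict, dict], dict]          # (user, request) -> response
ROUTES: Dict[Tuple[str, str], Handler] = {}
SECRET_FIELDS = {"password", "bearer_token", "basic_auth_password", "mtls_client_key"}


def route(method: str, path: str, roles: Optional[Set[str]] = None):
    """Register a handler. roles=None records that NO authorization requirement
    was declared, which is what the audit below looks for."""
    def wrap(fn: Handler) -> Handler:
        fn.required_roles = roles              # type: ignore[attr-defined]
        ROUTES[(method, path)] = fn
        return fn
    return wrap


def audit_unprotected_routes() -> List[Tuple[str, str]]:
    """Static check: every registered route must declare a role requirement."""
    return sorted(key for key, fn in ROUTES.items()
                  if getattr(fn, "required_roles", None) is None)


def redact_secrets(record: dict, user: dict) -> dict:
    """Response-side filter: non-admins never receive secret-bearing fields."""
    if "admin" in set(user.get("roles", ())):
        return record
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in record.items()}


def dispatch(method: str, path: str, user: dict, request: dict,
             fail_closed: bool = True) -> dict:
    fn = ROUTES.get((method, path))
    if fn is None:
        return {"status": 404}
    required = getattr(fn, "required_roles", None)
    if required is None:
        if not fail_closed:
            # Vulnerable interceptor behaviour: no declaration means no check.
            return fn(user, request)
        required = {"admin"}                   # fail closed: undeclared is admin-only
    if not (set(user.get("roles", ())) & required):
        return {"status": 403}
    return fn(user, request)


# Constructed datasource store; secrets are held in plaintext.
DATASOURCES = [
    {"id": 1, "name": "prod-pg", "url": "postgres://db:5432", "password": "hunter2"},
    {"id": 2, "name": "prom", "url": "https://prom:9090", "bearer_token": "tok-abc"},
]


@route("POST", "/api/datasource/list")             # hypothetical path, no role declared
def datasource_list(user: dict, request: dict) -> dict:
    return {"status": 200, "items": [redact_secrets(d, user) for d in DATASOURCES]}


@route("POST", "/api/openapi/credentials/list", roles={"admin"})   # hypothetical, gated
def openapi_credentials_list(user: dict, request: dict) -> dict:
    return {"status": 200, "items": [{"access_key": "AK1", "secret_key": "<redacted>"}]}


@route("POST", "/api/report/export")               # hypothetical path, no role declared
def report_export(user: dict, request: dict) -> dict:
    return {"status": 200, "report_id": request.get("report_id")}


if __name__ == "__main__":
    print("unprotected:", audit_unprotected_routes())
```

Run audit_unprotected_routes() as a test in CI so that a new controller method without a requirement fails the build rather than shipping; the redaction layer is the second line of defence for the case where a gate is missing anyway.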
The Hacker News

282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study

Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through their network traffic. In many cases, the path in was visible just by watching what the app sent: a plaintext API key, a reusable token, or a backend server that accepte...

AI score 5.8
Exploits: 0
CVE

CVE-2026-53692

CVE-2026-53692 affects Redeight CMS v1.0. The root cause is storing passwords with MD5 without a salt, a cryptographically broken hash, allowing attackers who obtain password hashes to reverse them via rainbow tables and expose plaintext credentials. The Connected CVE records confirm this in Rede...

CVSS 5.9 | AI score 5.8 | EPSS 0.00082
Exploits: 0 | References: 1
Cvelist

CVE-2026-53692 Weak hashing algorithm in Redeight CMS

Redeight CMS version 1.0 uses the MD5 algorithm without a salt to store user passwords. Because MD5 is a cryptographically broken algorithm and lacks salting, attackers who obtain the password hashes can trivially reverse them using rainbow tables, leading to the exposure of plaintext credentials...

CVSS 5.9 | EPSS 0.00082
Exploits: 0 | References: 1
EUVD

EUVD-2026-40294

Redeight CMS version 1.0 uses the MD5 algorithm without a salt to store user passwords. Because MD5 is a cryptographically broken algorithm and lacks salting, attackers who obtain the password hashes can trivially reverse them using rainbow tables, leading to the exposure of plaintext credentials...

CVSS 9.3 | AI score 5.8 | EPSS 0.00399
Exploits: 0 | References: 1
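Why unsalted MD5 falls to a precomputed table, as an added example that is not Redeight CMS code (the leaked user table and the wordlist are constructed): a lookup built once cracks every user at once, and two users with the same password are recognisable before anything is cracked. The salted PBKDF2-HMAC-SHA256 scheme beside it uses only the standard library; hash_password and verify_password are names chosen here.

```python
"""Unsalted MD5 password storage versus salted, iterated PBKDF2-HMAC-SHA256.

Added example, not Redeight CMS code. The user table and wordlist are
constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed 'leaked' user table using unsalted MD5.
LEAKED_MD5 = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",   # md5("password")
    "bob":   "5f4dcc3b5aa765d61d8327deb882cf99",   # identical digest: same password, no cracking needed
    "carol": "e10adc3949ba59abbe56e057f20f883e",   # md5("123456")
}
WORDLIST = ["letmein", "password", "123456", "qwerty"]   # constructed


def build_lookup(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once. Without a salt the table is
    reusable across every user and every site that used the same scheme."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def crack_unsalted(table: Dict[str, str], lookup: Dict[str, str]) -> Dict[str, str]:
    """One dictionary hit per user; cost does not grow with the user count."""
    return {user: lookup[h] for user, h in table.items() if h in lookup}


# Salted, iterated scheme. ITERATIONS follows current guidance for
# PBKDF2-HMAC-SHA256; tune to the hardware's cost budget.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'. A fresh 16-byte
    salt per user means equal passwords no longer produce equal records."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself does not leak digest bytes."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_MD5, build_lookup(WORDLIST)))
```

The iteration count is stored in the record so it can be raised later without invalidating existing hashes: verify with the stored count, then rehash at the new count on successful login.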
EUVD

EUVD-2026-40272

Raytha CMS is vulnerable to SQL Injection within the OData filter parsing pipeline. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL statements against the underlying PostgreSQL database, leading to full database compromise, including credential extraction...

CVSS 9.3 | AI score 5.9 | EPSS 0.00431
Exploits: 0 | References: 2
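A filter-parsing pipeline is where OData text turns into SQL, so it is the place to look for injection. The added example below is not Raytha's code: it contrasts a naive translation that splices the literal into the WHERE clause with a small $filter subset translator that binds every literal as a parameter and allowlists column names, both run against an in-memory SQLite table. The grammar subset, the table and its columns are constructed for the demonstration.

```python
"""OData $filter to SQL: string splicing versus parameters plus an allowlist.

Added example, not Raytha's code. The grammar subset, table and columns are
constructed for the demonstration.
"""
import re
import sqlite3
from typing import List, Tuple

COLUMNS = {"name", "status", "views"}   # identifiers never come from the request
OPS = {"eq": "=", "ne": "<>", "gt": ">", "ge": ">=", "lt": "<", "le": "<="}
TOKEN = re.compile(
    r"\s*(?:(\()|(\))|(and|or)\b"
    r"|(\w+)\s+(eq|ne|gt|ge|lt|le)\s+('(?:[^']|'')*'|\d+))", re.I)


def unsafe_where(expr: str) -> str:
    """The vulnerable pattern: the literal is spliced into SQL text, so a
    quote inside it ends the string and the rest becomes SQL."""
    m = re.fullmatch(r"\s*(\w+)\s+eq\s+'(.*)'\s*", expr, re.S)
    if not m:
        raise ValueError("unsupported filter")
    return f"{m.group(1)} = '{m.group(2)}'"


def translate_filter(expr: str) -> Tuple[str, List[object]]:
    """Return (where_sql, params). Literals become bind parameters, column
    names must be allowlisted, and anything unparseable is rejected."""
    expr = expr.strip()
    sql: List[str] = []
    params: List[object] = []
    pos = 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unparseable filter near {expr[pos:pos + 20]!r}")
        lpar, rpar, logic, col, op, lit = m.groups()
        if lpar or rpar:
            sql.append(lpar or rpar)
        elif logic:
            sql.append(logic.upper())
        else:
            if col.lower() not in COLUMNS:
                raise ValueError(f"unknown column {col!r}")
            sql.append(f'"{col.lower()}" {OPS[op.lower()]} ?')
            # OData doubles single quotes inside string literals.
            params.append(int(lit) if lit.isdigit() else lit[1:-1].replace("''", "'"))
        pos = m.end()
    return " ".join(sql), params


def run_demo() -> dict:
    """Constructed table and a tautology payload run through both paths."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (name TEXT, status TEXT, views INTEGER)")
    db.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                   [("hello", "published", 10), ("draft1", "draft", 0), ("secret", "private", 3)])
    payload = "name eq 'hello' OR '1'='1'"
    unsafe = db.execute(f"SELECT * FROM posts WHERE {unsafe_where(payload)}").fetchall()
    try:
        translate_filter(payload)
        rejected = False
    except ValueError:
        rejected = True
    where, params = translate_filter("name eq 'hello'")
    safe = db.execute(f"SELECT * FROM posts WHERE {where}", params).fetchall()
    return {"unsafe_rows": len(unsafe), "safe_rows": len(safe), "injection_rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```

The allowlist is as important as the parameters: column and table names cannot be bound, so they must be matched against a fixed set rather than echoed from the request.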
Nuclei

VICIdial - SQL Injection

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.

Template excerpt:
id: CVE-2024-8503
info:
  name: VICIdial - SQL Injection
  author: s4e-io
  severity: critical
  description: ...

CVSS 9.8 | AI score 7.4 | EPSS 0.79059
Exploits: 12 | References: 3