WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File

Hummingbird Performance WordPress plugin = 3.18.0 contains a sensitive information exposure caused by improper handling in the 'request' function, letting unauthenticated attackers extract sensitive data including Cloudflare API credentials, exploit requires no authentication. id: CVE-2025-14437...

FUXA <= 1.2.7 - Hardcoded JWT Secret Authentication Bypass

FUXA v1.2.7 contains a hardcoded credentials vulnerability caused by use of a hard-coded secret key in server/api/jwt-helper.js, letting remote attackers forge admin tokens and bypass authentication, exploit requires no special conditions. id: CVE-2025-69971 info: name: FUXA = 1.2.7 - Hardcoded J...

Electrolink FM/DAB/TV Transmitter - Credentials Disclosure

A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and Display v1.4, v1.2 allows unauthorized attackers to access credentials in plaintext. id: CVE-2025-28228 info: name: Electrolink FM/DAB/TV Transmitter - Credentials Disclosure...

ArgoCD Project API Token Repository Credentials Exposure

Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials usernames, passwords through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability...

Vue Vben Admin - Default Credentials

Vue Vben Admin 2.10.1 contains a broken authentication caused by hardcoded credentials in the backend, letting attackers log in without proper authorization, exploit requires access to the login interface. id: CVE-2025-25570 info: name: Vue Vben Admin - Default Credentials author: 0xAkoko severit...

NetMRI < 7.6.1 - Authentication Bypass via Hardcoded Credentials

An issue was discovered in Infoblox NETMRI before 7.6.1. Authentication Bypass via a Hardcoded credential can occur. id: CVE-2025-32815 info: name: NetMRI 7.6.1 - Authentication Bypass via Hardcoded Credentials author: iamnoooob,pdresearch severity: medium description: | An issue was discovered i...

Aquatronica Controller System <= 5.1.6 - Information Disclosure

Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit...

Ivanti Endpoint Manager - Authentication Bypass

Ivanti Endpoint Manager 2024 SU5 contains an authentication bypass caused by improper access control, letting remote unauthenticated attackers leak stored credential data, exploit requires no special privileges. id: CVE-2026-1603 info: name: Ivanti Endpoint Manager - Authentication Bypass author:...

Tieline IP Audio Gateway <=2.6.4.8 - Unauthorized Remote Admin Panel Access

Tieline IP Audio Gateway 2.6.4.8 and below is affected by a vulnerability in the web administrative interface that could allow an unauthenticated user to access a sensitive part of the system with a high privileged account. id: CVE-2021-35336 info: name: Tieline IP Audio Gateway =2.6.4.8 -...

ZZcms - Cross-Site Scripting

ZZcms 2019 contains a cross-site scripting vulnerability in the user login page. An attacker can inject arbitrary JavaScript code in the referer header via user/login.php, which can allow theft of cookie-based credentials and launch of subsequent attacks. id: CVE-2020-20285 info: name: ZZcms -...

SonarQube - Authentication Bypass

SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. id: CVE-2020-27986 info: name: SonarQube - Authentication Bypass author: pikpikcu severity: high description: | SonarQube 8.4.2.36762 allows remote attackers to...

Wireless Multiplex Terminal Playout Server <=20.2.8 - Default Credential Detection

Wireless Multiplex Terminal Playout Server =20.2.8 has a default account with a password of pokon available via its web administrative interface. id: CVE-2020-35338 info: name: Wireless Multiplex Terminal Playout Server =20.2.8 - Default Credential Detection author: Jeya Seelan severity: critical...

Grafana & Zabbix Integration - Credentials Disclosure

Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the apijsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search...

Wavlink WL-WN533A8 M33A8.V5030.190716 - Information Disclosure

An access control issue in the component /cgi-bin/ExportLogs.sh of Wavlink WL-WN533A8 M33A8.V5030.190716 allows unauthenticated attackers to download configuration data and log files and obtain admin credentials. id: CVE-2022-48164 info: name: Wavlink WL-WN533A8 M33A8.V5030.190716 - Information...

Trendnet AC2600 TEW-827DRU - Credentials Disclosure

Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. A user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page. id: CVE-2021-20150 info: name: Trendnet AC2600 TEW-827DR...

Microweber Information Disclosure

Microweber contains a vulnerability that allows exposure of sensitive information to an unauthorized actor in Packagist microweber/microweber prior to 1.2.11. id: CVE-2022-0281 info: name: Microweber Information Disclosure author: pikpikcu severity: high description: Microweber contains a...

Jiangnan Online Judge 0.8.0 - Local File Inclusion

Jiangnan Online Judge aka jnoj 0.8.0 is susceptible to local file inclusion via web/polygon/problem/viewfile?id=1&name=../. id: CVE-2019-17538 info: name: Jiangnan Online Judge 0.8.0 - Local File Inclusion author: pussycat0x severity: high description: | Jiangnan Online Judge aka jnoj 0.8.0 is...

TOTOLINK/Realtek Routers - Information Disclosure

A certain router administration interface using Realtek APMIB e.g., on TOTOLINK models allows unauthenticated remote attackers to disclose the entire router configuration, including sensitive credentials, via accessing the "config.dat" file. Affected devices include TOTOLINK A3002RU through 2.0.0...

VICIdial - SQL Injection

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database. id: CVE-2024-8503 info: name: VICIdial - SQL Injection author: s4e-io severity: critical description:...

ZKTeco BioTime <= 9.0.1 - Privilege Escalation

BioTime default employee credentials password 123456 allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files. id: CVE-2023-38952 info: name: ZKTeco BioTime = 9.0.1 - Privilege Escalation author: riteshs4hu severity: high...