EUVD-2026-36587

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext...

CVE-2026-44784

Discourse has a vulnerability where non-staff group owners can access a group’s outgoing SMTP credentials in plaintext via the group history log (/groups/:name/logs.json). Affected fields include email_password, email_username, smtp_server, smtp_port, and smtp_ssl_mode, with SMTP password being t...

CVE-2026-50099

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits...

GHSA-3GP5-Q4JW-3V94 Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL

Summary Budibase stores external REST datasource credentials server-side and documents that database credentials are applied server-side and are not exposed in the UI. The REST datasource implementation redacts stored Basic/Bearer/OAuth2 auth secrets before returning datasource data to clients...

CVE-2026-50099 Naxclow IoT Platform Insertion of sensitive information into Externally-Accessible file or directory

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits...

EUVD-2026-36538

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits...

CVE-2026-50099

CVE-2026-50099 affects Naxclow IoT platform firmware. During WiFi association, the device prints host network SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. UART pads are labeled, run with default serial settings, and drop to an interactive RT-T...

CVE-2026-50099 Naxclow IoT Platform Insertion of sensitive information into Externally-Accessible file or directory

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits...

CVE-2026-50108

The CVE-2026-50108 entry concerns the Naxclow IoT Platform API where device relay registration details are returned with a persistent credential without verifying the requester’s identity. An actor who can present a platform-valid request signature can retrieve credentials for arbitrary devices a...

CVE-2026-50108 Naxclow IoT Platform Missing Authorization

The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register o...

CVE-2026-50101 Naxclow IoT Platform Not using password aging

Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintai...

CVE-2026-50083

The Aqara IAM/SSO Gateway gw-builder.aqara.com used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 9.1 Critical. When combined with CVE-2026-50082, CVE-50084, a...

MAL-2026-5696 Malicious code in voyager-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a7f4f15201378ec6cee4268469e85e17e50f3f5299d94a250031d6c2693177b8 package.json declares both preinstall and postinstall lifecycle hooks that execute callback.js on npm install. callback.js collects installer-side...

CVE-2026-10557

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers...

EUVD-2026-36473

The Aqara IAM/SSO Gateway gw-builder.aqara.com used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 9.1 Critical. When combined with CVE-2026-50082, CVE-50084, a...

CVE-2026-50083

The CVE-2026-50083 entry concerns the Aqara IAM/SSO Gateway (gw-builder.aqara.com) using a hardcoded OAuth client credential (CWE-798). This weak credential could enable a fully unauthenticated, remote takeover when combined with CVE-2026-50082, CVE-50084, and CVE-50085. Documented CVSSv3.1 base ...

CVE-2026-50083 Aqara hardcoded OAuth client credentials

The Aqara IAM/SSO Gateway gw-builder.aqara.com used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 9.1 Critical. When combined with CVE-2026-50082, CVE-50084, a...

CVE-2026-50083 Aqara hardcoded OAuth client credentials

The Aqara IAM/SSO Gateway gw-builder.aqara.com used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 9.1 Critical. When combined with CVE-2026-50082, CVE-50084, a...

MAL-2026-5693 Malicious code in sea-bound-siren (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cd5f2d5cc691968b1bb69f12ea7476c618f6432b42976869906df06312b912c0 On npm install, postinstall.js executes a shell pipeline that collects the output of id, os.hostname, the full process environment env | sort, the...

DEBIAN-CVE-2026-1836

The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login credentials...