Lucene search
K

265 matches found

Rapid7 Blog
Rapid7 Blog
added 2026/04/21 2:38 p.m.17 views

Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained

Overview For executive leadership, the emergence of Kyber ransomware represents a significant and immediate threat due to its specialized, dual-platform deployment capability targeting mission-critical virtualization infrastructure VMware ESXi and core Windows file systems. This cross-platform...

6.1AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/04/16 4:32 p.m.6 views

CVE-2026-40091

A flaw was found in SpiceDB. When SpiceDB starts with log level info, the startup configuration log will expose the full datastore Data Source Name DSN, including the plaintext password. This vulnerability allows an attacker with access to these logs to obtain sensitive database credentials,...

6CVSS5.8AI score0.00166EPSS
Exploits0References5
NVD
NVD
added 2026/04/15 4:17 a.m.12 views

CVE-2026-40091

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside...

6CVSS0.00166EPSS
Exploits0References2
CVE
CVE
added 2026/04/14 11:50 p.m.9 views

CVE-2026-40091

SpiceDB 1.49.0–1.51.0 logs startup configuration with the full datastore DSN (DatastoreConfig.URI), including plaintext password, when the log level is info. This exposes credentials in startup logs. The issue is fixed in 1.51.1. If upgrading is not possible, the recommended workaround is to set ...

6CVSS5.8AI score0.00166EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/14 11:50 p.m.5 views

CVE-2026-40091 SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside...

6CVSS5.8AI score0.00166EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/14 11:50 p.m.3 views

CVE-2026-40091

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside...

6CVSS5.8AI score0.00166EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/04/14 11:50 p.m.18 views

CVE-2026-40091 SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside...

6CVSS0.00166EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/14 10:33 p.m.6 views

SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

Impact When SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. Patches v1.51.1 Workarounds Change the log level to warn or error...

6CVSS5.8AI score0.00166EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/04/14 10:33 p.m.4 views

Insertion of Sensitive Information into Log File

Overview github.com/authzed/spicedb/pkg/cmd/server is a Google Zanzibar-inspired fine-grained permissions database Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the configuration log output during startup when the log level is set to info...

6.7CVSS5.8AI score0.00166EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/14 10:33 p.m.4 views

EUVD-2026-22815

SpiceDB's SPICEDBDATASTORECONNURI is leaked on startup logs...

6CVSS5.8AI score0.00166EPSS
Exploits0References2
OSV
OSV
added 2026/04/14 10:33 p.m.2 views

GHSA-JF4F-RR2C-9M58 SpiceDB's SPICEDB_DATASTORE_CONN_URI is leaked on startup logs

Impact When SpiceDB starts with log level info, the startup "configuration" log will include the full datastore DSN, including the plaintext password, inside DatastoreConfig.URI. Patches v1.51.1 Workarounds Change the log level to warn or error...

6CVSS5.8AI score0.00166EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.5 views

PT-2026-32969

Name of the Vulnerable Software and Affected Versions SpiceDB versions 1.49.0 through 1.51.0 Description When the system starts with the log level set to info, the startup 'configuration' log exposes the full datastore DSN, including the plaintext password, within the DatastoreConfig.URI variable...

6CVSS5.9AI score0.00166EPSS
Exploits0References7
OSV
OSV
added 2026/04/13 3:25 p.m.2 views

MAL-2026-2574 Malicious code in @amplify-js/datastore (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a31c933f191cd94be3e10adb951ed57652fe41955589d37ce8c200c96256f36e The package @amplify-js/datastore was found to contain malicious code. Source: ghsa-malware...

5.7AI score
Exploits0References1
Snyk
Snyk
added 2026/04/13 3:25 p.m.5 views

Malicious Package

Overview @amplify-js/datastore is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/04/13 3:25 p.m.11 views

Malicious code in @amplify-js/datastore (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a31c933f191cd94be3e10adb951ed57652fe41955589d37ce8c200c96256f36e The package @amplify-js/datastore was found to contain malicious code. Source: ghsa-malware...

5.7AI score
Exploits0References1
Snyk
Snyk
added 2026/04/02 6:42 p.m.1 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection in the Apple MDM profile delivery pipeline. An attacker can access or modify sensitive database contents, such as user credentials, API tokens, and device enrollment secrets, by sending a malicious UDID during the MDM...

8.6CVSS6.2AI score0.00197EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/27 8:22 p.m.5 views

Exposure of Data Element to Wrong Session

Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the MDM command processing while handling SyncML status code. An attacker can obtain sensitive configuration data belonging to other devices such as WiFi credentials, VPN secrets, and...

8.7CVSS5.9AI score0.00161EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/27 8:22 p.m.5 views

Exposure of Data Element to Wrong Session

Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the MDM command processing while handling SyncML status code. An attacker can obtain sensitive configuration data belonging to other devices such as WiFi credentials, VPN secrets, and...

8.7CVSS5.9AI score0.00161EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/20 7:21 a.m.22 views

CVE-2026-33060 CKAN MCP Server: SSRF via base_url allows access to internal networks

CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to...

5.3CVSS0.00289EPSS
Exploits1References2
OSV
OSV
added 2026/03/20 7:21 a.m.4 views

CVE-2026-33060 CKAN MCP Server: SSRF via base_url allows access to internal networks

CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to...

5.3CVSS5.8AI score0.00289EPSS
Exploits1References4
Rows per page
Query Builder