CVE-2026-39393 Post-Installation Re-entry via Cache-Dependent Install Guard Bypass in ci4ms
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check `cache('settings')` combined with .env file existence to block...
CVE-2024-20489
A vulnerability in the storage method of the PON Controller configuration file could allow an authenticated, local attacker with low privileges to obtain the MongoDB credentials. This vulnerability is due to improper storage of the unencrypted database credentials on the device that is running...
Design/Logic Flaw
Mattermost Server fails to redact the DB username and password before emitting an application log during server initialization...
MTN Group: Download full backup [Mtn.co.rw]
Summary: I discovered a few critical vulnerabilities here; one of them is exposed backup files via directory listing. Steps To Reproduce: go to https://mtn.co.rw/mtn.zip and download the file, extract the file and open it, and you will see the full backup of the website. Similar report:...
U.S. Dept Of Defense: critical information disclosure
Description: Hey all, I have found critical information through this endpoint ████ on ███████: DB credentials such as DBNAME, DBUSER, DBPASSWORD, DBHOST, etc. Impact: full access control on the DB service on the website. System Hosts: ███ Affected Products and Versions: CVE Numbers: Steps to Reproduce: Go to...
Nextcloud: Acting under any different user via DB-stored credentials
The issue is related to all Nextcloud versions. It is not patched yet. All versions 18-20 seem to be vulnerable. The issue came up in the following environment: - nextcloud docker image 20.0.2 and 20.0.3 - LDAP authentication - external SMB shares via DB-stored credentials. The problem came up...
U.S. Dept Of Defense: Blind Stored XSS Payload fired at the backend on https://█████████/
Summary: I have just gotten an email notification from my XSSHunter payload that my blind stored XSS has been triggered by an administrator on the █████████ site, in the following URL: https://█████/████ Admin IP address: ████████ User-Agent: █████████ Cookies: ██████...
XCloner Backup and Restore 4.2.1 - 4.2.12 - Unprotected AJAX Action
"This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on a vulnerable site’s server. Alternatively, an attacker could create an exploit cha...
U.S. Dept Of Defense: Local File Disclosure on the ████████ (https://████/) leads to the source code disclosure & DB credentials leak
Description: I discovered another LFD on the https://████/ virtual host on the █████ IP. POC: https://█████/file.ashx?path=web.config will download the website configuration file. It exposes different DB credentials than in previous reports: ███ Similarly, an attacker is able to get the content of any...
U.S. Dept Of Defense: Local File Disclosure on the █████ (https://████████.edu/) leads to the full source code disclosure and credentials leak
A local file disclosure vulnerability was discovered on the █████ website https://████████.edu/. The vulnerability allowed an attacker to download the website's configuration file, which exposed the database credentials. Additionally, the source code for certain server-side resources was also...
Rockstar Games: Leak IP internal
The researcher found an old marketing web application for one of our previous titles that was not properly decommissioned. As a result, an internal IP address and a set of DB credentials were being exposed. Fortunately, the database in question had already been decommissioned so the credentials...
Ashley Madison 2.0 — Hackers Leak 20GB Data Dump, Including CEO's Emails
The Impact Team – Wait, Cheaters! We haven't yet done. The group of hackers behind the breach of Ashley Madison, the popular cheater's dating service, have released a second, even much bigger 'cheat sheet' exposing sensitive materials that include sensitive corporate information. Two days ago, th...
CVE-2014-0894
RICOS in IBM Algo Credit Limits aka ACLM 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows context-dependent attackers to discover database credentials by reading the DbUser and DbPass fields in an XML document...
Eurologon CMS Db credentials disclosure / files download
Http://www.inj3ct-it.org Staffatinj3ct-itdotorg...
Eurologon CMS - files.php Arbitrary File Download
Http://www.inj3ct-it.org Staffatinj3ct-itdotorg...
Re: PHP-Nuke NSN Script Depository module <= 1.0.3 Remote Source / DB Credentials Disclosure
Sorry, I've made a mistake! Only the versions = 1.0.0 are vulnerable!...
PHP-Nuke NSN Script Depository module <= 1.0.3 Remote Source / DB Credentials Disclosure
Http://www.inj3ct-it.org Staffatinj3ct-itdotorg...