8 matches found

Github Security Blog
added 2026/05/08 4:32 p.m., 5 views

gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense

Unauthenticated HTTP Transport Allows Unlimited Google Maps API Calls at Operator Expense. The gmaps-mcp codebase was reviewed at commit e671db68c804c9e67d51582d3280839ffa65f127 and three issues worth flagging were discovered: one high-severity, one medium, one structural. There were no...

5.9 AI score
Exploits 0, References 4, Affected Software 1
Github Security Blog
added 2026/03/25 5:30 p.m., 2 views

@grackle-ai/powerline Runs Without Authentication by Default

Impact: When --token is not provided and GRACKLEPOWERLINETOKEN is not set, the PowerLine gRPC server runs with zero authentication. A warning is logged ("NO AUTH development only") but nothing prevents deployment in this state. Any client that can reach the PowerLine port can spawn agent sessions,...

5.9 AI score
Exploits 0, References 2, Affected Software 1
Cvelist
added 2026/03/18 5:18 a.m., 24 views

CVE-2026-32596 Glances exposes the REST API without authentication

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with glances -w, exposing REST API with sensitive system information including process command-lines containing credentials passwords, API keys,...

8.7 CVSS, 0.04747 EPSS
Exploits 1, References 3
CVE
added 2025/12/09 6:11 p.m., 9 views

CVE-2025-34414

Entrust Instant Financial Issuance (IFI) On Premise (CardWizard) versions 5.x, before 6.10.5 and before 6.11.1, contain an insecure .NET Remoting exposure in the Legacy Remoting Service enabled by default. The Legacy Remoting Service registers a TCP remoting channel with SOAP and binary formatter...

9.3 CVSS, 8.2 AI score, 0.01272 EPSS
Exploits 0, References 3
CNNVD
added 2025/10/29 12:00 a.m., 1 views

Dataphone A920 Security Vulnerability

Dataphone A920 is a POS from Dataphone USA. A security vulnerability exists in Dataphone A920 version v2025.07.161103, which originates from exposing services on port 8888 on the local network by default and without authentication, which could lead to unauthorized device interaction and informati...

7.5 CVSS, 6.1 AI score, 0.00062 EPSS
Exploits 0, References 2
RedhatCVE
added 2025/05/22 5:00 a.m., 2 views

CVE-2017-17877

An issue was discovered in Valve Steam Link build 643. When the SSH daemon is enabled for local development, the device is publicly available via IPv6 TCP port 22 over the internet with stateless address autoconfiguration by default, which makes it easier for remote attackers to obtain access by...

10 CVSS, 6.6 AI score, 0.01273 EPSS
Exploits 0, References 1
Japan Vulnerability Notes
added 2022/05/19 6:13 a.m., 2 views

Multiple vulnerabilities in Rakuten Casa

Overview: Rakuten Casa provided by Rakuten Mobile, Inc. contains multiple vulnerabilities listed below. Use of Hard-coded Credentials (CWE-798) - CVE-2022-29525; Improper Access Control (CWE-284) - CVE-2022-28704; Improper Access Control (CWE-284) - CVE-2022-26834. CVE-2022-29525 Narumi Hirai of LAC Co.,...

9.8 CVSS, 7.1 AI score, 0.08563 EPSS
Exploits 0, References 10
RedHat Linux
added 2021/02/24 5:47 p.m., 0 views

ansible: user data leak in snmp_facts module

A flaw was found in ansible. The 'authkey' and 'privkey' credentials are disclosed by default and not protected by the no_log feature when using the snmp_facts module. Attackers could take advantage of this information to steal the SNMP credentials. The highest threat from this vulnerability is to data...

5.5 CVSS, 6.8 AI score, 0.00028 EPSS
Exploits 0, References 4