CVE-2026-49983
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot...
Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access
Summary In Deno, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env. process.loadEnvFile the Node-compatible...
PT-2026-50155
Name of the Vulnerable Software and Affected Versions: Deno versions prior to 2.8.1. Description: Environment access is managed by the env permission, which can be restricted via --deny-env or an allowlist using --allow-env=FOO,BAR. The process.loadEnvFile function, a Node-compatible API for loading...
[SECURITY] Fedora 43 Update: python-dotenv-1.2.2-1.fc43
Reads the key/value pairs from a .env file and can add them to environment variables...
[SECURITY] Fedora 44 Update: python-dotenv-1.2.2-1.fc44
Reads the key/value pairs from a .env file and can add them to environment variables...
OpenClaw Security Vulnerability
OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that stems from a failure to properly preserve the OPENCLAWRuntime Control Environment namespace in the workspace dotenv file, which can be exploited by an attacker to manipula...
EUVD-2026-23998
OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment...
CVE-2026-39394 CI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which...
CI4MS Access Control Error Vulnerability
CI4MS is an open-source blog page management tool developed by Ci4MS. Versions of CI4MS prior to 0.31.4.0 contained an access control vulnerability. This vulnerability stemmed from the reliance on volatile cache checks for routing protection, which could lead to ineffective protection when the...
Untrusted Search Path
Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Untrusted Search Path via the loading of .env files from the current working directory before trusted configuration is applied. An attacker can override runtime configuration and...
Storybook manager bundle may expose environment variables during build
On December 11th, the Storybook team received a responsible disclosure alerting them to a potential vulnerability in certain built and published Storybooks. The vulnerability is a bug in how Storybook handles environment variables defined in a .env file, which could, in specific circumstances, le...
CVE-2025-68429 Storybook manager bundle may expose environment variables during build
Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10 relates to Storybook’s handling of environment variables defined in a .env file, which could...
Improper Configuration Management
TinyEnv is vulnerable to Improper Configuration Management. The vulnerability is due to the application not requiring the .env file to exist when loading environment variables, which allows an attacker or misconfiguration to cause the application to run with insecure defaults or missing...
Improper Check or Handling of Exceptional Conditions
Overview: datahihi1/tiny-env is a simple environment variable loader for PHP applications. Affected versions of this package are vulnerable to Improper Check or Handling of Exceptional Conditions due to the loading of environment variables without requiring the .env file to exist. An attacker can...
GHSA-88F9-7XXH-C688 Cachet configuration leak
Impact: Authenticated users, regardless of their privileges (User or Admin), can leak the value of any configuration entry of the dotenv file, e.g. the application secret APPKEY and various passwords (email, database, etc.). Patches: This issue was addressed by improving UpdateConfigCommandHandler and...
CVE-2021-39174
Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can leak the value of any configuration entry of the dotenv file, e.g. the application secret APPKEY and various passwords (email, database, etc.). This issue was...
Default configuration
Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can leak the value of any configuration entry of the dotenv file, e.g. the application secret APPKEY and various passwords (email, database, etc.). This issue was...