CVE-2026-44784 Discourse: Non-staff group owners can see email password in plaintext through group history

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext...

CVE-2026-44784 Discourse: Non-staff group owners can see email password in plaintext through group history

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext...

CVE-2026-50026 Frappe: Lack of permissions checks in 'relink' and 'set_email_password' endpoints

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0...

CVE-2026-50026

Frappe (full‑stack web framework) contains a permission-checking flaw in the relink and set_email_password endpoints. Prior to versions 15.107.0 and 16.17.0, lack of proper authorization allowed unauthorized access to resources. The issue has been patched in those versions; remediation is to upgr...

CVE-2026-50026 Frappe: Lack of permissions checks in 'relink' and 'set_email_password' endpoints

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0...

GHSA-66M2-V9V9-95C3 ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM XSS via System Settings – Mail Settings Same-Page Attribute Breakout & Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Mail Settings Configuration Fields Description The application fails to properly sanitize user-controlled input withi...

Cross-site Scripting (XSS)

Overview ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized input in the Mail Settings configuration fields. An attacker can execute arbitrary JavaScript in the browser context of an...

EUVD-2026-16415

Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid...

PT-2026-7672

AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. Attackers can retrieve sensitive user information including email, password hash, and administrative status by manipulating the use...

CVE-2017-18045

JBMC DirectAdmin before 1.52, when the emailftppasswordchange setting is nonzero, allows remote attackers to obtain access or cause a denial of service segfault via an unspecified request...

Siemens SICAM Q100/Q200 Cleartext Storage of Sensitive Information (CVE-2025-40752)

Affected devices store the password for the SMTP account as plain text. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for...

CVE-2021-4466 IPCop <= 2.1.9 Authenticated RCE

IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAILPW parameter, directly into system-level operations without...

CVE-2021-4466 IPCop <= 2.1.9 Authenticated RCE

IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAILPW parameter, directly into system-level operations without...

CVE-2021-4466

IPCop

PT-2025-47017

Name of the Vulnerable Software and Affected Versions IPCop versions up to and including 2.1.9 Description IPCop versions up to and including 2.1.9 have an issue allowing authenticated remote code execution within the web-based administration interface. The email configuration component inserts...

CVE-2025-12363

Email Password Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...

CVE-2025-12363

Email Password Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...

CVE-2025-12363

Email Password Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...

EUVD-2025-36231

Email Password Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...

CVE-2025-12363 Email Password Disclosure

Email Password Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...