EUVD-2026-24515

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys...

CVE-2026-6830 Nesquena Hermes WebUI Environment Variable Credential Leakage via Profile Switch

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys...

CVE-2026-6830

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys...

EUVD-2016-6652

Malware in sbrugna...

EUVD-2024-0272

Malicious code in bioql PyPI...

CVE-2021-24226

In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the accessallyorderform shortcode is dumping serialize$SERVER, which contains all environment variables. The leakage occurs on all public facing pages containing the...

CVE-2024-40647

sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SDK 2.8.0 allows the environment variables to be passed to subprocesses despite the env= setting. In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifical...

Information Disclosure

github.com/anchore/syft is vulnerable to Information Disclosure. The vulnerability exists due to the SYFTATTESTPASSWORD environment variable in the syft logs leaking when -vv or -vvv are used in the syft command which is any log level = DEBUG and in the attestation or SBOM only when the syft-json...

Updated docker-containerd packages fix security vulnerability

In containerd an industry-standard container runtime before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service that share the same image may receive incorrect...

CVE-2021-24226

Summary: CVE-2021-24226 affects the WordPress AccessAlly plugin prior to 3.5.7. The vulnerability resides in the file resource/frontend/product/product-shortcode.php, which handles the [accessally_order_form] shortcode and dumps serialize($_SERVER), exposing environment variables on any public pa...

DEBIAN-CVE-2020-14370

An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into...