44 matches found
EyesOfNetwork - Hardcoded API Key & SQL Injection
An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/apifunctions.php. id: CVE-2020-8656 info: name:...
CVE-2026-48245
Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud...
CVE-2026-48243
Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...
MAL-2026-4380 Malicious code in @dekuzxc/nexca (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 35a4db02ce3d3ea022c8a6b5349975b4721d3f2c5b516b6c3dd3dddbfa802271 When a consumer uses the advertised api.listen/listenE2EE flow, every incoming message attachment of type "photo" is auto-uploaded to imgbb.com using...
MAL-2026-4558 Malicious code in fastgrc-openclaw (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 158457237168ef50e3a6c4cd33f51e23f6aec642593745a3d11b9b4870ef36ce The package is an AI agent policy-check plugin. When a consumer does not configure their own API key, resolveApiKey returns a hardcoded BUNDLEDAPIKEY...
MAL-2026-4748 Malicious code in eplang (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d53e4571f8ccfc385a265dfd47cbea9793946762a794aff432e98614ee10b21 The package ships epl/.aiconfig.json containing a hardcoded Groq API key with provider set to 'groq'. On any AI-related CLI invocation epl ai, epl ge...
MAL-2026-4743 Malicious code in buddyme (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f4ae4b8c00d27e82d54a5d2d960b1dc4f40ba15bc938355bad8421c338d6ef6 buddyme advertises a CLI agent. When installed and run, the default REPL routes every prompt the user types to third-party LLM providers Zhipu GLM at...
CVE-2020-7999
The Intellian Aptus application 1.0.2 for Android has hardcoded values for DOWNLOADAPIKEY and FILEDOWNLOADAPIKEY...
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
Impact The Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. Patches Fixed by hardcoding the...
EUVD-2020-28912
Malware in sbrugna...
EUVD-2022-31222
Malicious code in bioql PyPI...
EUVD-2025-6075
Malicious code in bioql PyPI...
EUVD-2023-27232
Malicious code in bioql PyPI...
EUVD-2025-16445
Malicious code in bioql PyPI...
EUVD-2024-16164
Malicious code in bioql PyPI...
CVE-2025-48491
Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in the source code. This issue has been patched in the pre-beta version...
CVE-2025-48491
Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in the source code. This issue has been patched in the pre-beta version...
PT-2025-23241 · Unknown · Project Ai
Name of the Vulnerable Software and Affected Versions: Project AI versions prior to pre-beta Description: The issue concerns a hardcoded API key present in the source code of Project AI, a platform for creating AI agents. This problem has been resolved in the pre-beta version. Recommendations: Fo...
CVE-2023-23132
Selfwealth iOS mobile App 3.3.1 is vulnerable to Sensitive key disclosure. The application reveals hardcoded API keys...
CVE-2020-35137
The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work aka com.mobileiron. The key is in com/mobileiron/registration/RegisterActivity.java and can be used for...