OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response
Description When OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It...
GHSA-5VP3-3CG6-2RQ3 JustHTML is vulnerable to XSS via code fence breakout in <pre> content
Summary tomarkdown is vulnerable when serializing attacker-controlled content. The handler emits a fixed three-backtick fenced code block, but writes decoded text content into that fence without choosing a delimiter longer than any backtick run inside the content. An attacker can place backticks...
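To make the fence-breakout mechanism concrete, the following added example (written for this page; it is not JustHTML's code and does not call the library) contrasts a serializer that always emits a fixed three-backtick fence with one that picks a fence longer than the longest backtick run in the content, which is what CommonMark requires for the content to be unable to close the block early. The attacker text and the `extract_first_fence` scanner are constructed here to show the effect; the scanner applies only the CommonMark closing-fence rule (a line of at least as many backticks as the opener and nothing else).

```python
import re

# Constructed attacker-controlled <pre> text (not from the advisory): it contains a
# three-backtick line that closes a fixed ``` fence, followed by raw HTML that a
# downstream Markdown renderer would then emit outside the code block.
ATTACKER_PRE_TEXT = "harmless\n```\n<img src=x onerror=alert(1)>\n```\nmore"


def fence_fixed(text: str) -> str:
    """The vulnerable pattern: a fixed three-backtick fence around decoded content."""
    return "```\n" + text + "\n```\n"


def longest_backtick_run(text: str) -> int:
    """Length of the longest run of consecutive backticks in the content (0 if none)."""
    return max((len(m) for m in re.findall(r"`+", text)), default=0)


def fence_safe(text: str) -> str:
    """Hardened form: the fence is strictly longer than any backtick run in the content,
    so no content line can satisfy the closing-fence rule. Three is the CommonMark minimum."""
    width = max(3, longest_backtick_run(text) + 1)
    fence = "`" * width
    return f"{fence}\n{text}\n{fence}\n"


def extract_first_fence(markdown: str) -> str:
    """Return the body of the first fenced code block, using CommonMark's closing rule:
    a closing fence is a line consisting only of at least as many backticks as the opener.
    Anything after an early close would be rendered as ordinary Markdown/HTML."""
    lines = markdown.splitlines()
    opener = re.match(r"^(`{3,})\s*$", lines[0]) if lines else None
    if opener is None:
        raise ValueError("input does not start with a backtick fence")
    width = len(opener.group(1))
    closing = re.compile(r"^`{%d,}\s*$" % width)
    body = []
    for line in lines[1:]:
        if closing.match(line):
            return "\n".join(body)
        body.append(line)
    return "\n".join(body)  # unterminated fence runs to end of document


def breaks_out(serializer, text: str) -> bool:
    """True if the serialized block does not round-trip the content unchanged,
    i.e. the content managed to terminate the fence early."""
    return extract_first_fence(serializer(text)) != text


if __name__ == "__main__":
    print("fixed fence breaks out:", breaks_out(fence_fixed, ATTACKER_PRE_TEXT))  # True
    print("safe fence breaks out: ", breaks_out(fence_safe, ATTACKER_PRE_TEXT))   # False
```

The same check generalizes to tilde fences and to content that contains runs of four or more backticks: whatever the attacker supplies, the opener is recomputed from the content, so the closing-fence rule can never be satisfied from inside the block.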
Security Bulletin: Multiple Vulnerabilities in IBM Engineering AI Hub
Summary Multiple vulnerabilities were addressed in IBM Engineering AI Hub version 1.1.0. Vulnerability Details CVEID:CVE-2025-58751 DESCRIPTION: Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the publi...
CVE-2025-65000
SSH private keys of the "Remote alert handlers Linux" rule were exposed in the rule page's HTML source in Checkmk <= 2.4.0p18 and all versions of Checkmk 2.3.0. This potentially allowed unauthorized triggering of predefined alert handlers on hosts where the handler was deployed...
EUVD-2025-27180
Malicious code in bioql PyPI...
CVE-2025-58752
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or server.host config option and...
PT-2025-36529
Name of the Vulnerable Software and Affected Versions: Vite versions prior to 7.1.5 Vite versions prior to 7.0.7 Vite versions prior to 6.3.6 Vite versions prior to 5.4.20 Description: Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML...
CVE-2023-28444
angular-server-side-configuration helps configure an angular application at runtime on the server or in a docker container via environment variables. angular-server-side-configuration detects used environment variables in TypeScript .ts files during build time of an Angular CLI project. The...
CVE-2020-29550
An issue was discovered in URVE Build 24.03.2020. The password of an integration user account used for the connection of the MS Office 365 Integration Service is stored in cleartext in configuration files as well as in the database. The following files contain the password in cleartext:...
Urve Information Disclosure Vulnerability
Urve is a device for booking meeting rooms/rooms from Urve UK. The device supports integration with MS Exchange, Lotus, Office 365, Google Calendar and other systems to support meeting room and guest room reservations. A security vulnerability exists in URVE Build 24.03.2020, which arises when th...
PT-2020-17186 · Microsoft · Ms Office 365
Name of the Vulnerable Software and Affected Versions: URVE Build 24.03.2020 Description: An issue was discovered where the password of an integration user account, used for the connection of the MS Office 365 Integration Service, is stored in cleartext in configuration files as well as in the...
CVE-2020-3547
A vulnerability in the web-based management interface of Cisco AsyncOS software for Cisco Email Security Appliance ESA, Cisco Content Security Management Appliance SMA, and Cisco Web Security Appliance WSA could allow an authenticated, remote attacker to access sensitive information on an affecte...
PYSEC-2020-230
In Django User Sessions django-user-sessions before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the...