
78 matches found

OSSF Malicious Packages
added 2026/05/26 9:10 a.m., 14 views

Malicious code in massive (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02d8dea3e47a2bd45fc796f33fc582956aec2be887add9672fd5eccc91c2135d Package self-describes as the 'Official Massive formerly Polygon.io REST and Websocket client,' a false rebrand claim — Polygon.io has not changed...

AI score 5.9
Exploits 0, References 1
Positive Technologies
added 2026/05/21 12:00 a.m., 6 views

PT-2026-42527

Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false and not setting CURLOPT_SSL_VERIFYHOST for outbound HTTPS requests issued during the mobile RouteMate login flow. A...

CVSS 8.2, AI score 5.9, EPSS 0.00022
Exploits 0, References 4
CVE
added 2026/05/19 6:00 a.m., 12 views

CVE-2025-15609

The CVE-2025-15609 entry concerns the Fortis for WooCommerce WordPress plugin prior to version 1.3.1. The vulnerability allows unauthenticated attackers to leak sensitive API keys and query Fortis’ API, enabling retrieval of sensitive customer data (e.g., past orders and PII). The available sourc...

CVSS 7.5, AI score 5.8, EPSS 0.00029
Exploits 0, References 1
Vulnrichment
added 2026/05/12 7:48 a.m., 5 views

CVE-2026-4663

...

AI score 5.8, EPSS 0.00075
Exploits 0
Positive Technologies
added 2026/04/21 12:00 a.m., 4 views

PT-2026-34194

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys...

CVSS 4.8, AI score 5.8, EPSS 0.00016
Exploits 0, References 7
CNNVD
added 2026/04/02 12:00 a.m., 2 views

cveClient Security Vulnerability

cveClient is an open-source browser-based CVE record management client developed by the CERT Coordination Center (CERT/CC). cveClient has a security vulnerability, which stems from the unprotected storage of API keys in the browser client, potentially leading to credential exposure...

CVSS 7.5, AI score 5.8, EPSS 0.00011
Exploits 0, References 2
NVD
added 2026/03/27 9:17 p.m., 0 views

CVE-2026-34046

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the readflow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTO_LOGIN setting to decide whether to filter by user_id. When AUTO_LOGIN was False, i.e., authentication was enable...

CVSS 8.8, EPSS 0.00052
Exploits 0, References 2
RedhatCVE
added 2026/03/26 3:02 p.m., 3 views

CVE-2026-32891

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the...

CVSS 9, AI score 6, EPSS 0.00025
Exploits 0, References 1
CVE
added 2026/03/18 3:15 p.m., 20 views

CVE-2026-33004

The CVE-2026-33004 issue affects Jenkins LoadNinja Plugin 2.1 and earlier. The vulnerability is that LoadNinja API keys displayed on the job configuration form are not masked, enabling potential observers to see and capture them. Affected component: LoadNinja API key display within the plugin con...

CVSS 4.3, AI score 5.8, EPSS 0.00041
Exploits 0, References 1, Affected Software 1
CVE
added 2026/03/10 9:57 p.m., 6 views

CVE-2026-31837

CVE-2026-31837 affects Istio prior to versions 1.29.1, 1.28.5, and 1.27.8. If the JWKS resolver becomes unavailable or a fetch fails, a user is exposed to hardcoded defaults regardless of the use of the RequestAuthentication resource. This can impact confidentiality and system behavior as default...

CVSS 8.7, AI score 5.8, EPSS 0.00072
Exploits 0, References 1, Affected Software 1
Vulnrichment
added 2026/03/07 4:35 p.m., 1 view

CVE-2026-30859 WeKnora: Broken Access Control - Cross-Tenant Data Exposure

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, mod...

CVSS 5.3, AI score 5.8, EPSS 0.00071
Exploits 0, References 1
CNVD
added 2026/03/06 12:00 a.m., 5 views

OpenClaw Information Disclosure Vulnerability (CNVD-2026-13370)

OpenClaw is an open-source intelligent assistant from OpenClaw. OpenClaw suffers from an information disclosure vulnerability. The vulnerability stems from the fact that skills.status may return raw parsed configuration values for the skills.config path via configChecks, which can be...

CVSS 5.3, AI score 5.8, EPSS 0.00014
Exploits 0, References 1
RedhatCVE
added 2026/02/17 1:27 p.m., 4 views

CVE-2026-2451

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name in the final email. This mechanism contained a security-relevant bug: it was possible to exfiltrate information...

CVSS 9, AI score 5.6, EPSS 0.00048
Exploits 0, References 1
Cvelist
added 2026/02/13 8:51 p.m., 27 views

CVE-2026-26333 Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs including EndeavorServer.rem and RemoteFileReceiver.rem and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An...

CVSS 10, EPSS 0.00262
Exploits 1, References 2
Positive Technologies
added 2026/01/27 12:00 a.m., 3 views

PT-2026-5007

Name of the Vulnerable Software and Affected Versions: OctoPrint versions up to and including 1.11.5. Description: OctoPrint, a web interface for controlling 3D printers, is affected by a timing attack that could allow an attacker with network access to extract API keys. The issue stems from the use...

CVSS 6, AI score 5.2, EPSS 0.00015
Exploits 0, References 12
Github Security Blog
added 2026/01/21 1:00 a.m., 11 views

Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation

A vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data, including Anthropic API keys, before users confirmed trust. If a user started Claude Code in an attacker-controlled repository, and the repository included a settings file that set ANTHROPIC_BASE_URL...

CVSS 7.5, AI score 5.6, EPSS 0.00033
Exploits 1, References 3, Affected Software 1
Tenable Nessus
added 2026/01/12 12:00 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2026-22251

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was...

CVSS 5.5, AI score 5.9, EPSS 0.00004
Exploits 0, References 3
NVD
added 2026/01/09 7:16 a.m., 4 views

CVE-2025-14574

The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the /wp-json/wp/v2/docs/settings REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API ke...

CVSS 5.3, EPSS 0.00014
Exploits 0, References 2
Cvelist
added 2026/01/07 1:23 p.m., 20 views

CVE-2025-15479 NGSurvey Enterprise 3.6.4 incorrect authorization exposes other users’ API keys and personal data

Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms on Windows and Linux servers allows authenticated remote users with survey creation or edit privileges to execute...

CVSS 5.1, EPSS 0.00026
Exploits 0, References 2
Vulnrichment
added 2026/01/07 1:23 p.m., 2 views

CVE-2025-15479 NGSurvey Enterprise 3.6.4 incorrect authorization exposes other users’ API keys and personal data

Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms on Windows and Linux servers allows authenticated remote users with survey creation or edit privileges to execute...

CVSS 5.1, AI score 5.9, EPSS 0.00026
Exploits 0, References 2