Malicious code in massive (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02d8dea3e47a2bd45fc796f33fc582956aec2be887add9672fd5eccc91c2135d Package self-describes as the 'Official Massive formerly Polygon.io REST and Websocket client,' a false rebrand claim — Polygon.io has not changed...

PT-2026-42527

Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile login.inc.php by setting CURLOPT SSL VERIFYPEER to false and not setting CURLOPT SSL VERIFYHOST when issuing outbound HTTPS requests for outbound HTTPS requests issued during the mobile RouteMate login flow. A...

CVE-2025-15609

The CVE-2025-15609 entry concerns the Fortis for WooCommerce WordPress plugin prior to version 1.3.1. The vulnerability allows unauthenticated attackers to leak sensitive API keys and query Fortis’ API, enabling retrieval of sensitive customer data (e.g., past orders and PII). The available sourc...

CVE-2026-4663

...

PT-2026-34194

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys...

cveClient 安全漏洞

cveClient is an open-source browser-based CVE record management client developed by the CERT Coordination Center CERT/CC. cveClient has a security vulnerability, which stems from the unprotected storage of API keys in the browser client, potentially leading to credential exposure...

CVE-2026-34046

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the readflow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTOLOGIN setting to decide whether to filter by userid. When AUTOLOGIN was False i.e., authentication was enable...

CVE-2026-32891

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the...

CVE-2026-33004

The CVE-2026-33004 issue affects Jenkins LoadNinja Plugin 2.1 and earlier. The vulnerability is that LoadNinja API keys displayed on the job configuration form are not masked, enabling potential observers to see and capture them. Affected component: LoadNinja API key display within the plugin con...

CVE-2026-31837

CVE-2026-31837 affects Istio prior to versions 1.29.1, 1.28.5, and 1.27.8. If the JWKS resolver becomes unavailable or a fetch fails, a user is exposed to hardcoded defaults regardless of the use of the RequestAuthentication resource. This can impact confidentiality and system behavior as default...

CVE-2026-30859 WeKnora: Broken Access Control - Cross-Tenant Data Exposure

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, mod...

OpenClaw Information Disclosure Vulnerability (CNVD-2026-13370)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an information disclosure vulnerability. The vulnerability stems from the fact that skills.status may return raw parsed configuration values for the skills.config path via configChecks, which can be...

CVE-2026-2451

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information...

CVE-2026-26333 Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs including EndeavorServer.rem and RemoteFileReceiver.rem and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An...

PT-2026-5007

Name of the Vulnerable Software and Affected Versions OctoPrint versions up to and including 1.11.5 Description OctoPrint, a web interface for controlling 3D printers, is affected by a timing attack that could allow an attacker with network access to extract API keys. The issue stems from the use...

Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation

A vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPICBASEURL...

Linux Distros Unpatched Vulnerability : CVE-2026-22251

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was...

CVE-2025-14574

The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the /wp-json/wp/v2/docs/settings REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API ke...

CVE-2025-15479 NGSurvey Enterprise 3.6.4 incorrect authorization exposes other users’ API keys and personal data

Stored cross-site scripting XSS, CWE-79 in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms on Windows and Linux servers allows authenticated remote users with survey creation or edit privileges to execute...

CVE-2025-15479 NGSurvey Enterprise 3.6.4 incorrect authorization exposes other users’ API keys and personal data

Stored cross-site scripting XSS, CWE-79 in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms on Windows and Linux servers allows authenticated remote users with survey creation or edit privileges to execute...