22 matches found
MAL-2026-5596 Malicious code in 0x2ai-demo8x (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f6d1ce2d7b8faa5bde122eb2bc6e0a79fec5f5720cfa7de0718a0c8948b344d6 On npm install, scripts/postinstall.cjs copies the package's payload/ tree into INITCWD the consumer's project root using fs.cpSync,...
CVE-2026-45021
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
Malicious code in @kmmao/happy-coder (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c4478b22a21a87a37250e86ef25639330f79b779e5793f642eaf7ddaafd975d4 This package is a near-verbatim fork of the upstream happy-coder/happy-cli references to slopus/happy-cli and happy.engineering are retained througho...
CVE-2025-15609
The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc...
GPUBreach: Privilege Escalation Attacks on GPUs Using Rowhammer
NVIDIA GPUs with GDDR memories have been shown susceptible to Rowhammer-based bit-flips, similar to CPUs. However, Rowhammer exploits on GPUs have been limited to injecting untargeted bit-flips in victim data like weights of machine learning models, to degrade model accuracy, unlike CPU exploits...
Aiven Operator 安全漏洞
Aiven Operator is an open-source Kubernetes cluster management service developed by Aiven. Versions of Aiven Operator from 0.31.0 to 0.37.0 contained a security vulnerability. This vulnerability stemmed from the operator trusting the namespace values provided by users without verification. As a...
LiveCode 代码注入漏洞
LiveCode is a multi-platform programming tool developed by the LiveCode team. It can run on iOS, Android, OS X, Windows 95 through Windows 10, Raspberry Pi, and various Unix variants including Linux, Solaris, and BSD. LiveCode has a code injection vulnerability. This vulnerability stems from the...
USN-7981-1 wlc vulnerabilities
It was discovered that wlc did not correctly handle SSL verification. An attacker could possibly use this issue to access sensitive resources. CVE-2026-22250 It was discovered that wlc did not correctly handle API keys. An attacker could possibly use this issue to leak API keys to a malicious...
CVE-2025-68696
httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd...
httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage
Summary There may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. Details When httparty receives a path argument that is an absolute URL, it ignores the baseuri field. As a result, if ...
PT-2025-39877
Name of the Vulnerable Software and Affected Versions ThriveX Blogging Framework versions 2.5.9 through 3.1.3 Description An issue exists in the AssistantController.java file that allows unauthenticated attackers to obtain sensitive information, such as API Keys. The /api/assistant/list API...
Linux Distros Unpatched Vulnerability : CVE-2021-24116
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM file decoding allows system-level administrator attackers to obtain information about secre...
CVE-2025-55165 Autocaliweb Exposure of Sensitive Information to an Unauthorized Actor in `config_sql.py`
Autocaliweb is a web app that offers an interface for browsing, reading, and downloading eBooks using a valid Calibre database. Prior to version 0.8.3, the debug pack generated by Autocaliweb can expose sensitive configuration data, including API keys. This occurs because the todict method, used ...
grpc: client communicating with a HTTP/2 proxy can poison the HPACK table between the proxy and the backend
A flaw was found in Google gRPC due to HPACK table poisoning between the proxy and backend so that other clients see failed requests, resulting in a denial of service. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent...
DEBIAN-CVE-2024-7246
It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values. This occurs because the...
GHSA-2RCP-JVR4-R259 Tauri's Updater Private Keys Possibly Leaked via Vite Environment Variables
Impact This advisory is not describing a vulnerability in the Tauri code base itself but a commonly used misconfiguration which could lead to leaking of the private key and updater key password into bundled Tauri applications using the Vite frontend in a specific configuration. The Tauri...
MAL-2022-1826 Malicious code in capitain-title (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6a75b2ce6eaabce715f2a5a587ac91d0a395294ce7647cf6d0d1eb2d6e088a89 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SUSE SLES11 Security Update : mozilla-nspr, mozilla-nss (SUSE-SU-2020:14418-1)
The remote SUSE Linux SLES11 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2020:14418-1 advisory. - A vulnerability exists where it possible to force Network Security Services NSS to sign CertificateVerify with PKCS1 v1.5 signatures when...
CVE-2020-1026
A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library’s Elliptic Curve Cryptography ECC implementation.An attacker could potentially abuse these bugs to learn information about a server’s private ECC key a key...
CVE-2018-11976
ECDSA signature code leaks private keys from secure world to non-secure world in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice &...