11 matches found
CVE-2026-11820 Community.general: community.general nexmo — api credentials exposed in get url query string[security] community.general nexmo — api credentials exposed in get url query string
A flaw was found in the community.general Ansible collection's nexmo module. The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding API credentials apikey and apisecret into URL query parameters and sending them via GET requests. This causes credentials to be exposed in web...
CVE-2026-40945
Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This...
EUVD-2020-17758
Malware in sbrugna...
EUVD-2025-12581
Malicious code in bioql PyPI...
CVE-2025-53885 Directus doesn't redact sensitive user data when logging via event hooks
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template...
AWS VDP: Non-Production API Endpoints for the Forecast Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The Forecast service in Amazon Web Services AWS has four non-production API endpoints that can be accessed using standard IAM credentials, but do not log any activity to CloudTrail. This allows for silent permission enumeration, where an adversary can test the capabilities of compromised...
Security update for podman
This update for podman fixes the following issues: CVE-2024-6104: possible sensitive data exposure due to hashicorp/go-retryablehttp not sanitizing URLs when writing them to log files. bsc1227052 CVE-2023-45288: possible excessive CPU consumption due to no limit being set on the number of...
SUSE CVE-2017-1000401
The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, , supports form validation e.g. for API keys. The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations o...
CVE-2022-38756
A vulnerability has been identified in Micro Focus GroupWise Web in versions prior to 18.4.2. The GW Web component makes a request to the Post Office Agent that contains sensitive information in the query parameters that could be logged by any intervening HTTP proxies...
CVE-2022-2394
Puppet Bolt prior to version 3.24.0 will print sensitive parameters when planning a run resulting in them potentially being logged when run programmatically, such as via Puppet Enterprise...
socat: Format string vulnerability
Background socat is a multipurpose bidirectional relay, similar to netcat. Description socat contains a syslog based format string vulnerablility in the 'msg' function of 'error.c'. Exploitation of this bug is only possible when socat is run with the '-ly' option, causing it to log messages to...