Lucene search
K

79 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:30 p.m.9 views

CVE-2026-42876

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populat...

4.9CVSS5.5AI score0.00214EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/20 2:6 p.m.11 views

Malicious code in @bcrumbs.net/bc-chat (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d4bd9ccff2d027c9982ab41ff4b4417e62475e70aba04212794f267030f63ab0 The exported BCChat React component embeds a hardcoded Azure Blob SAS URL https://bcuserres.blob.core.windows.net/anonymous with a long-lived SAS tok...

5.8AI score
Exploits0References1
NVD
NVD
added 2026/05/11 8:25 p.m.19 views

CVE-2026-42876

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populat...

4.9CVSS0.00214EPSS
Exploits0References3
CVE
CVE
added 2026/05/11 6:58 p.m.19 views

CVE-2026-42876

External Secrets Operator (ESO) vulnerability where a user with permission to create ExternalSecret resources can trigger creation of a Secret populated with a long‑lived token for a service account, enabling impersonation of that service account in the namespace. This privilege escalation is pos...

4.9CVSS5.8AI score0.00214EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/08 5:24 p.m.10 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via ExternalSecret resource handling for Service Account tokens. A user can impersonate service accounts by crafting ExternalSecret resources that cause the operator to create Secrets populated with long-lived...

6.9CVSS5.9AI score0.00214EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 5:24 p.m.8 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via ExternalSecret resource handling for Service Account tokens. A user can impersonate service accounts by crafting ExternalSecret resources that cause the operator to create Secrets populated with long-lived...

6.9CVSS5.9AI score0.00214EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/08 5:24 p.m.13 views

ExternalSecrets vulnerable to privilege escalation with secret overwriting

ExternalSecrets allows users to craft Service Account tokens for misconfigured Service Accounts in namespaces the users have access to. Impact A user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate wi...

4.9CVSS5.8AI score0.00214EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2026/03/29 3:30 p.m.5 views

EUVD-2026-17029

OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair endpoint and OpenClaw qr command. Attackers with access to leaked setup codes from chat history, logs, or screenshots can recover and reuse the shared gateway credential outsi...

8.6CVSS5.9AI score0.00246EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/29 12:44 p.m.1 views

CVE-2026-33575 OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes

OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair endpoint and OpenClaw qr command. Attackers with access to leaked setup codes from chat history, logs, or screenshots can recover and reuse the shared gateway credential outsi...

8.6CVSS5.9AI score0.00246EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/29 12:44 p.m.22 views

CVE-2026-33575 OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes

OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair endpoint and OpenClaw qr command. Attackers with access to leaked setup codes from chat history, logs, or screenshots can recover and reuse the shared gateway credential outsi...

8.6CVSS0.00246EPSS
Exploits0References2
OSV
OSV
added 2026/03/13 8:54 p.m.3 views

GHSA-7H7G-X2PX-94HJ OpenClaw: Pairing setup codes exposed long-lived shared gateway credentials instead of short-lived bootstrap tokens

Summary OpenClaw pairing setup codes generated by /pair and openclaw qr embedded the configured shared gateway token or password directly in the setup payload. Anyone who obtained that code from chat history, logs, screenshots, or copied QR payloads could recover the long-lived shared credential...

6.9CVSS5.9AI score
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/03/05 6:54 a.m.7 views

SUSE CVE-2025-70963

Gophish =0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user's long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...

7.6CVSS5.8AI score0.00267EPSS
Exploits1References3
The Hacker News
The Hacker News
added 2026/02/23 11:58 a.m.9 views

How Exposed Endpoints Increase Risk Across LLM Infrastructure

As more organizations run their own Large Language Models LLMs, they are also deploying more internal services and Application Programming Interfaces APIs to support those models. Modern security risks are being introduced less from the models themselves and more from the infrastructure that...

6.2AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/02/07 1:23 a.m.6 views

CVE-2025-70963

Gophish =0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...

7.6CVSS5.3AI score0.00267EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/02/06 6:30 p.m.8 views

Gophish is vulnerable to Incorrect Access Control

Gophish = 0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...

7.6CVSS5.4AI score0.00267EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/02/06 6:30 p.m.6 views

GHSA-9F8M-9547-2GQM Gophish is vulnerable to Incorrect Access Control

Gophish = 0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...

8.5CVSS5.4AI score0.00267EPSS
Exploits1References3
NVD
NVD
added 2026/02/06 6:15 p.m.13 views

CVE-2025-70963

Gophish =0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...

7.6CVSS0.00267EPSS
Exploits1References1
EUVD
EUVD
added 2026/02/06 12:0 a.m.7 views

EUVD-2025-206883

Gophish =0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...

7.6CVSS5.3AI score0.00267EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/02/06 12:0 a.m.4 views

CVE-2025-70963

Gophish =0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...

5.4AI score0.00267EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/02/06 12:0 a.m.7 views

PT-2026-6855

Gophish = 0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...

8.5CVSS5.5AI score0.00267EPSS
Exploits1References4
Rows per page
Query Builder