9 matches found
CVE-2026-25118
immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within t...
CVE-2025-58584
In the HTTP request, the username and password are transferred directly in the URL as parameters. However, URLs can be stored in various systems such as server logs, browser histories or proxy servers. As a result, there is a high risk that this sensitive data will be disclosed unintentionally...
CVE-2025-58584 Plain Text Transmission of Username and Password in the URL
In the HTTP request, the username and password are transferred directly in the URL as parameters. However, URLs can be stored in various systems such as server logs, browser histories or proxy servers. As a result, there is a high risk that this sensitive data will be disclosed unintentionally...
CVE-2025-27662
CVE-2025-27662 affects Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 and Application 20.0.1923, where passwords can be exposed in URLs (OVE-20230524-0005). Root cause: insecure handling of credentials in URL. The CVSSv3.1 baseline is 9.8 (Network, Single, No user int...
CVE-2025-27662
Vasion Print formerly PrinterLogic before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Password in URL OVE-20230524-0005...
GHSA-93F3-23RQ-PJFP npm CLI exposing sensitive information through logs
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like ://:@::/. The password value is not redacted and is printed to stdout and also to any generated log files...
DEBIAN-CVE-2009-2945
weblogin/login.fcgi aka the WebLogin login script in Stanford University WebAuth 3.5.5, 3.6.0, and 3.6.1 places passwords in URLs in certain circumstances involving conversion of a POST request to a GET request, which allows context-dependent attackers to discover passwords by reading 1 web-serve...
CVE-2005-2462
Kayako liveResponse 2.x, when logging in a user, records the password in plaintext in the URL, which allows local users and possibly remote attackers to gain privileges...
CVE-2005-1565
Bugzilla 2.17.1 through 2.18, 2.19.1, and 2.19.2, when a user is prompted to log in while attempting to view a chart, displays the password in the URL, which may allow local users to gain sensitive information from web logs or browser history...