24 matches found

RedhatCVE
added 5 days ago, 8 views

CVE-2026-45296

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several appapikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...

7.7 CVSS, 5.8 AI score, 0.00032 EPSS
Exploits: 0, References: 1

ATTACKERKB
added 2026/05/28 4:51 p.m., 8 views

CVE-2026-45296

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several appapikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...

7.7 CVSS, 5.8 AI score, 0.00032 EPSS
Exploits: 0, References: 2, Affected Software: 1

EUVD
added 2026/05/28 4:51 p.m., 5 views

EUVD-2026-32971

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several appapikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...

7.7 CVSS, 5.8 AI score, 0.00032 EPSS
Exploits: 0, References: 1

Positive Technologies
added 2026/05/28 12:00 a.m., 5 views

PT-2026-44457

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...

7.7 CVSS, 5.8 AI score, 0.00032 EPSS
Exploits: 0, References: 2

Github Security Blog
added 2026/05/18 5:34 p.m., 10 views

Sulu: Used API Keys may be available via Admin API

Impact The users endpoint controller exposes a project's apiKey field to the logged-in user, provided they have permission for that endpoint. This only has impact if a project itself uses that specific field, Sulu itself does nothing with it and has no authentication per apiKey in its core. Patch...

5.8 AI score
Exploits: 0, References: 4, Affected Software: 1

EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2019-10952

Malware in sbrugna...

5.3 CVSS, 5.6 AI score, 0.00436 EPSS
Exploits: 0, References: 2

RedhatCVE
added 2025/05/22 7:24 p.m., 4 views

CVE-2021-25057

The Translation Exchange WordPress plugin through 1.0.14 was vulnerable to Authenticated Stored Cross-Site Scripting XSS within the Project Key text field found in the plugin's settings...

5.4 CVSS, 5.6 AI score, 0.00208 EPSS
Exploits: 2, References: 1

Talos Blog
added 2024/08/01 6:00 p.m., 28 views

There is no real fix to the security issues recently found in GitHub and other similar software

A recently discovered security issue in GitHub and other, similar, control system products seems to fit into the classic "it's a feature, not a bug" category. Security researchers last week published their findings into some research of how deleted forks in GitHub work, potentially leaving the door...

8.8 CVSS, 7.5 AI score, 0.91514 EPSS
Exploits: 6

Atlassian
added 2023/09/11 5:51 a.m., 20 views

QueryCompenentRenderer API returns project key

When an unauthenticated remote attacker accesses "/secure/QueryComponentRendererValue!Default.jspa?pid=10000", the project key is returned: code:java "project":"name":"Project","viewHtml":" \n \n Project:\n \n Project id=10,000 \n","editHtml":"\n","jql":"project =...

7 AI score
Exploits: 0, Affected Software: 1

Tenable Nessus
added 2023/03/08 12:00 a.m., 9 views

Atlassian Jira < 7.13.17 Project Key Enumeration

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 7.13.17, 7.14.x prior to 8.5.8 or 8.6.x prior to 8.12.0. It is, therefore, affected by a vulnerability that permits remote attackers to enumerate project keys via an Informati...

7.5 CVSS, 7.2 AI score, 0.00576 EPSS
Exploits: 0, References: 2

Tenable Nessus
added 2023/03/08 12:00 a.m., 6 views

Atlassian Jira 7.14.0 < 8.5.8 Project Key Enumeration

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 7.13.17, 7.14.x prior to 8.5.8 or 8.6.x prior to 8.12.0. It is, therefore, affected by a vulnerability that permits remote attackers to enumerate project keys via an Informati...

7.5 CVSS, 7.2 AI score, 0.00576 EPSS
Exploits: 0, References: 2

Tenable Nessus
added 2023/03/08 12:00 a.m., 7 views

Atlassian Jira 8.6.0 < 8.12.0 Project Key Enumeration

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 7.13.17, 7.14.x prior to 8.5.8 or 8.6.x prior to 8.12.0. It is, therefore, affected by a vulnerability that permits remote attackers to enumerate project keys via an Informati...

7.5 CVSS, 7.2 AI score, 0.00576 EPSS
Exploits: 0, References: 2

OSV
added 2022/02/21 11:15 a.m., 0 views

CVE-2021-25057

The Translation Exchange WordPress plugin through 1.0.14 was vulnerable to Authenticated Stored Cross-Site Scripting XSS within the Project Key text field found in the plugin's settings...

5.4 CVSS, 5.8 AI score
Exploits: 0, References: 1

WPVulnDB
added 2022/01/18 12:00 a.m., 17 views

Translation Exchange <= 1.0.14 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin was vulnerable to Authenticated Stored Cross-Site Scripting XSS within the Project Key text field found in the plugin's settings. PoC 1. Click on Use on translation exchange connector 2. In Basic Settings,insert following payload in Project Key text field. " 3. Click Save Changes...

5.4 CVSS, 1.5 AI score, 0.00208 EPSS
Exploits: 2, Affected Software: 1

CNNVD
added 2021/03/22 12:00 a.m., 1 view

Atlassian JIRA Data Center Injection Vulnerability

Atlassian JIRA Server and Atlassian JIRA Data Center are both products of Atlassian Australia. Atlassian JIRA Server is a server version of a defect tracking management system. Atlassian JIRA Data Center is the data center version of Atlassian JIRA, which is an information disclosure vulnerability...

5.3 CVSS, 5.7 AI score, 0.01154 EPSS
Exploits: 0, References: 2

NVD
added 2020/06/29 6:15 a.m., 12 views

CVE-2019-20412

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types;...

5.3 CVSS, 0.00312 EPSS
Exploits: 0, References: 1

Prion
added 2020/06/29 6:15 a.m., 18 views

Authentication flaw

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types;...

5 CVSS, 5.3 AI score, 0.00312 EPSS
Exploits: 0, References: 1, Affected Software: 4

Cvelist
added 2020/06/29 5:50 a.m., 18 views

CVE-2019-20412

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types;...

5.3 AI score, 0.00312 EPSS
Exploits: 0, References: 1

Tenable Nessus
added 2020/04/06 12:00 a.m., 29 views

Atlassian Jira 7.13 < 8.5.5 Jira Project Key Information Disclosure (JRASERVER-70565)

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is version 7.13.x prior to 8.5.5. It is, therefore, affected by an information disclosure vulnerability. An unauthenticated, remote attacker can exploit this, to determine if a Jira proje...

5.3 CVSS, 5.8 AI score, 0.00436 EPSS
Exploits: 0, References: 2

OSV
added 2020/02/06 3:15 a.m., 0 views

CVE-2019-20403

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability...

5.3 CVSS, 6.1 AI score
Exploits: 0, References: 1