Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the API response process. An attacker can access sensitive information about team member roles by invoking various team API endpoints without having elevated permissions. Remediation: Upgrade...
CVE-2026-45401
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validateurl function in backend/openwebui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream sync requests, async...
CVE-2025-52642 HCL AION is affected by an internal filesystem paths disclosure vulnerability
HCL AION is affected by a vulnerability where internal filesystem paths may be exposed through application responses or system behaviour. Exposure of internal paths may reveal environment structure details which could potentially aid in further targeted attacks or information disclosure...
CVE-2025-14483 IBM Sterling B2B Integrator and IBM Sterling File Gateway Information Disclosure
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.72, 6.2.0.0 through 6.2.0.51, 6.2.1.0 through 6.2.1.11, and 6.2.2.0 could disclose sensitive host information to authenticated users in responses that could be used in further attacks against the system...
EUVD-2026-10061
parse-server: Malformed $regex query leaks database error details in API response...
CVE-2025-13616 DataStage on Cloud Pak for Data is vulnerable to sensitive information leak due to HTTP response
IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks against the system...
CVE-2025-67874
ChurchCRM prior to version 6.5.0 echoes plaintext passwords in HTTP responses, enabling potential credential disclosure and amplification of other issues (e.g., XSS, IDOR, session fixation). Affected component is the application’s authentication/password handling before 6.5.0. Remediation: upgrad...
CVE-2025-67874 ChurchCRM has plaintext password return in response
ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other...
PT-2025-41823
Name of the Vulnerable Software and Affected Versions: gpp-burgerportaal versions prior to 2.0.3; gpp-burgerportaal versions prior to 3.0.2; gpp-burgerportaal versions prior to 4.0.1. Description: gpp-burgerportaal is a Dutch government citizen portal application. In affected versions, the name and...
EUVD-2010-2087
Malware in sbrugna...
CVE-2024-5213
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login POST /api/request-token and after account creations POST /api/admin/users/new. This exposure occurs because the entire User object,...
IBM Security ReaQta Security Vulnerability
IBM Security ReaQta is an AI autonomous detection and response platform from International Business Machines IBM. An information disclosure vulnerability exists in IBM Security ReaQta version 3.12, which stems from the return of sensitive information in an HTTP response, and can be exploited by a...
GHSA-VGJ7-895J-GPR6 Improper Removal of Sensitive Information Before Storage or Transfer in Strapi
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users from:users-permissions. There are many scenarios in whic...
CVE-2022-24983
Forms generated by JQueryForm.com before 2022-02-05 allow remote attackers to obtain the URI to any uploaded file by capturing the POST response. When chained with CVE-2022-24984, this could lead to unauthenticated remote code execution on the underlying web server. This occurs because the Unique...
CVE-2018-12710
An issue was discovered on D-Link DIR-601 2.02NA devices. Being local to the network and having only "User" account which is a low privilege account access, an attacker can intercept the response from a POST request to obtain "Admin" rights due to the admin password being displayed in XML...