46 matches found
PT-2026-55450
Name of the Vulnerable Software and Affected Versions dragonfly versions prior to 2.4.4 Description The Dragonfly Manager fails to enforce authentication on specific API endpoints, allowing unauthenticated network-reachable attackers to retrieve sensitive OAuth client secrets. The issue occurs...
New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets
Two security teams have shown, in separate research published this week, that OpenClaw, the popular self-hosted AI agent, can be driven to run attacker-controlled code or hand over sensitive data through ordinary-looking inputs. Imperva buried instructions inside shared contacts, vCards, and...
CVE-2026-44653
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only VIEW access to an MCP server can retrieve the server's decrypted admin-managed secrets through GET /api/mcp/servers and GET /api/mcp/servers/:serverName. The returned...
CVE-2026-44460
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totpsetup.php is callable from a session that has only passed the password check state pendingloginuser. When the target account already has TOTP configured, the endpoint...
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded JSON, NOT encrypted. Any party who could observe a minted token CI build logs, container env dumps...
CVE-2025-41762 Secret leak with wwwdnload.cgi
An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates...
CVE-2026-26326
CVE-2026-26326 affects the OpenClaw OpenClaw AI assistant. Before version 2026.2.14, the function skills.status could disclose secrets to operator.read clients by returning raw resolved config values in configChecks for requires.config paths. The fix in 2026.2.14 stops including raw resolved conf...
CVE-2025-14844
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcpstripecreatesetupintentforsavedcard' function due to missing capability check. Additionally, the plugin does not check a user-controlled...
EUVD-2023-43431
Malicious code in bioql PyPI...
EUVD-2023-43439
Malicious code in bioql PyPI...
EUVD-2023-43433
Malicious code in bioql PyPI...
EUVD-2023-43434
Malicious code in bioql PyPI...
EUVD-2023-43432
Malicious code in bioql PyPI...
EUVD-2023-43436
Malicious code in bioql PyPI...
CVE-2025-25209 Rhcl: sharedsecretref can be used to leak secrets severity
The AuthPolicy metadata on Red Hat Connectivity Link contains an object which stores secretes, however it assumes those secretes are already in the kuadrant-system instead of copying it to the referred namespace. This creates space for a malicious actor with a developer persona access to leak tho...
CVE-2024-53253
Sentry is an error tracking and performance monitoring platform. Version 24.11.0, and only version 24.11.0, is vulnerable to a scenario where a specific error message generated by the Sentry platform could include a plaintext Client ID and Client Secret for an application integration. The Client ...
CVE-2024-37283
An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs...
CVE-2023-39734
The leakage of the client secret in VISION MEAT WORKS TrackDiner10/10mc Line v13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages...
Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.10.1.5)
The version of AOS installed on the remote host is prior to 6.10.1.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.10.1.5 advisory. - virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic templa...
GO-2023-2049 Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd
Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd...