33 matches found
EUVD-2026-39654
In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible...
CVE-2026-57922
In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible...
CVE-2026-57922
CVE-2026-57922 affects JetBrains YouTrack prior to version 2026.2.16593, where project settings could be disclosed via MCP. The vulnerability is described as a disclosure of project settings, with no exploitation details provided. The documents imply a fix in version 2026.2.16593, but do not prov...
CVE-2026-57922
In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible...
PT-2026-52702
Name of the Vulnerable Software and Affected Versions JetBrains YouTrack versions prior to 2026.2.16593 Description An issue exists that allows the disclosure of project settings via the MCP. Recommendations Update to version 2026.2.16593...
EUVD-2026-34831
Lyrion Music Server 9.2.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through media file metadata tags like GENRE, ARTIST, and ALBUM. Attackers can craft files with XSS payloads in metadata tags that execute in the web interface when user...
CVE-2026-50232
Lyrion Music Server 9.2.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through media file metadata tags like GENRE, ARTIST, and ALBUM. Attackers can craft files with XSS payloads in metadata tags that execute in the web interface when user...
CVE-2026-7552 Geo Mashup <= 1.13.19 - Missing Authorization to Unauthenticated Plugin Settings Disclosure via 'geo_mashup_content' Parameter
The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to expose sensitive plugin...
WordPress Geo Mashup plugin <= 1.13.19 - Missing Authorization to Unauthenticated Plugin Settings Disclosure vulnerability
Missing Authorization to Unauthenticated Plugin Settings Disclosure vulnerability discovered by t0ann9uy3n in WordPress Plugin Geo Mashup versions = 1.13.19...
GHSA-7JRR-XW9C-MJ39 Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
Summary An authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret query parameter, causing the request to be treated as authenticated via the...
Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
An authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret query parameter, causing the request to be treated as authenticated via the...
CVE-2026-42220 nginx-ui: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret...
CVE-2026-42220 nginx-ui: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret...
CVE-2026-42220
Nginx UI (nginx-ui) prior to version 2.3.8 exposes a vulnerability where an authenticated user can call GET /api/settings to retrieve sensitive values, including node.secret. The node.secret is accepted by AuthRequired() via the X-Node-Secret header (or node_secret query parameter), allowing the ...
WordPress WP Social Ninja plugin <= 4.0.1 - Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification vulnerability
Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification vulnerability discovered by shark3y in WordPress Plugin WP Social Ninja versions = 4.0.1...
CVE-2024-58277
CVE-2024-58277 affects the R Radio Network FM Transmitter v1.07, where an unauthenticated actor can access the admin password via the system.cgi endpoint, enabling authentication bypass and FM station setup access. Public sources (Zero Science Lab) describe an improper access control allowing dis...
CVE-2025-54533
In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via VCS configuration...
CVE-2025-54532
In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via snapshot dependencies...
CVE-2025-54533
In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via VCS configuration...
CVE-2025-54533
In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via VCS configuration...