EUVD-2026-34210

The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages...

CVE-2026-49191 Exposed Hard-coded M3WebServer Backend API Key

The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages...

CVE-2026-49191 Exposed Hard-coded M3WebServer Backend API Key

The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages...

CVE-2026-49191

The CVE-2026-49191 entry concerns the production build of the M3WebServer where backend API keys are hard-coded and can be intercepted via verbose error handling pages. According to the provided data, this results in a high-impact exposure affecting confidentiality, integrity, and availability (C...

PT-2026-46149

The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages...

Insertion of Sensitive Information into Log File

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the stderr output when verbose logging is enabled. An attacker can obtain sensitive cluster credentials by accessing the stderr stream, which may be exposed through CI job logs,...

CVE-2026-6720

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...

CVE-2026-6720

Calico component calicoctl is affected. When run with --log-level=info or --log-level=debug, it prints the full contents of its loaded connection-configuration struct to stderr in a single log line, exposing credentials (inline kubeconfig with bearer token, Kubernetes API bearer token, etcd passw...

EUVD-2026-32932

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...

CVE-2026-6720

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...

CVE-2026-6720 Calicoctl leaks cluster credentials to stderr when verbose logging is enabled

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...

CVE-2026-6720 Calicoctl leaks cluster credentials to stderr when verbose logging is enabled

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...

PT-2026-44417

Name of the Vulnerable Software and Affected Versions calicoctl affected versions not specified Description When the client is invoked with --log-level=info or --log-level=debug, it prints the full contents of its loaded connection-configuration struct to stderr in a single log line. This struct...

PT-2026-42674

Summary The request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins Slack, Discord, Mattermost, Teams because httpAgent / httpsAgent were passed as part of the request body rather than the axios config. An authenticated user with hook-creation permissio...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Move the cfglogverbose check before calling lpfcdmpdbg. In an attempt to log message 0126 using LOGTRACEEVENT, the following hard lock-up occurred, causing the system to hang. Call Trace: rawspinlockirqsave+0x32/0x40$...

Astra Linux - уязвимость в 389-ds-base

A flaw has been discovered in 389-ds-base versions 1.4.x.x prior to 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker who can view the screen or record the terminal’s standard error outpu...

CVE-2026-42871

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, atendido/familiardocfamiliar.php displays an overly descriptive error message, including database-related details. This verbosity leads to information disclosure, which could assist a potential attacker in mapping the...

CVE-2026-42871

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, atendido/familiardocfamiliar.php displays an overly descriptive error message, including database-related details. This verbosity leads to information disclosure, which could assist a potential attacker in mapping the...

CVE-2026-42873

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, uploading a file with malicious content via funcionarios/docdependente_upload.php returns an overly descriptive error message, causing information disclosure and expanding the attack surface. The vulnerability is fix...

CVE-2026-42871 WeGIA: Error Handling familiar_docfamiliar

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, atendido/familiardocfamiliar.php displays an overly descriptive error message, including database-related details. This verbosity leads to information disclosure, which could assist a potential attacker in mapping the...