Total: 1269 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2908 | N/A | N/A | 2026-04-15 | N/A | N/A |
| The exposure of credentials in the call forwarding configuration module in MeetMe products in versions prior to 2024-09 allows an attacker to gain access to some important assets via configuration files. | |||||
| CVE-2025-54467 | N/A | N/A | 2026-04-15 | N/A | 5.3 MEDIUM |
| When a Java command with password parameters is executed and terminated by NeuVector for a Process rule violation, the password will appear in the NeuVector security event log. | |||||
| CVE-2024-0368 | 1 Wpmudev | 1 Hustle | 2026-04-08 | N/A | 8.6 HIGH |
| The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII. | |||||
| CVE-2026-29872 | 1 Theunwindai | 1 Awesome Llm Apps | 2026-04-06 | N/A | 8.2 HIGH |
| A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without proper session isolation. Because Streamlit serves multiple concurrent users from a single Python process, credentials provided by one user remain accessible to subsequent unauthenticated users. An attacker can exploit this issue to retrieve sensitive information such as GitHub Personal Access Tokens or LLM API keys, potentially leading to unauthorized access to private resources and financial abuse. | |||||
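The CVE-2026-29872 entry describes a pattern worth seeing concretely: a token written to `os.environ` belongs to the whole Python process, so every session served by that process can read it. The block below is an added illustration, not code from awesome-llm-apps or Streamlit; it simulates two users on separate threads, first with the process-wide store and then with a per-session store keyed by a session id (the role `st.session_state` plays in a real Streamlit app). The environment variable name `DEMO_GITHUB_TOKEN` and the token value are constructed for the demo.

```python
"""Process-wide vs per-session credential storage (added illustration)."""
import os
import threading
import uuid
from typing import Dict, Optional, Tuple

ENV_KEY = "DEMO_GITHUB_TOKEN"  # constructed name; not the affected app's variable


# Vulnerable pattern: the token is written to os.environ, which is shared by
# every request this Python process handles, whoever sent it.
def store_token_in_env(token: str) -> None:
    os.environ[ENV_KEY] = token


def read_token_from_env() -> Optional[str]:
    return os.environ.get(ENV_KEY)


# Hardened pattern: the token lives in a store keyed by the caller's own
# session id, so another session has nothing to read.
_session_store: Dict[str, Dict[str, str]] = {}
_store_lock = threading.Lock()


def store_token_in_session(session_id: str, token: str) -> None:
    with _store_lock:
        _session_store.setdefault(session_id, {})["github_token"] = token


def read_token_from_session(session_id: str) -> Optional[str]:
    with _store_lock:
        return _session_store.get(session_id, {}).get("github_token")


def simulate(use_env: bool) -> Tuple[Optional[str], Optional[str]]:
    """User A stores a token; user B (a different session, no token of their
    own) then reads. Returns (what A sees, what B sees)."""
    session_a, session_b = str(uuid.uuid4()), str(uuid.uuid4())
    token_a = "ghp_constructed_token_for_user_A"  # constructed sample value
    seen: Dict[str, Optional[str]] = {}

    def user_a() -> None:
        if use_env:
            store_token_in_env(token_a)
            seen["A"] = read_token_from_env()
        else:
            store_token_in_session(session_a, token_a)
            seen["A"] = read_token_from_session(session_a)

    def user_b() -> None:
        seen["B"] = read_token_from_env() if use_env else read_token_from_session(session_b)

    # Each "user" runs on its own thread inside the same process, as concurrent
    # Streamlit sessions do.
    for target in (user_a, user_b):
        t = threading.Thread(target=target)
        t.start()
        t.join()

    os.environ.pop(ENV_KEY, None)  # clean up so the demo is repeatable
    return seen["A"], seen["B"]


if __name__ == "__main__":
    print("os.environ   :", simulate(use_env=True))   # B sees A's token
    print("session store:", simulate(use_env=False))  # B sees nothing
```

In the environment-variable case the second session reads the first session's token without ever supplying one; in the session-keyed case it gets `None`. The same applies to any other process-global (module attributes, class attributes, a shared client object configured with the token).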
| CVE-2026-35467 | N/A | N/A | 2026-04-03 | N/A | 7.5 HIGH |
| The stored API keys in the temporary browser client are not marked as protected, allowing extraction of the encryption credentials via the JavaScript console or other errors. | |||||
| CVE-2026-4819 | 1 Search-guard | 1 Flx | 2026-04-03 | N/A | 4.9 MEDIUM |
| In Search Guard FLX versions from 1.0.0 up to 4.0.1, the audit logging feature might log user credentials from users logging into Kibana. | |||||
| CVE-2024-54471 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 5.5 MEDIUM |
| This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to leak a user's credentials. | |||||
| CVE-2026-23658 | 1 Microsoft | 1 Azure Devops | 2026-04-01 | N/A | 8.6 HIGH |
| Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2025-15617 | 1 Wazuh | 1 Wazuh | 2026-03-31 | N/A | 6.5 MEDIUM |
| Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags. | |||||
| CVE-2026-21670 | 1 Veeam | 1 Veeam Backup \& Replication | 2026-03-31 | N/A | 7.7 HIGH |
| A vulnerability allowing a low-privileged user to extract saved SSH credentials. | |||||
| CVE-2025-14790 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2026-03-30 | N/A | 6.5 MEDIUM |
| IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information due to insufficiently protected credentials. | |||||
| CVE-2026-33182 | 1 Saloon | 1 Saloon | 2026-03-30 | N/A | 7.5 HIGH |
| Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, when building the request URL, Saloon combined the connector's base URL with the request endpoint. If the endpoint was a valid absolute URL, the code used that URL as-is and ignored the base URL. The request—and any authentication headers, cookies, or tokens attached by the connector—was then sent to the attacker-controlled host. If the endpoint could be influenced by user input or configuration (e.g. redirect_uri, callback URL), this allowed server-side request forgery (SSRF) and/or credential leakage to a third-party host. The fix in version 4.0.0 is to reject absolute URLs in the endpoint: URLHelper::join() throws InvalidArgumentException when the endpoint is a valid absolute URL, unless explicitly allowed, requiring callers to opt-in to the functionality on a per-connector or per-request basis. | |||||
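The CVE-2026-33182 entry describes the general URL-building mistake: when the endpoint is already an absolute URL, a naive join silently replaces the base URL with it, and the connector's credentials follow the request to whatever host the endpoint names. The block below is an added example in Python (the Saloon library itself is PHP, and this is not its code); it shows the naive join beside a `join_url()` that rejects absolute endpoints unless the caller opts in, mirroring the fix the entry describes. It also rejects scheme-relative endpoints (`//host/path`), which `urljoin` would likewise resolve to a foreign host. All hostnames are constructed.

```python
"""Base-URL + endpoint joining: naive vs. absolute-URL-rejecting (added example)."""
from urllib.parse import urljoin, urlsplit


def vulnerable_join(base_url: str, endpoint: str) -> str:
    """Naive join: an absolute (or scheme-relative) endpoint wins over base_url."""
    return urljoin(base_url.rstrip("/") + "/", endpoint)


def is_absolute(endpoint: str) -> bool:
    """True for 'https://host/...' and also for '//host/...' (scheme-relative)."""
    parts = urlsplit(endpoint)
    return bool(parts.scheme) or bool(parts.netloc)


def join_url(base_url: str, endpoint: str, allow_absolute: bool = False) -> str:
    """Append endpoint to base_url. Absolute endpoints raise unless the caller
    explicitly opts in, so user-influenced values cannot redirect the request."""
    if is_absolute(endpoint):
        if not allow_absolute:
            raise ValueError(f"absolute endpoint URL rejected: {endpoint!r}")
        # Opted in: resolve against the base so '//host/x' gets the base scheme.
        return urljoin(base_url.rstrip("/") + "/", endpoint)
    # Relative endpoint: always stays under the connector's base URL.
    return urljoin(base_url.rstrip("/") + "/", endpoint.lstrip("/"))


if __name__ == "__main__":
    base = "https://api.example.com/v1"                 # constructed connector base
    hostile = "https://attacker.example/collect"         # constructed user-supplied endpoint
    print(vulnerable_join(base, hostile))                # request (and auth headers) go to attacker.example
    print(join_url(base, "users/me"))                    # https://api.example.com/v1/users/me
    try:
        join_url(base, hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The opt-in keeps the legitimate use (following an absolute `next` link from a paginated API, say) available while making it an explicit per-call decision rather than the default.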
| CVE-2026-33575 | 1 Openclaw | 1 Openclaw | 2026-03-30 | N/A | 7.5 HIGH |
| OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by the /pair endpoint and the OpenClaw qr command. Attackers with access to leaked setup codes from chat history, logs, or screenshots can recover and reuse the shared gateway credential outside the intended one-time pairing flow. | |||||
| CVE-2025-13478 | N/A | N/A | 2026-03-30 | N/A | N/A |
| Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling. This issue affects Identity Manager: 25.2(v4.10.1). | |||||
| CVE-2025-36440 | 1 Ibm | 1 Concert | 2026-03-26 | N/A | 5.1 MEDIUM |
| IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control. | |||||
| CVE-2026-32913 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 9.3 CRITICAL |
| OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intended for the original destination. | |||||
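The CVE-2026-32913 entry is the classic redirect-following mistake: a client that re-sends every request header on a redirect hands credentials to whatever origin the `Location` header points at. The block below is an added Python example, not OpenClaw's `fetchWithSsrFGuard` (which is a different code base); it implements a small redirect-following fetch over a pluggable transport and drops credential-bearing headers whenever the scheme, host or port of the next hop differs from the current one, while keeping them on same-origin hops. The transport, hostnames and header values are constructed so the example runs offline.

```python
"""Redirect following that strips credential headers on cross-origin hops (added example)."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# Headers that must never follow a redirect to a different origin.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key", "private-token"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# transport(url, headers) -> (status, response_headers, body)
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


def origin_of(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with default ports filled in, so that
    https://a.example and https://a.example:443 compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else (443 if scheme == "https" else 80)
    return scheme, (p.hostname or "").lower(), port


def headers_for_hop(current_url: str, next_url: str, headers: Dict[str, str], guard: bool) -> Dict[str, str]:
    """Headers to send on the next hop. With guard=False (the vulnerable
    behaviour) everything is forwarded; with guard=True sensitive headers are
    dropped as soon as the origin changes."""
    if not guard or origin_of(current_url) == origin_of(next_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def fetch_following_redirects(transport: Transport, url: str, headers: Dict[str, str],
                              guard: bool = True, max_redirects: int = 5) -> Tuple[int, bytes]:
    current_url, current_headers = url, dict(headers)
    for _ in range(max_redirects + 1):
        status, resp_headers, body = transport(current_url, current_headers)
        if status not in REDIRECT_STATUSES or "Location" not in resp_headers:
            return status, body
        next_url = urljoin(current_url, resp_headers["Location"])  # Location may be relative
        current_headers = headers_for_hop(current_url, next_url, current_headers, guard)
        current_url = next_url
    raise RuntimeError("too many redirects")


def constructed_transport(seen: List[Tuple[str, Dict[str, str]]]) -> Transport:
    """Fake network: /v1/repo -> same-origin /v1/repo/ -> cross-origin attacker host."""
    def transport(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
        seen.append((url, dict(headers)))
        p = urlsplit(url)
        if p.hostname == "api.example.com" and p.path == "/v1/repo":
            return 302, {"Location": "/v1/repo/"}, b""
        if p.hostname == "api.example.com" and p.path == "/v1/repo/":
            return 302, {"Location": "https://attacker.example/collect"}, b""
        return 200, {}, b"ok"
    return transport


def run_demo(guard: bool) -> Dict[str, Dict[str, str]]:
    """Returns the headers each host+path received, keyed by 'host/path'."""
    seen: List[Tuple[str, Dict[str, str]]] = []
    fetch_following_redirects(
        constructed_transport(seen),
        "https://api.example.com/v1/repo",
        {"X-Api-Key": "constructed-key", "Private-Token": "constructed-token", "Accept": "application/json"},
        guard=guard,
    )
    return {urlsplit(u).hostname + urlsplit(u).path: h for u, h in seen}


if __name__ == "__main__":
    for guard in (False, True):
        print("guard =", guard)
        for where, hdrs in run_demo(guard).items():
            print("  ", where, "->", sorted(hdrs))
```

Comparing full origins rather than just hostnames matters: a redirect from `https://api.example.com` to `http://api.example.com` is a downgrade to a different origin and should also lose the credentials.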
| CVE-2025-64998 | N/A | N/A | 2026-03-24 | N/A | N/A |
| Exposure of session signing secret in Checkmk <2.4.0p23, <2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies. | |||||
| CVE-2026-31926 | N/A | N/A | 2026-03-23 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-28204 | N/A | N/A | 2026-03-23 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-32633 | 1 Nicolargo | 1 Glances | 2026-03-19 | N/A | 9.1 CRITICAL |
| Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue. | |||||
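The CVE-2026-32633 entry names two distinct defects: the API returns the poller's live server objects rather than a sanitized copy, and those objects carry a `uri` with embedded userinfo. The block below is an added Python example, not Glances' own code, showing the response-shaping step a listing endpoint should do: deep-copy each record, strip any `user:password@` from the URI, and drop secret-bearing fields before serializing. The server records, field names (`uri`, `password`, `username`, `secret`) and credentials are constructed; Glances' actual field names may differ. It does not replace the other half of the fix, which is requiring authentication on the front instance.

```python
"""Scrubbing embedded credentials from a server list before returning it (added example)."""
import copy
from typing import Any, Dict, List
from urllib.parse import urlsplit, urlunsplit

# Assumed field names that should never reach an API consumer.
SECRET_FIELDS = ("password", "username", "secret")


def strip_userinfo(uri: str) -> str:
    """Return uri without any user:password@ component; other parts unchanged."""
    p = urlsplit(uri)
    if p.username is None and p.password is None:
        return uri
    host = p.hostname or ""
    if ":" in host:                       # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = f"{host}:{p.port}" if p.port is not None else host
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def public_server_view(servers: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Build the list an API may return. Works on copies so the poller's
    in-place-mutated objects are never handed out directly."""
    safe: List[Dict[str, Any]] = []
    for server in servers:
        record = copy.deepcopy(server)
        if isinstance(record.get("uri"), str):
            record["uri"] = strip_userinfo(record["uri"])
        for field in SECRET_FIELDS:
            record.pop(field, None)
        safe.append(record)
    return safe


# Constructed sample of what a poller might hold after contacting downstream servers.
CONSTRUCTED_SERVERS: List[Dict[str, Any]] = [
    {"name": "web01", "uri": "http://glances:s3cr3t-constructed@10.0.0.5:61208/api/4",
     "status": "ONLINE", "password": "s3cr3t-constructed"},
    {"name": "db01", "uri": "http://monitor:pw@[fd00::5]:61208/api/4", "status": "OFFLINE"},
    {"name": "cache01", "uri": "http://10.0.0.7:61208/api/4", "status": "ONLINE"},
]


if __name__ == "__main__":
    for rec in public_server_view(CONSTRUCTED_SERVERS):
        print(rec)
    print("poller copy untouched:", CONSTRUCTED_SERVERS[0]["uri"])
```

Returning a scrubbed copy also makes the endpoint's output stable, since the poller can keep mutating its own objects without those changes leaking into a response that is already being serialized.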
