ReportizFlow
Filtered by vendor
Subscriptions
Total
1364 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5922 | 1 Tsplus | 1 Tsplus Remote Access | 2026-04-15 | N/A |
| Access to TSplus Remote Access Admin Tool is restricted to administrators (unless "Disable UAC" option is enabled) and requires a PIN code. In versions below v18.40.6.17 the PIN's hash is stored in a system registry accessible to regular users, making it possible to perform a brute-force attack using rainbow tables, since the hash is not salted. LTS (Long-Term Support) versions also received patches in v17.2025.6.27 and v16.2025.6.27 releases. | ||||
| CVE-2024-35192 | 2026-04-15 | 5.5 Medium | ||
| Trivy is a security scanner. Prior to 0.51.2, if a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could result in the leakage of credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR). These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. Systems are not affected if the default credential provider chain is unable to obtain valid credentials. This vulnerability only applies when scanning container images directly from a registry. This vulnerability is fixed in 0.51.2. | ||||
| CVE-2023-49233 | 1 Visual Planning | 1 Admin Center | 2026-04-15 | 8.8 High |
| Insufficient access checks in Visual Planning Admin Center 8 before v.1 Build 240207 allow attackers in possession of a non-administrative Visual Planning account to utilize functions normally reserved for administrators. The affected functions allow attackers to obtain different types of configured credentials and potentially elevate their privileges to administrator level. | ||||
| CVE-2024-6749 | 2026-04-15 | 6.3 Medium | ||
| Seth Fogie, member of the AXIS Camera Station Pro Bug Bounty Program, has found that the Incident report feature may expose sensitive credentials on the AXIS Camera Station windows client. If Incident report is not being used with credentials configured this flaw does not apply. Axis has released patched versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | ||||
| CVE-2024-47142 | 2026-04-15 | N/A | ||
| AIPHONE IXG SYSTEM IXG-2C7 firmware Ver.2.03 and earlier and IXG-2C7-L firmware Ver.2.03 and earlier contain an issue with insufficiently protected credentials, which may allow a network-adjacent authenticated attacker to perform unintended operations. | ||||
| CVE-2025-55306 | 2026-04-15 | 9.8 Critical | ||
| GenX_FX is an advance IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API keys and authentication tokens may be exposed if environment variables are misconfigured. Unauthorized users could gain access to cloud resources (Google Cloud, Firebase, GitHub, etc.). | ||||
| CVE-2024-36127 | 2026-04-15 | 7.5 High | ||
| apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5. | ||||
| CVE-2024-28981 | 2026-04-15 | 8.5 High | ||
| Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.1.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when searching metadata injectable fields. | ||||
| CVE-2024-44754 | 2026-04-15 | 6.8 Medium | ||
| Cryptographic key extraction from internal flash in Minut M2 with firmware version #15142 allows physically proximate attackers to inject modified firmware into any other Minut M2 product via USB. | ||||
| CVE-2025-34062 | 2026-04-15 | N/A | ||
| An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token—which may be retrievable from host registry keys or improperly secured logs—can retrieve a plaintext response disclosing sensitive credentials. These may include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration. | ||||
| CVE-2026-23658 | 1 Microsoft | 2 Azure Devops, Azure Devops Msazure | 2026-04-14 | 8.6 High |
| Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2024-0368 | 1 Wpmudev | 1 Hustle | 2026-04-08 | 8.6 High |
| The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII. | ||||
| CVE-2024-7389 | 1 Incsub | 1 Forminator | 2026-04-08 | 7.5 High |
| The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information from plugin users using the HubSpot integration. | ||||
| CVE-2025-34078 | 1 Nsclient | 1 Nsclient\+\+ | 2026-04-07 | 7.8 High |
| A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API. This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions. | ||||
| CVE-2026-29872 | 2 Shubhamsaboo, Theunwindai | 2 Awesome-llm-apps, Awesome Llm Apps | 2026-04-07 | 8.2 High |
| A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without proper session isolation. Because Streamlit serves multiple concurrent users from a single Python process, credentials provided by one user remain accessible to subsequent unauthenticated users. An attacker can exploit this issue to retrieve sensitive information such as GitHub Personal Access Tokens or LLM API keys, potentially leading to unauthorized access to private resources and financial abuse. | ||||
| CVE-2026-4819 | 2 Floragunn, Search-guard | 2 Search Guard Flx, Flx | 2026-04-04 | 4.9 Medium |
| In Search Guard FLX versions from 1.0.0 up to 4.0.1, the audit logging feature might log user credentials from users logging into Kibana. | ||||
| CVE-2026-35467 | 1 Cert/cc | 1 Cveclient/encrypt-storage.js | 2026-04-04 | 7.5 High |
| The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials. | ||||
| CVE-2024-54471 | 1 Apple | 1 Macos | 2026-04-02 | 5.5 Medium |
| This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to leak a user's credentials. | ||||
| CVE-2026-21670 | 1 Veeam | 2 Backup And Replication, Veeam Backup \& Replication | 2026-04-02 | 7.7 High |
| A vulnerability allowing a low-privileged user to extract saved SSH credentials. | ||||
| CVE-2025-15617 | 1 Wazuh | 1 Wazuh | 2026-03-31 | 6.5 Medium |
| Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags. | ||||