Search Results (1375 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-27774 6 Brocade, Debian, Haxx and 3 more 18 Fabric Operating System, Debian Linux, Curl and 15 more 2026-04-16 5.7 Medium
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
CVE-2026-27770 1 Epower 1 Epower.ie 2026-04-16 6.5 Medium
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-28714 3 Acronis, Linux, Microsoft 4 Acronis Cyber Protect 17, Cyber Protect, Linux Kernel and 1 more 2026-04-16 N/A
Unnecessary transmission of sensitive cryptographic material. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
CVE-2026-27027 1 Everon 1 Api.everon.io 2026-04-16 6.5 Medium
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-20733 1 Cloudcharge 1 Cloudcharge.se 2026-04-16 6.5 Medium
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-20435 6 Google, Linuxfoundation, Mediatek and 3 more 40 Android, Yocto, Mt2737 and 37 more 2026-04-16 4.6 Medium
In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118.
CVE-2026-27777 1 Mobiliti 1 E-mobi.hu 2026-04-16 6.5 Medium
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-35185 2 Haxtheweb, Psu 2 Hax, Haxiam 2026-04-16 7.5 High
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any unauthenticated user to monitor real-time user interactions and gather internal infrastructure information. This vulnerability is fixed in 25.0.0.
CVE-2005-3435 1 Archilles 1 Newsworld 2026-04-16 9.8 Critical
admin_news.php in Archilles Newsworld up to 1.3.0 allows attackers to bypass authentication by obtaining the password hash for another user, for example through another Newsworld vulnerability, and specifying the hash in the pwd argument.
CVE-1999-0013 1 Ssh 1 Ssh 2026-04-16 8.4 High
Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.
CVE-2000-0944 1 Cgi 1 Script Center News Update 2026-04-16 9.8 Critical
CGI Script Center News Update 1.1 does not properly validate the original news administration password during a password change operation, which allows remote attackers to modify the password without knowing the original password.
CVE-2026-25774 2 Ev.energy, Ev Energy 2 Ev.energy, Ev.energy 2026-04-15 6.5 Medium
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2025-6081 2026-04-15 6.8 Medium
Insufficiently Protected Credentials in LDAP in Konica Minolta bizhub 227 Multifunction printers version GCQ-Y3 or earlier allows an attacker can reconfigure the target device to use an external LDAP service controlled by the attacker. If an LDAP password is set on the target device, the attacker can force the target device to authenticate to the attacker controlled LDAP service. This will allow the attacker to capture the plaintext password of the configured LDAP service.
CVE-2024-33849 2026-04-15 6.5 Medium
ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a Hard-coded Cryptographic Key.
CVE-2025-23040 2026-04-15 6.6 Medium
GitHub Desktop is an open-source Electron-based GitHub app designed for git development. An attacker convincing a user to clone a repository directly or through a submodule can allow the attacker access to the user's credentials through the use of maliciously crafted remote URL. GitHub Desktop relies on Git to perform all network related operations (such as cloning, fetching, and pushing). When a user attempts to clone a repository GitHub Desktop will invoke `git clone` and when Git encounters a remote which requires authentication it will request the credentials for that remote host from GitHub Desktop using the git-credential protocol. Using a maliciously crafted URL it's possible to cause the credential request coming from Git to be misinterpreted by Github Desktop such that it will send credentials for a different host than the host that Git is currently communicating with thereby allowing for secret exfiltration. GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop could be improperly transmitted to an unrelated host. Users should update to GitHub Desktop 3.4.12 or greater which fixes this vulnerability. Users who suspect they may be affected should revoke any relevant credentials.
CVE-2024-49364 2026-04-15 N/A
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7.
CVE-2024-51240 1 Openwrt 1 Luci 2026-04-15 8 High
An issue in the luci-mod-rpc package in OpenWRT Luci LTS allows for privilege escalation from an admin account to root via the JSON-RPC-API, which is exposed by the luci-mod-rpc package
CVE-2025-54808 1 Nanoporetech 1 Minknow 2026-04-15 7.8 High
Oxford Nanopore Technologies' MinKNOW software at or prior to version 24.11 stores authentication tokens in a file located in the system's temporary directory (/tmp) on the host machine. This directory is typically world-readable, allowing any local user or application to access the token. If the token is leaked (e.g., via malware infection or other local exploit), and remote access is enabled, it can be used to establish unauthorized remote connections to the sequencer. Remote access must be enabled for remote exploitation to succeed. This may occur either because the user has enabled remote access for legitimate operational reasons or because malware with elevated privileges (e.g., sudo access) enables it without user consent. This vulnerability can be chained with remote access capabilities to generate a developer token from a remote device. Developer tokens can be created with arbitrary expiration dates, enabling persistent access to the sequencer and bypassing standard authentication mechanisms.
CVE-2024-29941 2026-04-15 8.0 High
Insecure storage of the ICT MIFARE and DESFire encryption keys in the firmware binary allows malicious actors to create credentials for any site code and card number that is using the default ICT encryption.
CVE-2025-13163 1 Digiwin 1 Easyflow Gp 2026-04-15 4.9 Medium
EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext database account credentials from the system frontend.