Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-13437

Summary
Assigner-DEVOLUTIONS
Assigner Org ID-bfee16bd-18e6-446c-9a65-f5b2e3d89c23
Published At-29 Jun, 2026 | 15:23
Updated At-29 Jun, 2026 | 16:25
Rejected At-
Credits

Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:DEVOLUTIONS
Assigner Org ID:bfee16bd-18e6-446c-9a65-f5b2e3d89c23
Published At:29 Jun, 2026 | 15:23
Updated At:29 Jun, 2026 | 16:25
Rejected At:
▼CVE Numbering Authority (CNA)

Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.

Affected Products
Vendor
DevolutionsDevolutions
Product
PowerShell Universal
Default Status
unaffected
Versions
Affected
  • 2026.2.0 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-201CWE-201 Insertion of Sensitive Information Into Sent Data
Type: CWE
CWE ID: CWE-201
Description: CWE-201 Insertion of Sensitive Information Into Sent Data
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://devolutions.net/security/advisories/DEVO-2026-0022/
N/A
Hyperlink: https://devolutions.net/security/advisories/DEVO-2026-0022/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@devolutions.net
Published At:29 Jun, 2026 | 16:16
Updated At:02 Jul, 2026 | 15:09

Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
N/A
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Devolutions
devolutions
>>powershell_universal>>2026.2.0.0
cpe:2.3:a:devolutions:powershell_universal:2026.2.0.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-201Secondarysecurity@devolutions.net
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE ID: CWE-201
Type: Secondary
Source: security@devolutions.net
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://devolutions.net/security/advisories/DEVO-2026-0022/security@devolutions.net
Vendor Advisory
Hyperlink: https://devolutions.net/security/advisories/DEVO-2026-0022/
Source: security@devolutions.net
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

85Records found

CVE-2026-4927
Matching Score-10
Assigner-Devolutions Inc.
ShareView Details
Matching Score-10
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 12.95%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 14:54
Updated-03 Apr, 2026 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2023-4417
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.45% / 35.89%
||
7 Day CHG~0.00%
Published-21 Aug, 2023 | 18:38
Updated-04 Oct, 2024 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access controls in the entry duplication component in Devolutions Remote Desktop Manager 2023.2.19 and earlier versions on Windows allows an authenticated user, under specific circumstances, to inadvertently share their personal vault entry with shared vaults via an incorrect vault in the duplication write process.

Action-Not Available
Vendor-Microsoft CorporationDevolutions
Product-windowsremote_desktop_managerRemote Desktop Manager
CVE-2026-6706
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 10.09%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 13:11
Updated-04 May, 2026 | 13:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-862
Missing Authorization
CVE-2025-2278
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.42% / 33.84%
||
7 Day CHG~0.00%
Published-13 Mar, 2025 | 12:56
Updated-28 Mar, 2025 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-284
Improper Access Control
CVE-2025-1635
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.58% / 72.59%
||
7 Day CHG~0.00%
Published-13 Mar, 2025 | 12:47
Updated-28 Mar, 2025 | 16:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Exposure of sensitive information in hub data source export feature in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows a user exporting a hub data source to include his authenticated session in the export due to faulty business logic.

Action-Not Available
Vendor-Devolutions
Product-remote_desktop_managerRemote Desktop Manager
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-1636
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.58% / 72.59%
||
7 Day CHG~0.00%
Published-13 Mar, 2025 | 12:47
Updated-28 Mar, 2025 | 16:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Exposure of sensitive information in My Personal Credentials password history component in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows an authenticated user to inadvertently leak the My Personal Credentials in a shared vault via the clear history feature due to faulty business logic.

Action-Not Available
Vendor-Devolutions
Product-remote_desktop_managerRemote Desktop Manager
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-13683
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.35% / 26.54%
||
7 Day CHG+0.01%
Published-28 Nov, 2025 | 17:00
Updated-18 Dec, 2025 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows.This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0.

Action-Not Available
Vendor-Devolutions
Product-remote_desktop_managerdevolutions_serverServerRemote Desktop Manager
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-3277
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.16% / 5.63%
||
7 Day CHG~0.00%
Published-27 Feb, 2026 | 15:11
Updated-30 Mar, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The OpenID Connect (OIDC) authentication configuration in PowerShell Universal before 2026.1.3 stores the OIDC client secret in cleartext in the .universal/authentication.ps1 script, which allows an attacker with read access to that file to obtain the OIDC client credentials

Action-Not Available
Vendor-ironmansoftwareDevolutions
Product-powershell_universalPowerShell Universal
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2026-3131
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.30% / 21.77%
||
7 Day CHG~0.00%
Published-24 Feb, 2026 | 19:01
Updated-26 Feb, 2026 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in multiple DVLS REST API endpoints in Devolutions Server 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-12808
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.36% / 27.89%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 16:36
Updated-10 Nov, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure. This issue affects the following versions : * Devolutions Server 2025.3.2.0 through 2025.3.5.0 * Devolutions Server 2025.2.15.0 and earlier

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-284
Improper Access Control
CVE-2023-6588
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.59% / 43.84%
||
7 Day CHG~0.00%
Published-07 Dec, 2023 | 15:59
Updated-02 Aug, 2024 | 08:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Offline mode is always enabled, even if permission disallows it, in Devolutions Server data source in Devolutions Workspace 2023.3.2.0 and earlier. This allows an attacker with access to the Workspace application to access credentials when offline.

Action-Not Available
Vendor-Devolutions
Product-workspaceWorkspace
CVE-2023-1201
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.81% / 52.37%
||
7 Day CHG~0.00%
Published-06 Mar, 2023 | 17:15
Updated-06 Mar, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the secure messages feature in Devolutions Server 2022.3.12 and below allows an authenticated attacker that possesses the message UUID to access the data it contains.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverDevolutions Server
CVE-2023-1203
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.06% / 60.27%
||
7 Day CHG~0.00%
Published-06 Mar, 2023 | 16:38
Updated-06 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper removal of sensitive data in the entry edit feature of Hub Business submodule in Devolutions Remote Desktop Manager PowerShell Module 2022.3.1.5 and earlier allows an authenticated user to access sensitive data on entries that were edited using the affected submodule.

Action-Not Available
Vendor-Devolutions
Product-remote_desktop_managerRemote Desktop Manager PowerShell Module
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-0952
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.66% / 47.02%
||
7 Day CHG~0.00%
Published-22 Feb, 2023 | 13:51
Updated-17 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access controls on entries in Devolutions Server 2022.3.12 and earlier could allow an authenticated user to access sensitive data without proper authorization.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverDevolutions Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-0661
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.74% / 50.08%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 15:48
Updated-03 Dec, 2025 | 15:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in Devolutions Server allows an authenticated user to access unauthorized sensitive data.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverDevolutions Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-12105
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 10.11%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 18:28
Updated-18 Jun, 2026 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverDevolutions Server
CWE ID-CWE-862
Missing Authorization
CVE-2026-10786
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 4.43%
||
7 Day CHG~0.00%
Published-08 Jun, 2026 | 18:26
Updated-12 Jun, 2026 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2024-5072
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.68% / 47.77%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 15:18
Updated-28 Mar, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper input validation in PAM JIT elevation feature in Devolutions Server 2024.1.11.0 and earlier allows an authenticated user with access to the PAM JIT elevation feature to manipulate the LDAP filter query via a specially crafted request.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CVE-2023-2282
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-3.1||LOW
EPSS-0.42% / 33.96%
||
7 Day CHG~0.00%
Published-25 Apr, 2023 | 18:23
Updated-04 Feb, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the Web Login listener in Devolutions Remote Desktop Manager 2023.1.22 and earlier on Windows allows an authenticated user to bypass administrator-enforced Web Login restrictions and gain access to entries via an unexpected vector.

Action-Not Available
Vendor-Microsoft CorporationDevolutions
Product-remote_desktop_managerwindowsRemote Desktop Manager
CVE-2023-1574
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.48% / 38.05%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 12:50
Updated-25 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Information disclosure in the user creation feature of a MSSQL data source in Devolutions Remote Desktop Manager 2023.1.9 and below on Windows allows an attacker with access to the user interface to obtain sensitive information via the error message dialog that displays the password in clear text.

Action-Not Available
Vendor-Devolutions
Product-remote_desktop_managerRemote Desktop Manager
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-3781
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 34.86%
||
7 Day CHG~0.00%
Published-01 Nov, 2022 | 18:28
Updated-05 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dashlane password and Keepass Server password in My Account Settings  are not encrypted in the database in Devolutions Remote Desktop Manager 2022.2.26 and prior versions and Devolutions Server 2022.3.1 and prior versions which allows database users to read the data. This issue affects : Remote Desktop Manager 2022.2.26 and prior versions. Devolutions Server 2022.3.1 and prior versions.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverremote_desktop_managerRemote Desktop ManagerDevolutions Server
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-2221
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.11% / 61.85%
||
7 Day CHG~0.00%
Published-27 Jun, 2022 | 18:38
Updated-03 Aug, 2024 | 00:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Information Exposure vulnerability in My Account Settings of Devolutions Remote Desktop Manager before 2022.1.8 allows authenticated users to access credentials of other users. This issue affects: Devolutions Remote Desktop Manager versions prior to 2022.1.8.

Action-Not Available
Vendor-Devolutions
Product-remote_desktop_managerRemote Desktop Manager
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2024-12196
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.46% / 36.37%
||
7 Day CHG+0.01%
Published-04 Dec, 2024 | 17:17
Updated-28 Mar, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-5575
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.63% / 45.78%
||
7 Day CHG~0.00%
Published-16 Oct, 2023 | 13:29
Updated-16 Sep, 2024 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the permission inheritance in Devolutions Server 2022.3.13.0 and earlier allows an attacker that compromised a low privileged user to access entries via a specific combination of permissions in the entry and in its parent.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CVE-2025-41415
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.1||HIGH
EPSS-0.33% / 25.29%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 19:57
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AVEVA PI Integrator Insertion of Sensitive Information into Sent Data

The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to access publication targets) to retrieve sensitive information that could then be used to gain additional access to downstream resources.

Action-Not Available
Vendor-AVEVA
Product-PI Integrator
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-57347
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-Not Assigned
Published-02 Jul, 2026 | 11:15
Updated-02 Jul, 2026 | 13:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hotel Booking Lite plugin <= 6.0.3 - Sensitive Data Exposure vulnerability

Subscriber Sensitive Data Exposure in Hotel Booking Lite <= 6.0.3 versions.

Action-Not Available
Vendor-jetmonsters
Product-Hotel Booking Lite
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-7184
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.26% / 16.84%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 15:49
Updated-18 Jun, 2026 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mattermost Remote Cluster PATCH API Leaks Authentication Tokens

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint.. Mattermost Advisory ID: MMSA-2026-00662

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-69132
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-Not Assigned
Published-02 Jul, 2026 | 11:14
Updated-02 Jul, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Corpkit theme <= 1.0.5 - Sensitive Data Exposure vulnerability

Subscriber Sensitive Data Exposure in Corpkit <= 1.0.5 versions.

Action-Not Available
Vendor-Zozothemes
Product-Corpkit
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-48877
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.30% / 21.54%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 08:47
Updated-27 May, 2026 | 10:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GenerateBlocks plugin <= 2.1.0 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0.

Action-Not Available
Vendor-Tom
Product-GenerateBlocks
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-45582
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.26% / 17.51%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 13:37
Updated-01 Jun, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters — could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md. This vulnerability is fixed in 2.51.3.

Action-Not Available
Vendor-n8n-mcpczlonkowski
Product-n8n-mcpn8n-mcp
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-44653
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 19.35%
||
7 Day CHG~0.00%
Published-02 Jun, 2026 | 22:40
Updated-04 Jun, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LibreChat Shared MCP Server View Leaks Decrypted Admin Secrets

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/mcp/servers` and `GET /api/mcp/servers/:serverName`. The returned config includes plaintext values for `apiKey.key` and `oauth.client_secret`. This allows viewers of a shared MCP server to exfiltrate the underlying provider credentials. Version 0.8..4 contains a patch. Other remediations include: never returning decrypted admin-managed secrets to non-owners; redacting apiKey.key and oauth.client_secret from all API responses consider returning only boolean presence indicators for secrets, similar to the auth-values route pattern; and, if owners need to edit configs without re-entering secrets, preserving secrets server-side and returning placeholders instead of plaintext.

Action-Not Available
Vendor-librechatdanny-avila
Product-librechatLibreChat
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-57318
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.36% / 27.56%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:52
Updated-26 Jun, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Site Reviews plugin <= 8.0.11 - Sensitive Data Exposure vulnerability

Subscriber Sensitive Data Exposure in Site Reviews <= 8.0.11 versions.

Action-Not Available
Vendor-Gemini Labs
Product-Site Reviews
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-27001
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 23.34%
||
7 Day CHG+0.02%
Published-28 Mar, 2025 | 09:38
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Shipmondo – A complete shipping solution for WooCommerce plugin <= 5.0.3 - Authenticated Arbitrary WordPress Option Disclosure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Shipmondo Shipmondo – A complete shipping solution for WooCommerce pakkelabels-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Shipmondo – A complete shipping solution for WooCommerce: from n/a through <= 5.0.3.

Action-Not Available
Vendor-Shipmondo
Product-Shipmondo – A complete shipping solution for WooCommerce
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-2615
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 19.31%
||
7 Day CHG~0.00%
Published-15 Nov, 2025 | 08:04
Updated-19 Nov, 2025 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insertion of Sensitive Information Into Sent Data in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-24567
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 29.18%
||
7 Day CHG~0.00%
Published-14 Feb, 2025 | 12:44
Updated-11 May, 2026 | 23:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Mailster plugin <= 1.8.16.0 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster wp-mailster allows Retrieve Embedded Sensitive Data.This issue affects WP Mailster: from n/a through <= 1.8.16.0.

Action-Not Available
Vendor-brandtoss
Product-WP Mailster
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-24597
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 25.61%
||
7 Day CHG+0.01%
Published-31 Jan, 2025 | 08:24
Updated-11 May, 2026 | 23:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Barcode Generator for WooCommerce plugin <= 2.0.2 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Generator for WooCommerce embedding-barcodes-into-product-pages-and-orders allows Retrieve Embedded Sensitive Data.This issue affects Barcode Generator for WooCommerce: from n/a through <= 2.0.2.

Action-Not Available
Vendor-Dmitry V. (CEO of "UKR Solution")
Product-Barcode Generator for WooCommerce
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-24639
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.45% / 36.15%
||
7 Day CHG+0.02%
Published-03 Feb, 2025 | 14:22
Updated-11 May, 2026 | 23:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Korea for WooCommerce plugin <= 1.1.11 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Greys Korea for WooCommerce korea-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Korea for WooCommerce: from n/a through <= 1.1.11.

Action-Not Available
Vendor-Greys
Product-Korea for WooCommerce
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-42539
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.23% / 13.99%
||
7 Day CHG~0.00%
Published-04 Jun, 2026 | 20:54
Updated-08 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IRIS has an Excessive Data Exposure issue

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client’s operation. Version 2.4.28 contains a patch.

Action-Not Available
Vendor-dfir-iris
Product-iris-web
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2023-4002
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.49% / 38.45%
||
7 Day CHG~0.00%
Published-04 Aug, 2023 | 00:30
Updated-02 Jun, 2026 | 04:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insertion of Sensitive Information Into Sent Data in GitLab

An issue has been discovered in GitLab EE affecting all versions starting from 14.1 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for EE-licensed users to link any security policy project by its ID to projects or groups the user has access to, potentially revealing the security projects's configured security policies.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-40161
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.26% / 17.37%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 16:26
Updated-21 May, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing serverURL to an attacker-controlled endpoint. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.

Action-Not Available
Vendor-tektoncdThe Linux Foundation
Product-tekton_pipelinespipeline
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2023-3413
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.62% / 45.48%
||
7 Day CHG~0.00%
Published-29 Sep, 2023 | 08:30
Updated-20 Nov, 2025 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insertion of Sensitive Information Into Sent Data in GitLab

An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2023-28117
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.6||HIGH
EPSS-0.64% / 46.25%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 19:37
Updated-25 Feb, 2025 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True`

Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for performance related events (transactions) one can use the `before_send_transaction` callback method. Those who want to handle filtering of these values on the server-side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with a scrubbing rule.

Action-Not Available
Vendor-sentrygetsentry
Product-sentry_software_development_kitsentry-python
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CWE ID-CWE-209
Generation of Error Message Containing Sensitive Information
CVE-2026-27877
Matching Score-4
Assigner-Grafana Labs
ShareView Details
Matching Score-4
Assigner-Grafana Labs
CVSS Score-6.5||MEDIUM
EPSS-0.31% / 22.66%
||
7 Day CHG+0.11%
Published-27 Mar, 2026 | 14:02
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Public dashboards discloses all direct mode datasources

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

Action-Not Available
Vendor-Red Hat, Inc.Grafana Labs
Product-grafanaGrafanaRed Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux 8Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux AppStream (v. 10)
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2026-27514
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.22% / 12.00%
||
7 Day CHG~0.00%
Published-23 Feb, 2026 | 16:27
Updated-11 May, 2026 | 23:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda F3 Plaintext Credential Exposure in Configuration Download

Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a sensitive information exposure vulnerability in the configuration download functionality. The configuration download response includes the router password and administrative password in plaintext. The endpoint also omits appropriate Cache-Control directives, which can allow the response to be stored in client-side caches and recovered by other local users or processes with access to cached browser data.

Action-Not Available
Vendor-Shenzhen Tenda Technology Co., Ltd.Tenda Technology Co., Ltd.
Product-f3_firmwaref3Tenda F3
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CWE ID-CWE-525
Use of Web Browser Cache Containing Sensitive Information
CVE-2024-54309
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.65% / 46.72%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:25
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PostBox plugin <= 1.0.4 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in wpdebuglog PostBox postbox-email-logs allows Retrieve Embedded Sensitive Data.This issue affects PostBox: from n/a through <= 1.0.4.

Action-Not Available
Vendor-wpdebuglog
Product-PostBox
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-27465
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-1.3||LOW
EPSS-0.24% / 15.18%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 02:54
Updated-02 Mar, 2026 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account. Fleet returns configuration data through an API endpoint that is accessible to authenticated users, including those with the lowest-privilege “Observer” role. In affected versions, Google Calendar service account credentials were not properly obfuscated before being returned. As a result, a low-privilege user could retrieve the service account’s private key material. Depending on how the Google Calendar integration is configured, this could allow unauthorized access to calendar data or other Google Workspace resources associated with the service account. This issue does not allow escalation of privileges within Fleet or access to device management functionality. Version 4.80.1 patches the issue. If an immediate upgrade is not possible, administrators should remove the Google Calendar integration from Fleet and rotate the affected Google service account credentials.

Action-Not Available
Vendor-fleetdmfleetdm
Product-fleetfleet
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-27935
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.27% / 18.57%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 21:33
Updated-23 Mar, 2026 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse leaks private topic metadata to non-authorized users

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-28131
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 12.31%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 08:33
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Elementor Addon Elements plugin <= 1.14.4 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Retrieve Embedded Sensitive Data.This issue affects Elementor Addon Elements: from n/a through <= 1.14.4.

Action-Not Available
Vendor-WPVibes
Product-Elementor Addon Elements
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-25339
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.23% / 14.28%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form by WPForms plugin <= 1.9.8.7 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Contact Form by WPForms
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-24565
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 19.38%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 14:28
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress B Accordion plugin <= 2.0.2 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in bPlugins B Accordion b-accordion allows Retrieve Embedded Sensitive Data.This issue affects B Accordion: from n/a through <= 2.0.2.

Action-Not Available
Vendor-bPlugins
Product-B Accordion
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
  • Previous
  • 1
  • 2
  • Next
Details not found