Search Results (1428 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-21660 1 Johnsoncontrols 2 Frick Controls Quantum Hd, Frick Controls Quantum Hd Firmware 2026-04-17 9.8 Critical
Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise This issue affects Frick Controls Quantum HD version 10.22 and prior.
CVE-2026-20791 1 Chargemap 1 Chargemap.com 2026-04-16 6.5 Medium
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-27167 2 Gradio-app, Gradio Project 2 Gradio, Gradio 2026-04-16 0 Low
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are used. When a user visits `/login/huggingface`, the server retrieves its own Hugging Face access token via `huggingface_hub.get_token()` and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string `"-v4"`, making the payload trivially decodable. Version 6.6.0 fixes the issue.
CVE-2022-27774 6 Brocade, Debian, Haxx and 3 more 18 Fabric Operating System, Debian Linux, Curl and 15 more 2026-04-16 5.7 Medium
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
CVE-2026-27770 1 Epower 1 Epower.ie 2026-04-16 6.5 Medium
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-28714 3 Acronis, Linux, Microsoft 4 Acronis Cyber Protect 17, Cyber Protect, Linux Kernel and 1 more 2026-04-16 N/A
Unnecessary transmission of sensitive cryptographic material. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
CVE-2026-27027 1 Everon 1 Api.everon.io 2026-04-16 6.5 Medium
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-20733 1 Cloudcharge 1 Cloudcharge.se 2026-04-16 6.5 Medium
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-20435 6 Google, Linuxfoundation, Mediatek and 3 more 40 Android, Yocto, Mt2737 and 37 more 2026-04-16 4.6 Medium
In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118.
CVE-2026-27777 1 Mobiliti 1 E-mobi.hu 2026-04-16 6.5 Medium
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-35185 2 Haxtheweb, Psu 2 Hax, Haxiam 2026-04-16 7.5 High
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any unauthenticated user to monitor real-time user interactions and gather internal infrastructure information. This vulnerability is fixed in 25.0.0.
CVE-1999-0013 1 Ssh 1 Ssh 2026-04-16 8.4 High
Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.
CVE-2000-0944 1 Cgi 1 Script Center News Update 2026-04-16 9.8 Critical
CGI Script Center News Update 1.1 does not properly validate the original news administration password during a password change operation, which allows remote attackers to modify the password without knowing the original password.
CVE-2005-3435 1 Archilles 1 Newsworld 2026-04-16 9.8 Critical
admin_news.php in Archilles Newsworld up to 1.3.0 allows attackers to bypass authentication by obtaining the password hash for another user, for example through another Newsworld vulnerability, and specifying the hash in the pwd argument.
CVE-2026-25774 2 Ev.energy, Ev Energy 2 Ev.energy, Ev.energy 2026-04-15 6.5 Medium
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2025-41682 1 Bender 4 Cc612, Cc613, Icc13xx and 1 more 2026-04-15 8.8 High
An authenticated, low-privileged attacker can obtain credentials stored on the charge controller including the manufacturer password.
CVE-2024-38285 1 Motorolasolutions 1 Vigilant Fixed Lpr Coms Box Bcav1f2 C600 2026-04-15 N/A
Logs storing credentials are insufficiently protected and can be decoded through the use of open source tools.
CVE-2024-53832 2026-04-15 4.6 Medium
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V05.30). The affected devices contain a secure element which is connected via an unencrypted SPI bus. This could allow an attacker with physical access to the SPI bus to observe the password used for the secure element authentication, and then use the secure element as an oracle to decrypt all encrypted update files.
CVE-2025-54467 2 Neuvector, Suse 2 Neuvector, Neuvector 2026-04-15 5.3 Medium
When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation the password will appear in the NeuVector security event log.
CVE-2025-57806 2026-04-15 N/A
Local Deep Research is an AI-powered research assistant for deep, iterative research. Versions 0.2.0 through 0.6.7 stored confidential information, including API keys, in a local SQLite database without encryption. This behavior was not clearly documented outside of the database architecture page. Users were not given the ability to configure the database location, allowing anyone with access to the container or host filesystem to retrieve sensitive data in plaintext by accessing the .db file. This is fixed in version 1.0.0.