Monthly
Sensitive configuration data and credentials are exposed in API responses within HCL DevOps Deploy / HCL Launch, affecting all maintained version branches from 7.3 through 8.2.1.0. Any authenticated user with low-privilege access can retrieve secrets through standard API interactions, creating a stepping-stone for lateral movement or privilege escalation across connected deployment targets. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but real-world risk is elevated because CI/CD platforms routinely store high-value credentials for downstream infrastructure.
Sensitive authentication data is inserted into network-transmitted responses in OSOS, the energy management platform by Sayax Energy Technologies Inc., enabling authenticated low-privilege users to extract credentials or session tokens and bypass authentication controls. All versions through build 09072026 are affected with no vendor patch available - TR-CERT disclosed this vulnerability but received no response from the vendor. No public exploit code has been identified at time of analysis, though the network-accessible attack vector with low complexity raises practical risk in industrial energy environments where even low-privilege account access is common.
Passive network de-anonymization of Encrypted Client Hello (ECH) connections is possible in Go's crypto/tls library because pre-shared key (PSK) identities are exposed in cleartext outer ClientHello messages, allowing any on-path observer to correlate resumption sessions and identify servers despite ECH's intended privacy protections. Affected versions span crypto/tls prior to 1.25.12, 1.26.5, and 1.27.0-rc.2 across the Go standard library. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; however, exploitation requires no authentication or user interaction and is accessible to any network-level adversary with passive traffic visibility.
Sensitive data exposure in Softaculous FormLayer WordPress plugin through version 1.0.6 allows remote unauthenticated attackers to retrieve embedded sensitive information from data transmitted by the plugin. The root cause (CWE-201) indicates the plugin inserts sensitive content - potentially API keys, tokens, or internal configuration - into outbound data visible to requesting clients. No public exploit code and no active exploitation have been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote accessibility.
Sensitive data exposure in Exclusive Addons Elementor (WordPress plugin by Tim Strifler) through version 2.7.9.9 enables unauthenticated remote attackers to retrieve sensitive information embedded within HTTP responses. The CWE-201 root cause indicates the plugin incorrectly includes sensitive data in outbound responses accessible to any network client without authentication, as confirmed by the CVSS vector (PR:N/UI:N). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the network-accessible, zero-prerequisite attack surface warrants prompt patching on internet-facing WordPress installations.
Sensitive subscriber data exposure in the Hotel Booking Lite WordPress plugin (versions 6.0.3 and earlier) allows authenticated low-privileged users to access confidential booking or guest information they should not be authorized to view. The vulnerability, classified under CWE-201, involves the plugin including sensitive data in API responses or rendered output accessible to subscriber-level WordPress accounts. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact and low barrier to exploitation (only a subscriber account required) make patching a priority for any hospitality operator running this plugin.
Sensitive data exposure in the Corpkit WordPress theme (versions <= 1.0.5) allows an authenticated subscriber-level user to retrieve confidential information that should be inaccessible to that role. The CVSS vector (PR:L, C:H) confirms that any low-privileged account holder - the default registered-user role in WordPress - can trigger the disclosure over the network with no additional interaction required. No public exploit code or active exploitation has been identified at time of analysis, but the low barrier of entry (subscriber registration is often open on WordPress sites) elevates real-world risk.
Sensitive data exposure in the HubSpot (Leadin) WordPress plugin versions up to and including 11.3.51 allows a low-privileged authenticated user to retrieve embedded sensitive information that is inserted into data sent by the plugin. Reported by Patchstack and tracked as CWE-201 with a CVSS 7.4 (scope-changed), there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The realistic impact is limited to information disclosure of secrets or private data the plugin transmits, without evidence of widespread or automated exploitation.
The genucenter web interface by genua exposes SNMP authentication and encryption keys in cleartext HTTP responses to any user holding the 'Service' or 'Admin' role, enabling credential theft without any exploitation complexity beyond normal authenticated use. Affected versions are all releases prior to 8.0p11; the fix was disclosed by sba-research via a coordinated advisory in April 2026. No public exploit code or active exploitation has been identified at time of analysis, though the disclosure of SNMP v3 keys - which govern both authentication integrity and traffic encryption - represents a meaningful lateral movement risk if those keys are reused across network devices.
Sensitive configuration and secret disclosure in IBM UrbanCode Deploy (7.3-7.3.2.18) and IBM DevOps Deploy (8.0-8.2.1.0) exposes credentials and configuration data to any authenticated low-privilege user via API responses. The exposed secrets can serve as a direct launchpad for privilege escalation or lateral movement within the CI/CD pipeline and connected deployment targets. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS-assigned high confidentiality impact reflects real post-authentication risk.
Sensitive configuration data and credentials are exposed in API responses within HCL DevOps Deploy / HCL Launch, affecting all maintained version branches from 7.3 through 8.2.1.0. Any authenticated user with low-privilege access can retrieve secrets through standard API interactions, creating a stepping-stone for lateral movement or privilege escalation across connected deployment targets. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but real-world risk is elevated because CI/CD platforms routinely store high-value credentials for downstream infrastructure.
Sensitive authentication data is inserted into network-transmitted responses in OSOS, the energy management platform by Sayax Energy Technologies Inc., enabling authenticated low-privilege users to extract credentials or session tokens and bypass authentication controls. All versions through build 09072026 are affected with no vendor patch available - TR-CERT disclosed this vulnerability but received no response from the vendor. No public exploit code has been identified at time of analysis, though the network-accessible attack vector with low complexity raises practical risk in industrial energy environments where even low-privilege account access is common.
Passive network de-anonymization of Encrypted Client Hello (ECH) connections is possible in Go's crypto/tls library because pre-shared key (PSK) identities are exposed in cleartext outer ClientHello messages, allowing any on-path observer to correlate resumption sessions and identify servers despite ECH's intended privacy protections. Affected versions span crypto/tls prior to 1.25.12, 1.26.5, and 1.27.0-rc.2 across the Go standard library. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; however, exploitation requires no authentication or user interaction and is accessible to any network-level adversary with passive traffic visibility.
Sensitive data exposure in Softaculous FormLayer WordPress plugin through version 1.0.6 allows remote unauthenticated attackers to retrieve embedded sensitive information from data transmitted by the plugin. The root cause (CWE-201) indicates the plugin inserts sensitive content - potentially API keys, tokens, or internal configuration - into outbound data visible to requesting clients. No public exploit code and no active exploitation have been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote accessibility.
Sensitive data exposure in Exclusive Addons Elementor (WordPress plugin by Tim Strifler) through version 2.7.9.9 enables unauthenticated remote attackers to retrieve sensitive information embedded within HTTP responses. The CWE-201 root cause indicates the plugin incorrectly includes sensitive data in outbound responses accessible to any network client without authentication, as confirmed by the CVSS vector (PR:N/UI:N). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the network-accessible, zero-prerequisite attack surface warrants prompt patching on internet-facing WordPress installations.
Sensitive subscriber data exposure in the Hotel Booking Lite WordPress plugin (versions 6.0.3 and earlier) allows authenticated low-privileged users to access confidential booking or guest information they should not be authorized to view. The vulnerability, classified under CWE-201, involves the plugin including sensitive data in API responses or rendered output accessible to subscriber-level WordPress accounts. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact and low barrier to exploitation (only a subscriber account required) make patching a priority for any hospitality operator running this plugin.
Sensitive data exposure in the Corpkit WordPress theme (versions <= 1.0.5) allows an authenticated subscriber-level user to retrieve confidential information that should be inaccessible to that role. The CVSS vector (PR:L, C:H) confirms that any low-privileged account holder - the default registered-user role in WordPress - can trigger the disclosure over the network with no additional interaction required. No public exploit code or active exploitation has been identified at time of analysis, but the low barrier of entry (subscriber registration is often open on WordPress sites) elevates real-world risk.
Sensitive data exposure in the HubSpot (Leadin) WordPress plugin versions up to and including 11.3.51 allows a low-privileged authenticated user to retrieve embedded sensitive information that is inserted into data sent by the plugin. Reported by Patchstack and tracked as CWE-201 with a CVSS 7.4 (scope-changed), there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The realistic impact is limited to information disclosure of secrets or private data the plugin transmits, without evidence of widespread or automated exploitation.
The genucenter web interface by genua exposes SNMP authentication and encryption keys in cleartext HTTP responses to any user holding the 'Service' or 'Admin' role, enabling credential theft without any exploitation complexity beyond normal authenticated use. Affected versions are all releases prior to 8.0p11; the fix was disclosed by sba-research via a coordinated advisory in April 2026. No public exploit code or active exploitation has been identified at time of analysis, though the disclosure of SNMP v3 keys - which govern both authentication integrity and traffic encryption - represents a meaningful lateral movement risk if those keys are reused across network devices.
Sensitive configuration and secret disclosure in IBM UrbanCode Deploy (7.3-7.3.2.18) and IBM DevOps Deploy (8.0-8.2.1.0) exposes credentials and configuration data to any authenticated low-privilege user via API responses. The exposed secrets can serve as a direct launchpad for privilege escalation or lateral movement within the CI/CD pipeline and connected deployment targets. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS-assigned high confidentiality impact reflects real post-authentication risk.