Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603) allow a physically proximate attacker to obtain stored WPA2 credentials in cleartext and to read or write arbitrary memory via the serial console.
Jenkins Job Configuration History Plugin version 1356.ve360da_6c523a_ and earlier exposes encrypted secret values to any Jenkins user holding Extended Read permission by failing to apply Jenkins' standard secret redaction when rendering historical job and agent configurations. Encrypted credential values that Jenkins would normally mask are displayed in full within the plugin's history view, potentially enabling offline analysis of those values. No public exploit or active exploitation has been identified; SSVC rates this as non-automatable with partial technical impact.
Grav CMS (getgrav/grav < 1.7.53) exposes admin bcrypt password hashes, SMTP credentials, and full site configuration to any actor who can obtain a session-static admin-nonce value - via XSS, Referrer header leakage, browser history, or proxy logs - because the backup download endpoint enforces only a single URL-embedded nonce with no form-level CSRF token and no session binding. The default backup profile archives the entire GRAV_ROOT directory including user/accounts/ and user/config/ without exclusions, and the download handler Base64-encodes the absolute filesystem path in the response URL, leaking server internals. A fully functional public PoC is available; no CISA KEV listing exists at time of analysis, but downstream risk includes offline hashcat cracking followed by unauthenticated admin login with no server-side rate limiting.
Steeltoe.Configuration.Abstractions 4.0.0-4.1.0 permanently exposes TLS client private key material to world-readable temporary files on Linux when Cloud Foundry MySQL or PostgreSQL service bindings supply SSL credentials via VCAP_SERVICES. The Connectors library writes SSL certificate, private key, and CA files to Path.GetTempPath() using File.CreateText, which on Linux creates files at mode 0644 (owner read/write, group read, world read) with no cleanup mechanism, leaving key material readable by any co-located process for the container's lifetime. Vendor-released patch 4.2.0 resolves both the permission issue (restricting new temp files to mode 0600) and the missing cleanup via IDisposable; no public exploit has been identified at time of analysis.
Plaintext credential exposure in SolidInvoice open-source invoicing platform prior to 2.3.17 allows any actor with read access to the application database to harvest every user's REST API token directly from the api_tokens table. Because tokens are stored unhashed, secondary exposures such as SQL injection, stolen backups, replicated databases, or insider access become full account-takeover paths against the API. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the patch in 2.3.17 (commit 8645391) introduces HMAC-SHA256 token hashing keyed by SOLIDINVOICE_APP_SECRET.
Cleartext credential exposure in Devolutions Server allows an authenticated low-privileged user to retrieve plaintext credentials stored for configured ticketing integrations via a crafted API request. Affected versions include Devolutions Server 2026.2.4.0 and all 2026.1.x releases up to and including 2026.1.20.0. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the vulnerability was self-disclosed by Devolutions via advisory DEVO-2026-0015.
Plaintext exposure of pre-signed Backblaze B2 upload URLs in GNCC GP5 camera firmware v7.1.76 allows physically proximate attackers with serial UART access to harvest live cloud storage tokens. The leaked PUT URLs enable unauthorized write operations against the device's Backblaze B2 cloud storage bucket until the tokens expire. No public exploit has been identified at time of analysis, though a public research write-up describing the issue is referenced.
StrongDM Desktop Application on Microsoft Windows exposes authentication secrets - including JSON Web Tokens and asymmetric key material - by writing them in cleartext to C:\Users\<username>\.sdm\state.kv, a per-user state file protected solely by default NTFS user-level permissions. Versions prior to Desktop Application 23.74.0 and Desktop Client 53.77.0 are affected. A local attacker meeting the required access prerequisites could read this file and extract live credentials, potentially enabling impersonation of the victim against StrongDM-managed infrastructure. No public exploit code exists and the vulnerability is not in the CISA KEV catalog; the low CVSS 4.0 score of 2.0 reflects the constrained local attack surface and required attack conditions.
RustFS distributed object storage (all versions prior to 1.0.0-beta.2) leaks sensitive credentials - including SessionTokens (JWT), SecretAccessKeys, and full JWT claim payloads - in plaintext to server logs when debug-level logging is active. Any authenticated party with read access to those log files can harvest live credentials for lateral movement or unauthorized storage access. No public exploit has been identified at time of analysis, but the impact of credential exposure is high if debug logging is inadvertently enabled in production. A vendor-released patch is available in 1.0.0-beta.2.
This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in the RAM of the targeted device. Successful exploitation of this vulnerability could allow unauthorized access to the encrypted communications and the connected wireless network of the targeted device.