Monthly
Credential exposure in Tigera Calico's Azure IPAM integration causes ServiceAccount tokens, client keys, and certificate authority data to be written in plaintext to a node-local log file on every pod scheduling and termination event. Affected deployments include Calico, Calico Enterprise, and Calico Cloud when the Azure IPAM plugin is in use with token-based Kubernetes authentication. Any low-privileged principal able to read /var/log/calico/cni/cni.log on an affected node can extract these credentials and leverage them for cluster-wide Calico networking administration. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the sensitive nature of the exposed material - full Kubernetes auth credentials - makes this a meaningful lateral movement and privilege escalation risk within affected Azure-hosted Kubernetes clusters.
Credential disclosure in Tigera Calico's calicoctl CLI exposes cluster-access secrets through verbose logging output. When operators run calicoctl with --log-level=info or --log-level=debug, the tool serializes its entire connection-configuration struct (including bearer tokens, etcd passwords, and inline PEM client certificates/keys) to stderr in a single log line, making them harvestable by anyone with access to CI logs, terminal recordings, or support transcripts. The issue is patched upstream but no public exploit is identified at time of analysis; default panic-level logging means standard deployments are not exposed.
Calico's install-cni init container leaks live Kubernetes ServiceAccount bearer tokens into pod logs when Canal/Flannel-Calico deployments use the __SERVICEACCOUNT_TOKEN__ placeholder, making the credential readable by any authenticated user with pods/log permission in the calico-node namespace. The exposed token carries patch privileges on pods/status, creating a lateral movement path via annotation-based attacks against cluster workloads. This is a confirmed regression of TTA-2018-001 reported by Tigera; no public exploit has been identified at time of analysis, though upstream patches are available via GitHub.
Local privilege escalation in Veeam Agent for Microsoft Windows enables a low-privileged authenticated user to escalate to higher privileges on the host, with the CWE-532 mapping indicating sensitive information is exposed via log files that the attacker can read or abuse. CVSS 4.0 base score is 7.3 with high impact to confidentiality, integrity, and availability of the vulnerable component, and no public exploit identified at time of analysis. The flaw is tied to the broader Veeam Backup and Replication 13 ecosystem (≤13.0.1 per ENISA EUVD), making it relevant on any Windows endpoint where the Veeam Agent is deployed alongside or as part of that platform.
Sensitive information disclosure in IBM MQ Operator and IBM-supplied MQ Advanced container images exposes potentially sensitive data written to log files, readable by local users on the host or container system. Affected versions span three release tracks (LTS, CD, SC2) across both the MQ Operator (v2.0.0 through v3.9.1) and a broad range of container image releases from 9.3.x through 9.4.x. The CVSS score of 5.1 with a local attack vector and high complexity rating confines exploitation to users with existing local or container runtime access, and no public exploit has been identified at time of analysis.
Sensitive information disclosure in syslink software AG Avantra (versions before 25.3.0) on Linux and Windows allows an attacker with high privileges and adjacent network access to harvest data written into log files, with a scope-changed impact crossing trust boundaries. The flaw is tracked as CWE-532 and rated CVSS 7.5, but no public exploit identified at time of analysis and it is not listed in CISA KEV.
Information disclosure in Netatalk 2.1.0 through 4.4.2 exposes LDAP simple-bind passwords in log files, allowing any actor with read access to the affected logs to recover plaintext directory service credentials. The flaw is fixed in version 4.4.3, and no public exploit identified at time of analysis, though the CVSS 7.5 score reflects the high confidentiality impact of leaked bind credentials.
Sensitive information disclosure in Splunk Enterprise (below 10.2.2 and 10.0.5) and Splunk Cloud Platform (multiple branches below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13) allows authenticated users with a role granting access to the `_internal` index to view session cookies and response bodies containing sensitive data logged by the platform. Cisco-reported and patched by Splunk in advisory SVD-2026-0503, the issue is a CWE-532 sensitive-data-in-logs flaw rather than a remote code execution bug, with no public exploit identified at time of analysis.
TLS private key password exposure in Hyperledger fabric-chaincode-java (versions 2.3.1 through 2.5.9) leaks credentials to any local user with read access to chaincode server logs when the service runs in chaincode-as-a-service (CaaS) mode with TLS enabled. The fabric-chaincode-shim runtime logs the TLS private key password in plaintext at INFO level during server startup, classified under CWE-532. A local attacker who recovers the logged password and separately obtains the TLS private key file gains the material needed to impersonate the chaincode server, potentially intercepting or injecting chaincode communications. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
dbt MCP Server logs complete tool arguments including SQL queries and database credentials in plaintext to disk when file logging is enabled. Versions up to 1.17.0 write unredacted arguments from every tool invocation to dbt-mcp.log, with sensitive data such as raw SQL queries, credential-bearing vars payloads, and node selectors persisting indefinitely without automatic rotation. A local attacker with read access to the log file can extract credentials and SQL logic. Publicly available proof-of-concept demonstrates credential and PII extraction from log files.
Credential exposure in Tigera Calico's Azure IPAM integration causes ServiceAccount tokens, client keys, and certificate authority data to be written in plaintext to a node-local log file on every pod scheduling and termination event. Affected deployments include Calico, Calico Enterprise, and Calico Cloud when the Azure IPAM plugin is in use with token-based Kubernetes authentication. Any low-privileged principal able to read /var/log/calico/cni/cni.log on an affected node can extract these credentials and leverage them for cluster-wide Calico networking administration. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the sensitive nature of the exposed material - full Kubernetes auth credentials - makes this a meaningful lateral movement and privilege escalation risk within affected Azure-hosted Kubernetes clusters.
Credential disclosure in Tigera Calico's calicoctl CLI exposes cluster-access secrets through verbose logging output. When operators run calicoctl with --log-level=info or --log-level=debug, the tool serializes its entire connection-configuration struct (including bearer tokens, etcd passwords, and inline PEM client certificates/keys) to stderr in a single log line, making them harvestable by anyone with access to CI logs, terminal recordings, or support transcripts. The issue is patched upstream but no public exploit is identified at time of analysis; default panic-level logging means standard deployments are not exposed.
Calico's install-cni init container leaks live Kubernetes ServiceAccount bearer tokens into pod logs when Canal/Flannel-Calico deployments use the __SERVICEACCOUNT_TOKEN__ placeholder, making the credential readable by any authenticated user with pods/log permission in the calico-node namespace. The exposed token carries patch privileges on pods/status, creating a lateral movement path via annotation-based attacks against cluster workloads. This is a confirmed regression of TTA-2018-001 reported by Tigera; no public exploit has been identified at time of analysis, though upstream patches are available via GitHub.
Local privilege escalation in Veeam Agent for Microsoft Windows enables a low-privileged authenticated user to escalate to higher privileges on the host, with the CWE-532 mapping indicating sensitive information is exposed via log files that the attacker can read or abuse. CVSS 4.0 base score is 7.3 with high impact to confidentiality, integrity, and availability of the vulnerable component, and no public exploit identified at time of analysis. The flaw is tied to the broader Veeam Backup and Replication 13 ecosystem (≤13.0.1 per ENISA EUVD), making it relevant on any Windows endpoint where the Veeam Agent is deployed alongside or as part of that platform.
Sensitive information disclosure in IBM MQ Operator and IBM-supplied MQ Advanced container images exposes potentially sensitive data written to log files, readable by local users on the host or container system. Affected versions span three release tracks (LTS, CD, SC2) across both the MQ Operator (v2.0.0 through v3.9.1) and a broad range of container image releases from 9.3.x through 9.4.x. The CVSS score of 5.1 with a local attack vector and high complexity rating confines exploitation to users with existing local or container runtime access, and no public exploit has been identified at time of analysis.
Sensitive information disclosure in syslink software AG Avantra (versions before 25.3.0) on Linux and Windows allows an attacker with high privileges and adjacent network access to harvest data written into log files, with a scope-changed impact crossing trust boundaries. The flaw is tracked as CWE-532 and rated CVSS 7.5, but no public exploit identified at time of analysis and it is not listed in CISA KEV.
Information disclosure in Netatalk 2.1.0 through 4.4.2 exposes LDAP simple-bind passwords in log files, allowing any actor with read access to the affected logs to recover plaintext directory service credentials. The flaw is fixed in version 4.4.3, and no public exploit identified at time of analysis, though the CVSS 7.5 score reflects the high confidentiality impact of leaked bind credentials.
Sensitive information disclosure in Splunk Enterprise (below 10.2.2 and 10.0.5) and Splunk Cloud Platform (multiple branches below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13) allows authenticated users with a role granting access to the `_internal` index to view session cookies and response bodies containing sensitive data logged by the platform. Cisco-reported and patched by Splunk in advisory SVD-2026-0503, the issue is a CWE-532 sensitive-data-in-logs flaw rather than a remote code execution bug, with no public exploit identified at time of analysis.
TLS private key password exposure in Hyperledger fabric-chaincode-java (versions 2.3.1 through 2.5.9) leaks credentials to any local user with read access to chaincode server logs when the service runs in chaincode-as-a-service (CaaS) mode with TLS enabled. The fabric-chaincode-shim runtime logs the TLS private key password in plaintext at INFO level during server startup, classified under CWE-532. A local attacker who recovers the logged password and separately obtains the TLS private key file gains the material needed to impersonate the chaincode server, potentially intercepting or injecting chaincode communications. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
dbt MCP Server logs complete tool arguments including SQL queries and database credentials in plaintext to disk when file logging is enabled. Versions up to 1.17.0 write unredacted arguments from every tool invocation to dbt-mcp.log, with sensitive data such as raw SQL queries, credential-bearing vars payloads, and node selectors persisting indefinitely without automatic rotation. A local attacker with read access to the log file can extract credentials and SQL logic. Publicly available proof-of-concept demonstrates credential and PII extraction from log files.