
CWE-540

Inclusion of Sensitive Information in Source Code

10 CVEs | Avg CVSS 5.8 | MITRE
Critical: 0 | High: 3 | Medium: 6 | Low: 1 | POC: 1 | KEV: 0

Monthly

CVE-2026-4155 HIGH This Week

Hardcoded cryptographic seed disclosure in ChargePoint Home Flex charging stations enables unauthenticated remote attackers to extract stored credentials via the genpw script. The vulnerability exposes a secret seed value embedded directly in source code, allowing attackers to decrypt or regenerate passwords for further system compromise. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects unauthenticated network access with high confidentiality impact.

Information Disclosure
NVD VulDB
CVSS 3.0: 7.5 | EPSS: 0.2%
CVE-2026-35383 MEDIUM PATCH This Month

Bentley Systems iTwin Platform exposed a Cesium ion access token in web page source code, allowing unauthenticated attackers to enumerate or delete assets managed through Cesium ion services. The token was present in all versions prior to 2026-03-27 and has since been removed and revoked; no further enumeration or deletion is possible with the exposed token. This is a credential disclosure vulnerability affecting iTwin Platform users who relied on the compromised token for asset management.

Information Disclosure
NVD VulDB
CVSS 4.0: 6.9 | EPSS: 0.0%
CVE-2026-22275 MEDIUM This Month

Elastic Cloud Storage versions up to 3.8.1.7 are affected by inclusion of sensitive information in source code (CVSS 4.4).

Information Disclosure Elastic Cloud Storage Objectscale
NVD
CVSS 3.1: 4.4 | EPSS: 0.0%
CVE-2025-36299 MEDIUM Monitor

IBM Planning Analytics Local 2.1.0 through 2.1.14 stores sensitive information in source code that could be used in further attacks against the system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure IBM Planning Analytics Local Planning Analytics Workspace
NVD
CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2024-38327 MEDIUM This Month

IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 is vulnerable to information exposure and further attacks due to an exposed JavaScript source map which could assist an attacker to read and debug JavaScript used in the application's API.

Information Disclosure IBM Analytics Content Hub
NVD
CVSS 3.1: 6.8 | EPSS: 0.0%
CVE-2025-49182 HIGH PATCH This Week

Critical credential exposure vulnerability where admin login credentials and property configuration passwords are embedded directly in source code, enabling unauthenticated remote attackers to gain full administrative access to the affected application. The vulnerability has a CVSS score of 7.5 (High) with a network attack vector requiring no privileges or user interaction. While specific KEV/EPSS data and POC availability are not provided, the presence of hardcoded credentials in source code represents a severe and often easily discoverable weakness that typically sees rapid exploitation once disclosed.

Authentication Bypass Information Disclosure Media Server
NVD
CVSS 3.1: 7.5 | EPSS: 0.2%
CVE-2025-0923 MEDIUM This Month

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 stores source code on the web server that could aid in further attacks against the system.

Information Disclosure IBM Cognos Analytics
NVD
CVSS 3.1: 5.3 | EPSS: 0.1%
CVE-2024-55907 LOW Monitor

IBM Cognos Analytics Mobile 1.1 for iOS application could allow an attacker to reverse engineer the codebase to gain knowledge about the programming technique, interface, class definitions,. Rated low severity (CVSS 2.0), this vulnerability requires no authentication. No vendor patch available.

Information Disclosure IBM Apple iOS Cognos Analytics Mobile
NVD
CVSS 3.1: 2.0 | EPSS: 0.1%
CVE-2025-26013 HIGH POC This Week

An issue in Loggrove v.1.0 allows a remote attacker to obtain sensitive information via the read.py component. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.

Information Disclosure Loggrove
NVD
CVSS 3.1: 8.2 | EPSS: 0.2%
CVE-2024-35144 MEDIUM This Month

IBM Maximo Application Suite 8.10, 8.11, and 9.0 - Monitor Component stores source code on the web server that could aid in further attacks against the system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available.

Information Disclosure IBM Maximo Application Suite
NVD
CVSS 3.1: 5.3 | EPSS: 0.1%