Monthly
Credential hash exposure in Splunk Enterprise and Splunk Cloud Platform allows low-privileged users - those without the 'admin' or 'power' roles - to retrieve stored credential hashes by issuing the `|rest` SPL command against the `/servicesNS/-/-/storage/passwords` endpoint, which incorrectly returns the `encr_password` field. Affected are Splunk Enterprise branches below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and multiple Splunk Cloud Platform versions. No public exploit has been identified at time of analysis and this CVE is not in CISA KEV, but the real-world impact is significant wherever Splunk stores credentials for external services such as databases, APIs, or cloud accounts.
Permission control bypass in the Settings module of Huawei HarmonyOS and EMUI exposes sensitive service data to unauthorized local actors. A locally-installed application without elevated privileges can exploit the flaw (CWE-200) during user interaction with the Settings UI to read confidential configuration or service data - with a CVSS-rated High confidentiality impact (C:H). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthenticated information disclosure in TP-Link Kasa EC70 v4 and EC71 v4 exposes sensitive geolocation data to any attacker on the same local network segment. The flaw resides in the devices' local discovery mechanism, which returns geolocation-related information in response to crafted network probes without requiring any credentials. Impact is limited to confidentiality; no integrity or availability compromise is possible through this vector. No public exploit exists and no active exploitation has been confirmed.
Information disclosure in andreimarcu Linx (linx-server) versions 1.0 through 2.3.8 lets remote attackers retrieve sensitive data through the uploadRemote function in upload.go, which fetches attacker-supplied remote URLs on the server's behalf. The flaw carries a CVSS 9.1 rating with a network, unauthenticated, low-complexity vector, so exploitation requires no credentials or user interaction. No public exploit is identified, though a third-party vulnerability report is published for the CVE.
In multi-tenant HTTP mode (`ENABLE_MULTI_TENANT=true`), an authenticated tenant could, under certain conditions, reach n8n-mcp's local default-scope `workflow_versions` backups instead of being confined to its own tenant scope. This affects n8n-mcp's own local workflow-version storage, not a normal n8n API capability. An authenticated MCP HTTP tenant could read or delete workflow-version backups stored in the default (single-tenant) scope - for example backups left from a prior single-tenant deployment or a migration period. Workflow snapshots may contain sensitive workflow configuration depending on their contents. Single-tenant and stdio deployments are not affected. `<= 2.57.3` `2.57.4` Upgrade to n8n-mcp `2.57.4` or later. The fix requires a complete tenant context in multi-tenant mode and fails closed for workflow-version access that cannot be attributed to a specific tenant. - Restrict network access to the HTTP endpoint (firewall / reverse proxy / VPN) so only trusted callers can reach it. - Run in stdio mode, which has no multi-tenant HTTP surface. - If default-scope backups from a prior single-tenant deployment are not needed, removing them eliminates the exposure. Reported by @DavidCarliez.
Adobe Commerce is affected by an Information Exposure vulnerability that could lead to a limited disclosure of sensitive information. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.
Applications built with the Auth0 Symphony SDK, using the Authorizer security authenticator to protect HTTP routes may accept OAuth 2.0 bearer access tokens provided through a URL query parameter, in addition to the standard Authorization header, which may increase the risk of access token exposure and replay against protected API endpoints. Upgrade auth0/symfony to version 5.9.0 or greater. Okta would like to thank Alex Yeara for their discovery.
Devolutions Server 2026.1.22.0 and 2026.2.11.0 exposes Azure Key Vault client secrets in cleartext within Recovery Kit response files, defeating an explicit 'exclude sensitive data' option that administrators rely on. Any party who obtains a copy of the generated response file can trivially read the credential without any decryption or tooling. No public exploit code exists and the vulnerability is not in CISA KEV; however, because successful exploitation yields a reusable cloud credential, the downstream blast radius in Azure environments substantially exceeds what the 3.3 CVSS base score suggests. A vendor-released patch is available.
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an unauthorized attacker to elevate privileges locally.
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally.
Credential hash exposure in Splunk Enterprise and Splunk Cloud Platform allows low-privileged users - those without the 'admin' or 'power' roles - to retrieve stored credential hashes by issuing the `|rest` SPL command against the `/servicesNS/-/-/storage/passwords` endpoint, which incorrectly returns the `encr_password` field. Affected are Splunk Enterprise branches below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and multiple Splunk Cloud Platform versions. No public exploit has been identified at time of analysis and this CVE is not in CISA KEV, but the real-world impact is significant wherever Splunk stores credentials for external services such as databases, APIs, or cloud accounts.
Permission control bypass in the Settings module of Huawei HarmonyOS and EMUI exposes sensitive service data to unauthorized local actors. A locally-installed application without elevated privileges can exploit the flaw (CWE-200) during user interaction with the Settings UI to read confidential configuration or service data - with a CVSS-rated High confidentiality impact (C:H). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthenticated information disclosure in TP-Link Kasa EC70 v4 and EC71 v4 exposes sensitive geolocation data to any attacker on the same local network segment. The flaw resides in the devices' local discovery mechanism, which returns geolocation-related information in response to crafted network probes without requiring any credentials. Impact is limited to confidentiality; no integrity or availability compromise is possible through this vector. No public exploit exists and no active exploitation has been confirmed.
Information disclosure in andreimarcu Linx (linx-server) versions 1.0 through 2.3.8 lets remote attackers retrieve sensitive data through the uploadRemote function in upload.go, which fetches attacker-supplied remote URLs on the server's behalf. The flaw carries a CVSS 9.1 rating with a network, unauthenticated, low-complexity vector, so exploitation requires no credentials or user interaction. No public exploit is identified, though a third-party vulnerability report is published for the CVE.
In multi-tenant HTTP mode (`ENABLE_MULTI_TENANT=true`), an authenticated tenant could, under certain conditions, reach n8n-mcp's local default-scope `workflow_versions` backups instead of being confined to its own tenant scope. This affects n8n-mcp's own local workflow-version storage, not a normal n8n API capability. An authenticated MCP HTTP tenant could read or delete workflow-version backups stored in the default (single-tenant) scope - for example backups left from a prior single-tenant deployment or a migration period. Workflow snapshots may contain sensitive workflow configuration depending on their contents. Single-tenant and stdio deployments are not affected. `<= 2.57.3` `2.57.4` Upgrade to n8n-mcp `2.57.4` or later. The fix requires a complete tenant context in multi-tenant mode and fails closed for workflow-version access that cannot be attributed to a specific tenant. - Restrict network access to the HTTP endpoint (firewall / reverse proxy / VPN) so only trusted callers can reach it. - Run in stdio mode, which has no multi-tenant HTTP surface. - If default-scope backups from a prior single-tenant deployment are not needed, removing them eliminates the exposure. Reported by @DavidCarliez.
Adobe Commerce is affected by an Information Exposure vulnerability that could lead to a limited disclosure of sensitive information. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.
Applications built with the Auth0 Symphony SDK, using the Authorizer security authenticator to protect HTTP routes may accept OAuth 2.0 bearer access tokens provided through a URL query parameter, in addition to the standard Authorization header, which may increase the risk of access token exposure and replay against protected API endpoints. Upgrade auth0/symfony to version 5.9.0 or greater. Okta would like to thank Alex Yeara for their discovery.
Devolutions Server 2026.1.22.0 and 2026.2.11.0 exposes Azure Key Vault client secrets in cleartext within Recovery Kit response files, defeating an explicit 'exclude sensitive data' option that administrators rely on. Any party who obtains a copy of the generated response file can trivially read the credential without any decryption or tooling. No public exploit code exists and the vulnerability is not in CISA KEV; however, because successful exploitation yields a reusable cloud credential, the downstream blast radius in Azure environments substantially exceeds what the 3.3 CVSS base score suggests. A vendor-released patch is available.
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an unauthorized attacker to elevate privileges locally.
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally.