Search Results (2330 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2008-0996 1 Apple 2 Mac Os X, Mac Os X Server 2026-04-23 N/A
The Printing component in Apple Mac OS X 10.5.2 might save authentication credentials to disk when starting a job on an authenticated print queue, which might allow local users to obtain the credentials.
CVE-2008-5104 2 Dcgrendel, Ubuntu 2 Vmbuilder, Ubuntu Linux 2026-04-23 N/A
Ubuntu 6.06 LTS, 7.10, 8.04 LTS, and 8.10, when installed as a virtual machine by (1) python-vm-builder or (2) ubuntu-vm-builder in VMBuilder 0.9 in Ubuntu 8.10, have ! (exclamation point) as the default root password, which allows attackers to bypass intended login restrictions.
CVE-2008-3859 1 Davlin 1 Thickbox Gallery 2026-04-23 N/A
Davlin Thickbox Gallery 2 allows remote attackers to obtain the administrative username and MD5 password hash via a direct request to conf/admins.php.
CVE-2007-5191 6 Canonical, Debian, Fedoraproject and 3 more 6 Ubuntu Linux, Debian Linux, Fedora and 3 more 2026-04-23 N/A
mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs.
CVE-2008-4646 1 Websense 1 Enterpise 2026-04-23 N/A
The Websense Reporter Module in Websense Enterprise 6.3.2 stores the SQL database system administrator password in plaintext in CreateDbInstall.log, which allows local users to gain privileges to the database.
CVE-2006-6239 1 Mailenable 2 Netwebadmin Enterprise, Netwebadmin Professional 2026-04-23 N/A
webadmin in MailEnable NetWebAdmin Professional 2.32 and Enterprise 2.32 allows remote attackers to authenticate using an empty password.
CVE-2009-0632 1 Cisco 1 Unified Communications Manager 2026-04-23 N/A
The IP Phone Personal Address Book (PAB) Synchronizer feature in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.1, 4.2 before 4.2(3)SR4b, 4.3 before 4.3(2)SR1b, 5.x before 5.1(3e), 6.x before 6.1(3), and 7.0 before 7.0(2) sends privileged directory-service account credentials to the client in cleartext, which allows remote attackers to modify the CUCM configuration and perform other privileged actions by intercepting these credentials, and then using them in requests unrelated to the intended synchronization task, as demonstrated by (1) DC Directory account credentials in CUCM 4.x and (2) TabSyncSysUser account credentials in CUCM 5.x through 7.x.
CVE-2026-4250 1 Albert Sağlık Hizmetleri Ve Ticaret 1 Albert Health 2026-04-22 2.5 Low
A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results in unprotected storage of credentials. The attack requires a local approach. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-4217 1 Xreal 1 Nebula App 2026-04-22 2.5 Low
A security vulnerability has been detected in XREAL Nebula App up to 3.2.1 on Android. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument accessKey/secretAccessKey/securityToken leads to unprotected storage of credentials. The attack can only be performed from a local environment. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-4216 1 I-sens 1 Smartlog App 2026-04-22 5.3 Medium
A weakness has been identified in i-SENS SmartLog App up to 2.6.8 on Android. This affects an unknown function of the component air.SmartLog.android. This manipulation causes hard-coded credentials. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. The vendor explains: "The function referenced in the report currently exists in our deployed system. It is related to a developer mode used during the configuration process for Bluetooth pairing between the blood glucose meter and the SmartLog application. This function is intended for configuration purposes related to device integration and testing. (...) [I]n a future application update, we plan to review measures to either remove the developer mode function or restrict access to it."
CVE-2026-4219 1 Index Conferences & Exhibitions Organization 1 Ywf Bpof Apgcs App 2026-04-22 3.3 Low
A flaw has been found in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of the argument ACCESS_KEY/HASH_KEY can lead to hard-coded credentials. The attack is restricted to local execution. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-4243 1 La Nacion App 1 La Nacion App 2026-04-22 2.5 Low
A weakness has been identified in La Nacion App 10.2.25 on Android. This impacts an unknown function of the file source/app/lanacion/clublanacion/BuildConfig.java of the component app.lanacion.activity. Executing a manipulation of the argument API_KEY_WEBSOCKET_CV can lead to unprotected storage of credentials. The attack can only be executed locally. A high complexity level is associated with this attack. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-4475 1 Yitechnology 1 Yi Home Camera 2026-04-22 8.8 High
A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-4242 1 Babychakra 1 Pregnancy & Parenting App 2026-04-22 2.5 Low
A security flaw has been discovered in BabyChakra Pregnancy & Parenting App up to 5.4.3.0 on Android. This affects an unknown function of the file file app/babychakra/babychakra/Configuration.java of the component app.babychakra.babychakra. Performing a manipulation of the argument SEGMENT_WRITE_KEY results in unprotected storage of credentials. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-4251 1 Citydata 1 Citychat 2026-04-22 2.5 Low
A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to unprotected storage of credentials. The attack requires local access. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-6574 1 Osuuu 1 Lightpicture 2026-04-22 7.3 High
A vulnerability has been found in osuuu LightPicture up to 1.2.2. This issue affects some unknown processing of the file /public/install/lp.sql of the component API Upload Endpoint. Such manipulation of the argument key leads to hard-coded credentials. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-6610 1 Liangliangyy 1 Djangoblog 2026-04-22 3.7 Low
A vulnerability has been found in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file djangoblog/settings.py of the component Setting Handler. Such manipulation of the argument USER/PASSWORD leads to hard-coded credentials. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-6578 1 Liangliangyy 1 Djangoblog 2026-04-22 5.6 Medium
A security flaw has been discovered in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component Setting Handler. The manipulation of the argument SECRET_KEY results in hard-coded credentials. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-6597 1 Langflow 1 Langflow 2026-04-22 2.7 Low
A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2014-1812 1 Microsoft 6 Windows 7, Windows 8, Windows 8.1 and 3 more 2026-04-22 8.8 High
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."