SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a misconfigured replica, or insider access — immediately obtains all API credentials for every user with no f

Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier

StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\\.sdm\state.kv. The file is protected only by default user-level NTFS permissions. Exploitation requires local read access to the affected user's profile dir

该漏洞影响 Windows 平台上的 StrongDM Desktop Application 版本低于 23.74.0（Desktop Client 低于 53.77.0）。漏洞根源在于应用程序将用户的认证状态（包括 JSON Web Token 和非对称密钥材料）以明文形式存储在用户目录下的 `C:\Users\<username>\.sdm\state.kv` 文件中。该文件仅受默认的用户级 NTFS 权限保护，这意味着任何能够以同一用户身份登录或具有本地读取权限的攻击者（如恶意软件、本地提权后的进程、共享计算机上的其他用户）均可访问该文件，从而窃取认证令牌和密钥材料。利用条件要求攻击者已具备受影响用户的配置文件目录的本地读访问权限，并且目标主机上还需满足额外的部署和执行条件。该漏洞由 Hope Walker (SpecterOps) 通过协调披露报告给厂商。受影响的用户应尽快升级到 StrongDM Desktop Application 23.74.0 或更高版本以及 Desktop Client 53.77.0 或更高版本，以消除明文存储敏感信息的安全风险。

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, RustFS suffers from sensitive information leakage in log outputs. When the server is run with RUST_LOG=debug sensitive credentials including SessionToken (JWT), SecretAccessKey, and full JWT claims are printed in plaintext to the server logs. This vulnerability is fixed in 1.0.0-beta.2.

Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for specially crafted model artifacts, achieving code execution in inference containers. This issue requires a rem

CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code and loss of confidentiality, When an authorized attacker accesses the source code for editing or compiling it.

When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell (tmsh) command that may allow a highly privileged authenticated attacker to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell (tmsh) command that may allow a highly privileged authenticated attacker to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_add and bigip_add iControl REST commands that return the ssh-password parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged, authenticated attacker with access to the audit log to view sensitive information.  Note: Software versions which have reached End of Tech

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm, ibc_transfer, etc.) accepted 'mnemonic: string' as an explicit tool-call parameter. The BIP-39 seed was consequently embedded in the LLM tool-call JSON, exposing it to any transport, log, or telemetry surface in the path betwee

Sangoma Switchvox before 8.4 places cleartext SIP authentication credentials in a backup file.

Sangoma Switchvox before 8.4 places cleartext SIP authentication credentials in a backup file.

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.15, 1.18.9, and 1.19.3, the output of cilium-bugtool can contain sensitive data when the tool is run against Cilium deployments with WireGuard encryption enabled. This issue has been patched in versions 1.17.15, 1.18.9, and 1.19.3.

### Impact The `getConstants()` IPC handler in `src/app/lib/ipc-sync.js` serialises the entire `process.env` object and sends it to the renderer. The data is stored as `window.pre.env` and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context). On developer and CI machines, `process.env` routinely contains secrets such as: - `

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised web

### Impact Users who use Azure AD remote write with OAuth authentication are impacted. The `client_secret` field in the Azure AD remote write OAuth configuration (`storage/remote/azuread`) was typed as `string` instead of `Secret`. Prometheus redacts fields of type `Secret` when serving the configuration via the `/-/config` HTTP API endpoint. Because the field was a plain string, the Azure OAuth

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azu

A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the