CWE-256
Plaintext Storage of a Password
The product stores a password in plaintext within resources such as memory or files.
CVE-2026-4242 (GCVE-0-2026-4242)
Vulnerability from cvelistv5 – Published: 2026-03-16 14:32 – Updated: 2026-03-16 18:41
VLAI
Title
BabyChakra Pregnancy & Parenting App app.babychakra.babychakra Configuration.java credentials storage
Summary
A security flaw has been discovered in BabyChakra Pregnancy & Parenting App up to 5.4.3.0 on Android. This affects an unknown function of the file file app/babychakra/babychakra/Configuration.java of the component app.babychakra.babychakra. Performing a manipulation of the argument SEGMENT_WRITE_KEY results in unprotected storage of credentials. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351184 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.351184 | signaturepermissions-required |
| https://vuldb.com/?submit.771429 | third-party-advisory |
| https://www.notion.so/Segment-Write-Key-Exposure-… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| BabyChakra | Pregnancy & Parenting App |
Affected:
5.4.0
Affected: 5.4.1 Affected: 5.4.2 Affected: 5.4.3.0 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4242",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T18:41:11.426519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T18:41:38.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"app.babychakra.babychakra"
],
"product": "Pregnancy \u0026 Parenting App",
"vendor": "BabyChakra",
"versions": [
{
"status": "affected",
"version": "5.4.0"
},
{
"status": "affected",
"version": "5.4.1"
},
{
"status": "affected",
"version": "5.4.2"
},
{
"status": "affected",
"version": "5.4.3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in BabyChakra Pregnancy \u0026 Parenting App up to 5.4.3.0 on Android. This affects an unknown function of the file file\u00a0app/babychakra/babychakra/Configuration.java of the component app.babychakra.babychakra. Performing a manipulation of the argument SEGMENT_WRITE_KEY results in unprotected storage of credentials. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1,
"vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "Unprotected Storage of Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-255",
"description": "Credentials Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T14:32:08.907Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351184 | BabyChakra Pregnancy \u0026 Parenting App app.babychakra.babychakra Configuration.java credentials storage",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.351184"
},
{
"name": "VDB-351184 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351184"
},
{
"name": "Submit #771429 | BabyChakra Pregnancy \u0026 Parenting App(app.babychakra.babychakra) 5.4.3.0 Segment Write Key Exposure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.771429"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-app-babychakra-3192de3f97fb8084b6b5cb06f96cdf57?source=copy_link"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-15T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-16T07:33:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "BabyChakra Pregnancy \u0026 Parenting App app.babychakra.babychakra Configuration.java credentials storage"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4242",
"datePublished": "2026-03-16T14:32:08.907Z",
"dateReserved": "2026-03-15T20:46:40.333Z",
"dateUpdated": "2026-03-16T18:41:38.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4243 (GCVE-0-2026-4243)
Vulnerability from cvelistv5 – Published: 2026-03-16 15:02 – Updated: 2026-03-16 18:18
VLAI
Title
La Nacion App app.lanacion.activity BuildConfig.java credentials storage
Summary
A weakness has been identified in La Nacion App 10.2.25 on Android. This impacts an unknown function of the file source/app/lanacion/clublanacion/BuildConfig.java of the component app.lanacion.activity. Executing a manipulation of the argument API_KEY_WEBSOCKET_CV can lead to unprotected storage of credentials. The attack can only be executed locally. A high complexity level is associated with this attack. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351185 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.351185 | signaturepermissions-required |
| https://vuldb.com/?submit.771432 | third-party-advisory |
| https://www.notion.so/WebSocket-Credential-Leak-L… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | La Nacion App |
Affected:
10.2.25
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4243",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T18:18:16.241233Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T18:18:28.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"app.lanacion.activity"
],
"product": "La Nacion App",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "10.2.25"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in La Nacion App 10.2.25 on Android. This impacts an unknown function of the file source/app/lanacion/clublanacion/BuildConfig.java of the component app.lanacion.activity. Executing a manipulation of the argument API_KEY_WEBSOCKET_CV can lead to unprotected storage of credentials. The attack can only be executed locally. A high complexity level is associated with this attack. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1,
"vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "Unprotected Storage of Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-255",
"description": "Credentials Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T15:02:07.721Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351185 | La Nacion App app.lanacion.activity BuildConfig.java credentials storage",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.351185"
},
{
"name": "VDB-351185 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351185"
},
{
"name": "Submit #771432 | SA LA NACION LA NACION(app.lanacion.activity) 10.2.25 WebSocket Credential Leak",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.771432"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/WebSocket-Credential-Leak-Leading-to-Potential-DDoS-Attacks-in-app-lanacion-activity-3192de3f97fb80f8add6c2247abeb4eb?source=copy_link"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-15T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-15T21:53:32.000Z",
"value": "VulDB entry last update"
}
],
"title": "La Nacion App app.lanacion.activity BuildConfig.java credentials storage"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4243",
"datePublished": "2026-03-16T15:02:07.721Z",
"dateReserved": "2026-03-15T20:48:26.368Z",
"dateUpdated": "2026-03-16T18:18:28.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4250 (GCVE-0-2026-4250)
Vulnerability from cvelistv5 – Published: 2026-03-16 15:32 – Updated: 2026-03-16 18:12
VLAI
Title
Albert Sağlık Hizmetleri ve Ticaret Albert Health Google Cloud Service Account Key service-account.json credentials storage
Summary
A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results in unprotected storage of credentials. The attack requires a local approach. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351208 | vdb-entry |
| https://vuldb.com/?ctiid.351208 | signaturepermissions-required |
| https://vuldb.com/?submit.771435 | third-party-advisory |
| https://www.notion.so/Google-Cloud-Service-Accoun… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Albert Sağlık Hizmetleri ve Ticaret | Albert Health |
Affected:
1.7.0
Affected: 1.7.1 Affected: 1.7.2 Affected: 1.7.3 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4250",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T18:11:17.072584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T18:12:04.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Google Cloud Service Account Key Handler"
],
"product": "Albert Health",
"vendor": "Albert Sa\u011fl\u0131k Hizmetleri ve Ticaret",
"versions": [
{
"status": "affected",
"version": "1.7.0"
},
{
"status": "affected",
"version": "1.7.1"
},
{
"status": "affected",
"version": "1.7.2"
},
{
"status": "affected",
"version": "1.7.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Albert Sa\u011fl\u0131k Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results in unprotected storage of credentials. The attack requires a local approach. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1,
"vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "Unprotected Storage of Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-255",
"description": "Credentials Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T15:32:08.686Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351208 | Albert Sa\u011fl\u0131k Hizmetleri ve Ticaret Albert Health Google Cloud Service Account Key service-account.json credentials storage",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.351208"
},
{
"name": "VDB-351208 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351208"
},
{
"name": "Submit #771435 | albertHealth Albert Health(albert.health) 1.7.3 Google Cloud Service Account Key Exposure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.771435"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/Google-Cloud-Service-Account-Key-Exposure-Leading-to-Unauthorized-Data-Access-in-albert-health-3192de3f97fb800d8ebddef9f259223b?source=copy_link"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-16T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-16T07:16:17.000Z",
"value": "VulDB entry last update"
}
],
"title": "Albert Sa\u011fl\u0131k Hizmetleri ve Ticaret Albert Health Google Cloud Service Account Key service-account.json credentials storage"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4250",
"datePublished": "2026-03-16T15:32:08.686Z",
"dateReserved": "2026-03-16T06:06:30.949Z",
"dateUpdated": "2026-03-16T18:12:04.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4251 (GCVE-0-2026-4251)
Vulnerability from cvelistv5 – Published: 2026-03-16 16:02 – Updated: 2026-03-16 18:17
VLAI
Title
CityData CityChat ai.citydata.citychat credentials.json credentials storage
Summary
A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to unprotected storage of credentials. The attack requires local access. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351209 | vdb-entry |
| https://vuldb.com/?ctiid.351209 | signaturepermissions-required |
| https://vuldb.com/?submit.771436 | third-party-advisory |
| https://www.notion.so/Google-Cloud-Service-Accoun… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4251",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T18:17:44.521821Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T18:17:54.591Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"ai.citydata.citychat"
],
"product": "CityChat",
"vendor": "CityData",
"versions": [
{
"status": "affected",
"version": "0.12.0"
},
{
"status": "affected",
"version": "0.12.1"
},
{
"status": "affected",
"version": "0.12.2"
},
{
"status": "affected",
"version": "0.12.3"
},
{
"status": "affected",
"version": "0.12.4"
},
{
"status": "affected",
"version": "0.12.5"
},
{
"status": "affected",
"version": "0.12.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to unprotected storage of credentials. The attack requires local access. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1,
"vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "Unprotected Storage of Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-255",
"description": "Credentials Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T16:02:08.596Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351209 | CityData CityChat ai.citydata.citychat credentials.json credentials storage",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.351209"
},
{
"name": "VDB-351209 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351209"
},
{
"name": "Submit #771436 | CITYDATA CityChat(ai.citydata.citychat) 0.12.6 Google Cloud Service Account Key Exposure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.771436"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/Google-Cloud-Service-Account-Key-Exposure-Leading-to-Dialogflow-Data-Access-in-ai-citydata-citychat-3192de3f97fb80ca9739ebc6329c8449?source=copy_link"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-16T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-16T07:16:06.000Z",
"value": "VulDB entry last update"
}
],
"title": "CityData CityChat ai.citydata.citychat credentials.json credentials storage"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4251",
"datePublished": "2026-03-16T16:02:08.596Z",
"dateReserved": "2026-03-16T06:10:42.442Z",
"dateUpdated": "2026-03-16T18:17:54.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6500 (GCVE-0-2026-6500)
Vulnerability from cvelistv5 – Published: 2026-05-04 14:16 – Updated: 2026-05-04 15:31
VLAI
Summary
Plaintext storage of a password vulnerability in ILM Informatique OpenConcerto allows Retrieve Embedded Sensitive Data.
This issue affects OpenConcerto: 1.7.5.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-256 - Plaintext storage of a password
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.openconcerto.org/fr/version-1.7.html | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ILM Informatique | OpenConcerto |
Affected:
1.7.5
|
Date Public
2026-05-04 14:12
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T15:31:35.297408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T15:31:41.588Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.openconcerto.org/fr/telechargement.html",
"defaultStatus": "unknown",
"product": "OpenConcerto",
"vendor": "ILM Informatique",
"versions": [
{
"status": "affected",
"version": "1.7.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dominique Righetto"
}
],
"datePublic": "2026-05-04T14:12:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Plaintext storage of a password vulnerability in ILM Informatique OpenConcerto allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects OpenConcerto: 1.7.5.\u003c/p\u003e"
}
],
"value": "Plaintext storage of a password vulnerability in ILM Informatique OpenConcerto allows Retrieve Embedded Sensitive Data.\n\nThis issue affects OpenConcerto: 1.7.5."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256 Plaintext storage of a password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T14:16:41.970Z",
"orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"shortName": "TCS-CERT"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.openconcerto.org/fr/version-1.7.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"assignerShortName": "TCS-CERT",
"cveId": "CVE-2026-6500",
"datePublished": "2026-05-04T14:16:41.970Z",
"dateReserved": "2026-04-17T09:34:00.554Z",
"dateUpdated": "2026-05-04T15:31:41.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6597 (GCVE-0-2026-6597)
Vulnerability from cvelistv5 – Published: 2026-04-20 02:30 – Updated: 2026-04-20 11:42
VLAI
Title
langflow-ai langflow Flow Using API core.py has_api_terms credentials storage
Summary
A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/358232 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/358232/cti | signaturepermissions-required |
| https://vuldb.com/submit/791920 | third-party-advisory |
| https://gist.github.com/chenhouser2025/b93261c6e6… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| langflow-ai | langflow |
Affected:
1.8.0
Affected: 1.8.1 Affected: 1.8.2 Affected: 1.8.3 cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6597",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T11:42:17.805708Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T11:42:32.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*"
],
"modules": [
"Flow Using API"
],
"product": "langflow",
"vendor": "langflow-ai",
"versions": [
{
"status": "affected",
"version": "1.8.0"
},
{
"status": "affected",
"version": "1.8.1"
},
{
"status": "affected",
"version": "1.8.2"
},
{
"status": "affected",
"version": "1.8.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-d (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "Unprotected Storage of Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-255",
"description": "Credentials Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T02:30:14.803Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-358232 | langflow-ai langflow Flow Using API core.py has_api_terms credentials storage",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/358232"
},
{
"name": "VDB-358232 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/358232/cti"
},
{
"name": "Submit #791920 | Langflow \u003c= 1.8.3 Information Disclosure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/791920"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-19T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-19T15:52:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "langflow-ai langflow Flow Using API core.py has_api_terms credentials storage"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6597",
"datePublished": "2026-04-20T02:30:14.803Z",
"dateReserved": "2026-04-19T13:46:59.741Z",
"dateUpdated": "2026-04-20T11:42:32.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Avoid storing passwords in easily accessible locations.
Mitigation
Phase: Architecture and Design
Description:
- Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
Phases:
Description:
- A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.