<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Thu, 18 Jun 2026 17:44:02 +0000</lastBuildDate>
    <item>
      <title>058cfe85-dc12-4999-a1aa-6deb9e115193</title>
      <link>https://vulnerability.circl.lu/sighting/058cfe85-dc12-4999-a1aa-6deb9e115193/export</link>
      <description>{"uuid": "058cfe85-dc12-4999-a1aa-6deb9e115193", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50870", "type": "seen", "source": "https://gist.github.com/pyuysig/b15055668de5fa09d08448ce830bba10", "content": "# Vulnerability Report: CVE-2026-50870 - whoogle-search - BYOK configuration values can disclose Google Custom Search credentials\n\n## Vulnerability Summary\nBen Busby whoogle-search 1.2.3 contains an information disclosure issue in configuration serialization and rendering. When Google Custom Search BYOK settings are enabled, a remote attacker can request configuration-bearing pages or endpoints and recover the configured cse_api_key and cse_id.\n\n## Affected Product\n- **Vendor**: Ben Busby\n- **Product**: whoogle-search\n- **Version**: 1.2.3\n- **Vulnerable Component**: app/models/config.py, GET /config in app/routes.py, app/templates/index.html, app/templates/header.html\n\n## Vulnerability Details\n- **Vulnerability Type**: Information Disclosure\n- **Weakness**: CWE-201\n- **Attack Conditions**: Remote request to /, /search, or GET /config on a reachable Whoogle instance with BYOK enabled.\n\n## Report Body\n\n### Summary\nBen Busby whoogle-search 1.2.3 contains an information disclosure issue in configuration serialization and rendering. When Google Custom Search BYOK settings are enabled, a remote attacker can request configuration-bearing pages or endpoints and recover the configured cse_api_key and cse_id.\n\n### Details\nBYOK settings are included in configuration data that is serialized or rendered back to clients. This exposes secret configuration values to unauthenticated or unintended readers of the generated page or configuration endpoint.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50870.\n3. Confirm the security result: Requesting the affected configuration-bearing pages on a BYOK-enabled instance exposes or allows decoding of cse_api_key and cse_id values.\n\n### Impact\nDisclosure of Google Custom Search BYOK credentials configured in the Whoogle instance.\n\n## Remediation\nNever serialize or render secret BYOK values to clients. Return only non-secret metadata or masked values, and keep API keys server-side.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:35.000000Z"}</description>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/058cfe85-dc12-4999-a1aa-6deb9e115193/export</guid>
      <pubDate>Sat, 13 Jun 2026 12:45:35 +0000</pubDate>
    </item>
  </channel>
</rss>
