CVE-2026-41018 — The Elasticsearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:password@server.example.com:9200`), wrote the full host URL — including the emb — CVE Database · The Intelligence Room