Total
9615 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11028 | 1 Vvveb | 1 Vvveb | 2025-10-07 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. This affects an unknown part of the component Image Handler. Performing manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github a ...
Show More |
|||||
| CVE-2025-56463 | 1 Mercusys | 2 Mw305r, Mw305r Firmware | 2025-10-07 | N/A | 6.8 MEDIUM |
|
Mercusys MW305R 3.30 and below is has a Transport Layer Security (TLS) certificate private key disclosure.
|
|||||
| CVE-2025-61665 | 1 Wegia | 1 Wegia | 2025-10-07 | N/A | 7.5 HIGH |
|
WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Broken Access Control vulnerability, identified in the get_relatorios_socios.php endpoint. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring authentication or authorization. This issue is fixed in version 3.5.0.
|
|||||
| CVE-2024-43046 | 1 Qualcomm | 620 315 5g Iot Modem, 315 5g Iot Modem Firmware, 9205 Lte Modem and 617 more | 2025-10-06 | N/A | 5.5 MEDIUM |
|
There may be information disclosure during memory re-allocation in TZ Secure OS.
|
|||||
| CVE-2014-2368 | 1 Advantech | 1 Advantech Webaccess | 2025-10-06 | 7.5 HIGH | N/A |
|
The BrowseFolder method in the bwocxrun ActiveX control in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call.
|
|||||
| CVE-2014-2367 | 1 Advantech | 1 Advantech Webaccess | 2025-10-06 | 7.5 HIGH | N/A |
|
The ChkCookie subroutine in an ActiveX control in broadweb/include/gChkCook.asp in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call.
|
|||||
| CVE-2014-2366 | 1 Advantech | 1 Advantech Webaccess | 2025-10-06 | 9.0 HIGH | N/A |
|
upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenticated users to discover credentials by reading HTML source code.
|
|||||
| CVE-2025-9209 | 2025-10-06 | N/A | 9.8 CRITICAL | ||
|
The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated attackers to forge JWT tokens for other users, including administrators, and authenticate as them.
|
|||||
| CVE-2025-61679 | 2025-10-06 | N/A | 7.7 HIGH | ||
|
Anyquery is an SQL query engine built on top of SQLite. Versions 0.4.3 and below allow attackers who have already gained access to localhost, even with low privileges, to use the http server through the port unauthenticated, and access private integration data like emails, without any warning of a foreign login from the provider. This issue is fixed in version 0.4.4.
|
|||||
| CVE-2025-40803 | 1 Siemens | 2 Ruggedcom Rst2428p, Ruggedcom Rst2428p Firmware | 2025-10-03 | N/A | 3.1 LOW |
|
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions). The affected device exposes certain non-critical information from the device. This could allow an unauthenticated attacker to access sensitive data, potentially leading to a breach of confidentiality.
|
|||||
| CVE-2025-45994 | 1 Arandasoft | 1 Passrecovery | 2025-10-03 | N/A | 7.5 HIGH |
|
An issue in Aranda PassRecovery v1.0 allows attackers to enumerate valid user accounts in Active Directory via sending a crafted POST request to /user/existdirectory/1.
|
|||||
| CVE-2014-2356 | 1 Innominate | 1 Mguard Firmware | 2025-10-03 | 4.3 MEDIUM | N/A |
|
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.
|
|||||
| CVE-2025-11079 | 1 Campcodes | 1 Farm Management System | 2025-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A security flaw has been discovered in Campcodes Farm Management System 1.0. Affected by this issue is some unknown functionality. The manipulation results in file and directory information exposure. The attack may be performed from remote. The exploit has been released to the public and may be exploited.
|
|||||
| CVE-2014-2347 | 1 Amtelco | 1 Misecuremessages | 2025-10-02 | 7.0 HIGH | N/A |
|
Amtelco miSecureMessages (aka MSM) 6.2 does not properly manage sessions, which allows remote authenticated users to obtain sensitive information via a modified message request.
|
|||||
| CVE-2025-10321 | 1 Wavlink | 2 Wl-wn578w2, Wl-wn578w2 Firmware | 2025-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is an unknown function of the file /live_online.shtml. Executing manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-10744 | 2025-10-02 | N/A | 5.3 MEDIUM | ||
|
The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view information like full paths and full paths to backup files information contained in the exposed log files.
|
|||||
| CVE-2025-40645 | 2025-10-02 | N/A | N/A | ||
|
Exposure of sensitive information in Viday. This vulnerability could allow an unauthenticated attacker to obtain sensitive information about customers by sending an HTTP GET request to “/api/reserva/web/clients” using the “phone” parameter.
|
|||||
| CVE-2025-54468 | 2025-10-02 | N/A | 4.7 MEDIUM | ||
|
A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. email addresses.
|
|||||
| CVE-2025-51643 | 1 Meitrack | 2 T366l-g, T366l-g Firmware | 2025-10-02 | N/A | 2.4 LOW |
|
Meitrack T366G-L GPS Tracker devices contain an SPI flash chip (Winbond 25Q64JVSIQ) that is accessible without authentication or tamper protection. An attacker with physical access to the device can use a standard SPI programmer to extract the firmware using flashrom. This results in exposure of sensitive configuration data such as APN credentials, backend server information, and network parameter
|
|||||
| CVE-2025-53804 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2025-10-02 | N/A | 5.5 MEDIUM |
|
Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally.
|
|||||
| CVE-2025-55243 | 1 Microsoft | 1 Officeplus | 2025-10-02 | N/A | 7.5 HIGH |
|
Exposure of sensitive information to an unauthorized actor in Microsoft Office Plus allows an unauthorized attacker to perform spoofing over a network.
|
|||||
| CVE-2025-46659 | 1 4cstrategies | 1 Exonaut | 2025-10-02 | N/A | 7.5 HIGH |
|
An issue was discovered in ExonautWeb in 4C Strategies Exonaut 21.6. Information disclosure can occur via an external HTTPS request.
|
|||||
| CVE-2024-8612 | 2025-10-02 | N/A | 3.8 LOW | ||
|
A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest. Once virtqueue_push() finally calls dma_memory_unmap to ummap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an informa ...
Show More |
|||||
| CVE-2025-33045 | 1 Ami | 1 Aptio V | 2025-10-02 | N/A | 8.2 HIGH |
|
APTIOV contains vulnerabilities in the BIOS where a privileged user may cause “Write-what-where Condition” and “Exposure of Sensitive Information to an Unauthorized Actor” through local access. The successful exploitation of these vulnerabilities can lead to information disclosure, arbitrary data writing, and impact Confidentiality, Integrity, and Availability.
|
|||||
| CVE-2023-46669 | 1 Elastic | 2 Elastic Agent, Endpoint Security | 2025-10-01 | N/A | 6.2 MEDIUM |
|
Exposure of sensitive information to local unauthorized actors in Elastic Agent and Elastic Security Endpoint can lead to loss of confidentiality and impersonation of Endpoint to the Elastic Stack. This issue was identified by Elastic engineers and Elastic has no indication that it is known or has been exploited by malicious actors.
|
|||||
| CVE-2024-52523 | 1 Nextcloud | 1 Nextcloud Server | 2025-10-01 | N/A | 4.6 MEDIUM |
|
Nextcloud Server is a self hosted personal cloud system. After setting up a user or administrator defined external storage with fixed credentials, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2 and Nextcloud Enterprise Server is upgraded to 25.0.13.14, 26.0.13.10, 27.1.11.10, 28.0.12, 29.0.9 or 30 ...
Show More |
|||||
| CVE-2024-52508 | 1 Nextcloud | 1 Mail | 2025-10-01 | N/A | 8.2 HIGH |
|
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like [email protected] that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.
|
|||||
| CVE-2024-52513 | 1 Nextcloud | 1 Nextcloud Server | 2025-10-01 | N/A | 2.6 LOW |
|
Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.
|
|||||
| CVE-2024-43707 | 1 Elastic | 1 Kibana | 2025-09-30 | N/A | 7.7 HIGH |
|
An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions.
|
|||||
| CVE-2022-28224 | 1 Tigera | 2 Calico, Calico Enterprise | 2025-09-30 | 5.5 MEDIUM | 5.5 MEDIUM |
|
Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod.
|
|||||
| CVE-2024-34029 | 1 Mattermost | 1 Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM |
|
Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x <= 8.1.12 fail to perform a proper authorization check in the /api/v4/groups/<group-id>/channels/<channel-id>/link endpoint which allows a user to learn the members of an AD/LDAP group that is linked to a team by adding the group to a channel, even if the user has no access to the team.
|
|||||
| CVE-2025-10093 | 1 Dlink | 2 Dir-852, Dir-852 Firmware | 2025-09-29 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A vulnerability was identified in D-Link DIR-852 up to 1.00CN B09. Affected by this vulnerability is the function phpcgi_main of the file /getcfg.php of the component Device Configuration Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||
| CVE-2025-59535 | 1 Dnnsoftware | 1 Dotnetnuke | 2025-09-29 | N/A | 6.5 MEDIUM |
|
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. This issue has been patched in version 10.1.0.
|
|||||
| CVE-2024-56136 | 1 Zulip | 1 Zulip Server | 2025-09-27 | N/A | 5.3 MEDIUM |
|
Zulip server provides an open-source team chat that helps teams stay productive and focused. Zulip Server 7.0 and above are vulnerable to an information disclose attack, where, if a Zulip server is hosting multiple organizations, an unauthenticated user can make a request and determine if an email address is in use by a user. Zulip Server 9.4 resolves the issue, as does the `main` branch of Zulip Server. Users are advised to upgrade. There are no known workarounds for this issue.
|
|||||
| CVE-2024-52323 | 1 Zohocorp | 1 Manageengine Analytics Plus | 2025-09-26 | N/A | 8.1 HIGH |
|
Zohocorp ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which allows the users to retrieve sensitive tokens associated to the org-admin account.
|
|||||
| CVE-2025-10952 | 2025-09-26 | 5.0 MEDIUM | 5.3 MEDIUM | ||
|
A security flaw has been discovered in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Affected by this issue is the function stream_handler of the file ml_logger/server.py of the component File Handler. Performing manipulation of the argument key results in information disclosure. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details ...
Show More |
|||||
| CVE-2025-59019 | 1 Typo3 | 1 Typo3 | 2025-09-26 | N/A | 4.3 MEDIUM |
|
Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.
|
|||||
| CVE-2025-59018 | 1 Typo3 | 1 Typo3 | 2025-09-26 | N/A | 6.5 MEDIUM |
|
Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.
|
|||||
| CVE-2025-46813 | 1 Discourse | 1 Discourse | 2025-09-26 | N/A | 5.8 MEDIUM |
|
Discourse is an open-source community platform. A data leak vulnerability affects sites deployed between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. On login-required sites, the leak meant that some content on the site's homepage could be visible to unauthenticated users. Only login-required sites that got deployed during this timeframe are affected, roughly between April 30 2025 noon EDT and May 2 2025, noon EDT. Sites on the stable branch are ...
Show More |
|||||
| CVE-2024-28242 | 1 Discourse | 1 Discourse | 2025-09-26 | N/A | 5.3 MEDIUM |
|
Discourse is an open source platform for community discussion. In affected versions an attacker can learn that secret categories exist when they have backgrounds set. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. Users unable to upgrade should temporarily remove category backgrounds.
|
|||||