Total: 9615 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-14464 | | | 2026-01-14 | N/A | 5.3 MEDIUM | The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts ... |
| CVE-2025-55342 | 1 Quipux | 1 Quipux | 2026-01-14 | N/A | 5.3 MEDIUM | Quipux 4.0.1 through e1774ac allows enumeration of usernames, and accessing the Ecuadorean identification number for all registered users, via the Administracion/usuarios/cambiar_password_olvido_validar.php txt_login parameter. |
| CVE-2024-31490 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 4.3 MEDIUM | An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0 all versions, FortiSandbox 3.2.2 through 3.2.4, and FortiSandbox 3.1.5 allows an attacker to obtain sensitive information via HTTP GET requests. |
| CVE-2026-20805 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-01-14 | N/A | 5.5 MEDIUM | Exposure of sensitive information to an unauthorized actor in Desktop Window Manager allows an authorized attacker to disclose information locally. |
| CVE-2023-51787 | 1 Windriver | 1 Vxworks | 2026-01-13 | N/A | 7.5 HIGH | An issue was discovered in Wind River VxWorks 7 22.09 and 23.03. If a VxWorks task or POSIX thread that uses OpenSSL exits, limited per-task memory is not freed, resulting in a memory leak. |
| CVE-2025-14574 | | | 2026-01-13 | N/A | 5.3 MEDIUM | The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third-party service API keys. |
| CVE-2025-14980 | | | 2026-01-13 | N/A | 6.5 MEDIUM | The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings. |
| CVE-2025-15070 | 1 Gmission | 1 Web Fax | 2026-01-13 | N/A | 5.5 MEDIUM | Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization vulnerability in Gmission Web Fax allows Authentication Abuse. This issue affects Web Fax: from 3.0 before 3.0.1. |
| CVE-2016-6415 | 1 Cisco | 3 Ios, Ios Xe, Ios Xr | 2026-01-12 | 5.0 MEDIUM | 7.5 HIGH | The server IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15.0 through 15.6, IOS XE through 3.18S, IOS XR 4.3.x and 5.0.x through 5.2.x, and PIX before 7.0 allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request, aka Bug IDs CSCvb29204 and CSCvb36055 or BENIGNCERTAIN. |
| CVE-2025-68436 | 1 Craftcms | 1 Craft Cms | 2026-01-12 | N/A | 6.5 MEDIUM | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. |
| CVE-2025-67732 | 1 Dify | 1 Dify | 2026-01-12 | N/A | 6.5 MEDIUM | Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0 fixes the issue. |
| CVE-2024-50342 | 1 Sensiolabs | 1 Httpclient | 2026-01-12 | N/A | 3.1 LOW | symfony/http-client is a module for the Symfony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workaroun ... |
| CVE-2024-29720 | 1 Terrainformatica | 1 Sciter | 2026-01-09 | N/A | 5.5 MEDIUM | An issue in Terra Informatica Software, Inc Sciter v.4.4.7.0 allows a local attacker to obtain sensitive information via the adopt component of the Sciter video rendering function. |
| CVE-2021-33146 | 1 Intel | 7 Ethernet Adapter Complete Driver, Ethernet Controller I225-it, Ethernet Controller I225-it Firmware and 4 more | 2026-01-09 | N/A | 5.3 MEDIUM | Improper input validation in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow an unauthenticated user to potentially enable information disclosure via network access. |
| CVE-2025-14553 | | | 2026-01-09 | N/A | N/A | Exposure of password hashes through an unauthenticated API response in the TP-Link Tapo app on iOS and Android for Tapo cameras, allowing attackers to brute-force the password on the local network. The issue can be mitigated through mobile application updates. Device firmware remains unchanged. |
| CVE-2024-29898 | 1 Miraheze | 1 Createwiki | 2026-01-08 | N/A | 4.9 MEDIUM | CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the `(read)` permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c. |
| CVE-2025-13215 | | | 2026-01-08 | N/A | 5.3 MEDIUM | The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to. |
| CVE-2025-12540 | | | 2026-01-08 | N/A | 4.7 MEDIUM | The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administra ... |
| CVE-2026-20027 | | | 2026-01-08 | N/A | 5.3 MEDIUM | Multiple Cisco products are affected by a vulnerability in the processing of DCE/RPC requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, resulting in an interruption of packet inspection. This vulnerability is due to an error in buffer handling logic when processing DCE/RPC requests, which can result in a buffer out-of-bounds read. An attacker could exploit this vulnerability by sending a large number ... |
| CVE-2025-13371 | | | 2026-01-08 | N/A | 8.6 HIGH | The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or ... |
| CVE-2024-42508 | 1 Hpe | 1 Oneview | 2026-01-08 | N/A | 5.5 MEDIUM | This vulnerability could be exploited, leading to unauthorized disclosure of information to authenticated users. |
| CVE-2025-53512 | 1 Canonical | 1 Juju | 2026-01-08 | N/A | 6.5 MEDIUM | The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information. |
| CVE-2025-59716 | 1 Owncloud | 1 Guests | 2026-01-07 | N/A | 5.3 MEDIUM | ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user rather than a non-existent user. |
| CVE-2025-15103 | 1 Deltaww | 2 Dvp-12se11t, Dvp-12se11t Firmware | 2026-01-06 | N/A | 8.1 HIGH | DVP-12SE11T - Authentication Bypass via Partial Password Disclosure |
| CVE-2025-68273 | 1 Signalk | 1 Signal K Server | 2026-01-06 | N/A | 5.3 MEDIUM | Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks. Version 2.19.0 patches the issue. |
| CVE-2025-14591 | 1 Perforce | 1 Delphix Continuous Compliance | 2026-01-05 | N/A | 7.5 HIGH | In Delphix Continuous Compliance version 2025.3.0 and later, following a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was identified: using an incorrect EOR configuration can cause inaccurate parsing and leave personally identifiable information (PII) unmasked. |
| CVE-2025-63662 | 1 Gtedge | 1 Gt Edge Ai | 2026-01-05 | N/A | 7.5 HIGH | Insecure permissions in the /api/v1/agents API of GT Edge AI Platform before v2.0.10-dev allow unauthorized attackers to access sensitive information. |
| CVE-2024-20445 | 1 Cisco | 36 Desk Phone 9841, Desk Phone 9841 Firmware, Desk Phone 9851 and 33 more | 2026-01-05 | N/A | 5.3 MEDIUM | A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to improper storage of sensitive information within the web UI of Session Initiation Protocol (SIP)-based phone loads. An attacker could exploit this vulnerability by browsing to the IP address of a device that has Web Access enabled. A succ ... |
| CVE-2025-20336 | 1 Cisco | 34 Desk Phone 9841, Desk Phone 9841 Firmware, Desk Phone 9851 and 31 more | 2026-01-05 | N/A | 5.3 MEDIUM | A vulnerability in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability exists because the product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. An attacker could exploit this vulnerability by sending a crafted packet to the IP address of ... |
| CVE-2025-66625 | 1 Umbraco | 1 Umbraco Cms | 2026-01-02 | N/A | 4.9 MEDIUM | Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application's error responses (HTTP 500 when a file exists, 404 when it does not) allow the attacker to enumerate the existence of arbitrary files on the server's filesystem. This vulnerability does not allow reading or writing file contents ... |
| CVE-2025-63094 | 1 Xiangshan | 1 Xiangshan | 2026-01-02 | N/A | 7.5 HIGH | XiangShan Nanhu V2 and XiangShan Kunminghu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache. |
| CVE-2025-68279 | 1 Weblate | 1 Weblate | 2026-01-02 | N/A | 7.7 HIGH | Weblate is a web-based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. |
| CVE-2025-52493 | 1 Pagerduty | 1 Runbook Automation | 2026-01-02 | N/A | 6.5 MEDIUM | PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by simply modifying the input field type from "password" to "text" using browser developer tools. This vulnerability is exploitable by administrative users who have access to the configuration page. |
| CVE-2024-29883 | 1 Miraheze | 1 Createwiki | 2026-01-02 | N/A | 4.9 MEDIUM | CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the `(createwiki)` user right regardless of the settings one sets on a given wiki request. This may expose information to users who are not supposed to be able to access it. |
| CVE-2025-14280 | | | 2025-12-31 | N/A | 5.3 MEDIUM | The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1. |
| CVE-2025-15065 | | | 2025-12-31 | N/A | 6.3 MEDIUM | Exposure of Sensitive Information to an Unauthorized Actor, Missing Encryption of Sensitive Data, Files or Directories Accessible to External Parties vulnerability in Kings Information & Network Co. KESS Enterprise on Windows allows Privilege Escalation, Modify Existing Service, Modify Shared File. This issue affects KESS Enterprise: before *.25.9.19.exe |
| CVE-2025-15121 | 1 Jeecg | 1 Jeecg Boot | 2025-12-30 | 2.2 LOW | 2.4 LOW | A vulnerability has been found in JeecgBoot up to 3.9.0. The affected element is the function getDeptRoleByUserId of the file /sys/sysDepartRole/getDeptRoleByUserId. Manipulation of the argument departId leads to information disclosure. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-63958 | 1 Millensys | 1 Vision Tools Workspace | 2025-12-30 | N/A | 9.8 CRITICAL | MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An unauthenticated attacker can retrieve this information by accessing the endpoint directly, potentially leading to full system compromise. The vulnerability is due to missing access controls on a privileged ad ... |
| CVE-2025-63729 | 1 Syrotech | 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware | 2025-12-30 | N/A | 9.0 CRITICAL | An issue was discovered in Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517 allowing attackers to extract the SSL private key, CA certificate, SSL certificate, and client certificates in .pem format from the etc folder of the firmware. |
| CVE-2025-60739 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-12-30 | N/A | 9.6 CRITICAL | Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component. |