Total
98 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27640 | 1 Oocx | 1 Tfplan2md | 2026-03-04 | N/A | 7.5 HIGH |
|
tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. This caused reports to render values that should have been masked as "(sensitive)" instead. This issue is fixed in v1.26.1. No known workarounds are available.
|
|||||
| CVE-2022-2818 | 1 Agentejo | 1 Cockpit | 2026-02-25 | N/A | 9.8 CRITICAL |
|
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2.
|
|||||
| CVE-2022-1650 | 2 Debian, Eventsource | 2 Debian Linux, Eventsource | 2026-02-24 | 5.8 MEDIUM | 8.1 HIGH |
|
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.
|
|||||
| CVE-2022-0536 | 1 Follow-redirects Project | 1 Follow-redirects | 2026-02-24 | 4.3 MEDIUM | 2.6 LOW |
|
Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
|
|||||
| CVE-2022-0355 | 1 Simple-get Project | 1 Simple-get | 2026-02-24 | 5.0 MEDIUM | 8.8 HIGH |
|
Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.
|
|||||
| CVE-2025-61594 | 1 Ruby-lang | 1 Uri | 2026-02-24 | N/A | 7.5 HIGH |
|
URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.
|
|||||
| CVE-2025-14267 | 1 M-files | 1 M-files Server | 2026-02-23 | N/A | 4.9 MEDIUM |
|
Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7
|
|||||
| CVE-2025-8860 | 2026-02-19 | N/A | 3.3 LOW | ||
|
A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously alloc ...
Show More |
|||||
| CVE-2025-62483 | 1 Zoom | 5 Meeting Software Development Kit, Rooms, Rooms Controller and 2 more | 2026-01-13 | N/A | 5.3 MEDIUM |
|
Improper removal of sensitive information in certain Zoom Clients before version 6.5.10 may allow an unauthenticated user to conduct a disclosure of information via network access.
|
|||||
| CVE-2025-59955 | 1 Coollabs | 1 Coolify | 2026-01-12 | N/A | 5.7 MEDIUM |
|
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints allows authenticated team members to access a highly sensitive `email_change_code` from other users on the same team. This code is intended for a single-use email change verification and should be kept secr ...
Show More |
|||||
| CVE-2025-68131 | 1 Agronholm | 1 Cbor2 | 2026-01-02 | N/A | 7.5 HIGH |
|
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across tr ...
Show More |
|||||
| CVE-2025-65000 | 1 Checkmk | 1 Checkmk | 2025-12-23 | N/A | 5.3 MEDIUM |
|
SSH private keys of the "Remote alert handlers (Linux)" rule were exposed in the rule page's HTML source in Checkmk <= 2.4.0p18 and all versions of Checkmk 2.3.0. This potentially allowed unauthorized triggering of predefined alert handlers on hosts where the handler was deployed.
|
|||||
| CVE-2025-64326 | 1 Weblate | 1 Weblate | 2025-12-04 | N/A | 2.6 LOW |
|
Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1.
|
|||||
| CVE-2025-65965 | 2025-11-25 | N/A | N/A | ||
|
Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirec ...
Show More |
|||||
| CVE-2024-49997 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.5 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: lantiq_etop: fix memory disclosure
When applying padding, the buffer is not zeroed, which results in memory
disclosure. The mentioned data is observed on the wire. This patch uses
skb_put_padto() to pad Ethernet frames properly. The mentioned function
zeroes the expanded buffer.
In case the packet cannot be padded it is silently dropped. Statistics
are also not incremented. This driver does not support statisti ...
Show More |
|||||
| CVE-2025-27221 | 1 Ruby-lang | 1 Uri | 2025-11-03 | N/A | 3.2 LOW |
|
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
|
|||||
| CVE-2025-0011 | 2025-09-08 | N/A | 3.3 LOW | ||
|
Improper removal of sensitive information before storage or transfer in AMD Crash Defender could allow an attacker to obtain kernel address information potentially resulting in loss of confidentiality.
|
|||||
| CVE-2025-57757 | 1 Contao | 1 Contao | 2025-09-02 | N/A | 5.3 MEDIUM |
|
Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, if a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround involves not adding protected news archives to the news feed page.
|
|||||
| CVE-2025-58049 | 1 Xwiki | 1 Xwiki | 2025-09-02 | N/A | 5.8 MEDIUM |
|
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched ...
Show More |
|||||
| CVE-2025-33013 | 1 Ibm | 2 Mq Operator, Supplied Mq Advanced Container Images | 2025-08-22 | N/A | 6.2 MEDIUM |
|
IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, and MQ Operator SC2 3.2.0 through 3.2.13 Container could disclose sensitive information to a local user due to improper clearing of heap memory before release.
|
|||||
| CVE-2025-1759 | 1 Ibm | 1 Concert | 2025-08-21 | N/A | 5.9 MEDIUM |
|
IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.
|
|||||
| CVE-2025-20118 | 1 Cisco | 1 Application Policy Infrastructure Controller | 2025-07-31 | N/A | 4.4 MEDIUM |
|
A vulnerability in the implementation of the internal system processes of Cisco APIC could allow an authenticated, local attacker to access sensitive information on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials.
This vulnerability is due to insufficient masking of sensitive information that is displayed through system CLI commands. An attacker could exploit this vulnerability by using reconnaissance techniques at the device CLI. A s ...
Show More |
|||||
| CVE-2025-53886 | 1 Monospace | 1 Directus | 2025-07-16 | N/A | 4.5 MEDIUM |
|
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue.
|
|||||
| CVE-2024-29120 | 1 Apache | 1 Streampark | 2025-06-23 | N/A | 5.9 MEDIUM |
|
In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password, salt value, etc.
Mitigation:
all users should upgrade to 2.1.4
|
|||||
| CVE-2025-48708 | 1 Artifex | 1 Ghostscript | 2025-06-20 | N/A | 4.0 MEDIUM |
|
gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the # case. A created PDF document includes its password in cleartext.
|
|||||
| CVE-2024-8474 | 1 Openvpn | 1 Connect | 2025-06-10 | N/A | 7.5 HIGH |
|
OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic
|
|||||
| CVE-2025-48066 | 1 Wire | 1 Wire-webapp | 2025-05-30 | N/A | 6.0 MEDIUM |
|
wire-webapp is the web application for the open-source messaging service Wire. A bug fix caused a regression causing an issue with function to delete local data. Instructing the client to delete its local database on user logout does not result in deletion. This is the case for both temporary clients (marking the device as a public computer on login) and regular clients instructing the deletion of all personal information and conversations upon logout. Access to the machine is required to access ...
Show More |
|||||
| CVE-2018-6337 | 1 Facebook | 2 Folly, Hhvm | 2025-05-06 | 5.0 MEDIUM | 7.5 HIGH |
|
folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.
|
|||||
| CVE-2021-33082 | 1 Intel | 14 Optane Memory H10 With Solid State Storage, Optane Memory H10 With Solid State Storage Firmware, Optane Memory H20 With Solid State Storage and 11 more | 2025-05-05 | 2.1 LOW | 4.6 MEDIUM |
|
Sensitive information in resource not removed before reuse in firmware for some Intel(R) SSD and Intel(R) Optane(TM) SSD Products may allow an unauthenticated user to potentially enable information disclosure via physical access.
|
|||||
| CVE-2021-33080 | 1 Intel | 14 Optane Memory H10 With Solid State Storage, Optane Memory H10 With Solid State Storage Firmware, Optane Memory H20 With Solid State Storage and 11 more | 2025-05-05 | 4.6 MEDIUM | 6.8 MEDIUM |
|
Exposure of sensitive system information due to uncleared debug information in firmware for some Intel(R) SSD DC, Intel(R) Optane(TM) SSD and Intel(R) Optane(TM) SSD DC Products may allow an unauthenticated user to potentially enable information disclosure or escalation of privilege via physical access.
|
|||||
| CVE-2022-39393 | 1 Bytecodealliance | 1 Wasmtime | 2025-05-02 | N/A | 8.6 HIGH |
|
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visible, erroneously to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2 and 1.0.2. Other mitigations include disabling the pooling allocator and disabling the `memory-init-cow`.
|
|||||
| CVE-2022-3460 | 1 Octopus | 1 Octopus Server | 2025-04-10 | N/A | 7.5 HIGH |
|
In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.
|
|||||
| CVE-2005-0406 | 1 Image Processing Project | 1 Image Processing | 2025-04-03 | 2.1 LOW | 5.5 MEDIUM |
|
A design flaw in image processing software that modifies JPEG images might not modify the original EXIF thumbnail, which could lead to an information leak of potentially sensitive visual information that had been removed from the main JPEG image.
|
|||||
| CVE-2002-0704 | 1 Linux | 1 Linux Kernel | 2025-04-03 | 5.0 MEDIUM | 7.5 HIGH |
|
The Network Address Translation (NAT) capability for Netfilter ("iptables") 1.2.6a and earlier leaks translated IP addresses in ICMP error messages.
|
|||||
| CVE-2024-6055 | 1 Devolutions | 1 Remote Desktop Manager | 2025-03-28 | N/A | 4.7 MEDIUM |
|
Improper removal of sensitive information in data source export feature in Devolutions Remote Desktop Manager 2024.1.32.0 and earlier on Windows allows an attacker that obtains the exported settings to recover powershell credentials configured on the data source via stealing the configuration file.
|
|||||
| CVE-2023-52376 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-13 | N/A | 7.5 HIGH |
|
Information management vulnerability in the Gallery module.Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2023-1637 | 1 Linux | 1 Linux Kernel | 2025-02-19 | N/A | 5.5 MEDIUM |
|
A flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU similar to the speculative execution behavior kind of attacks.
|
|||||
| CVE-2025-24884 | 2025-01-29 | N/A | N/A | ||
|
kube-audit-rest is a simple logger of mutation/creation requests to the k8s api. If the "full-elastic-stack" example vector configuration was used for a real cluster, the previous values of kubernetes secrets would have been disclosed in the audit messages. This vulnerability is fixed in 1.0.16.
|
|||||
| CVE-2024-31493 | 1 Fortinet | 1 Fortisoar | 2025-01-21 | N/A | 6.5 MEDIUM |
|
An improper removal of sensitive information before storage or transfer vulnerability [CWE-212] in FortiSOAR version 7.3.0, version 7.2.2 and below, version 7.0.3 and below may allow an authenticated low privileged user to read Connector passwords in plain-text via HTTP responses.
|
|||||
| CVE-2023-3006 | 1 Linux | 1 Linux Kernel | 2025-01-09 | N/A | 5.5 MEDIUM |
|
A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information t ...
Show More |
|||||