Total
288 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-22537 | 2026-01-08 | N/A | N/A | ||
|
The lack of hardening of the system allows the user used to manage and maintain the charger to consult different files containing clear-text credentials or valuable information for an attacker.
|
|||||
| CVE-2025-9110 | 1 Qnap | 2 Qts, Quts Hero | 2026-01-06 | N/A | 7.5 HIGH |
|
An exposure of sensitive system information to an unauthorized control sphere vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to read application data.
We have already fixed the vulnerability in the following versions:
QTS 5.2.8.3332 build 20251128 and later
QuTS hero h5.2.8.3321 build 20251117 and later
QuTS hero h5.3.1.3250 build 20250912 and later
|
|||||
| CVE-2025-68943 | 1 Gitea | 1 Gitea | 2025-12-31 | N/A | 5.3 MEDIUM |
|
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
|
|||||
| CVE-2025-36229 | 1 Ibm | 1 Aspera Faspex | 2025-12-29 | N/A | 3.1 LOW |
|
IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to enumerate sensitive information of data due by enumerating package identifiers.
|
|||||
| CVE-2019-25228 | 1 Kentico | 1 Xperience | 2025-12-24 | N/A | 5.3 MEDIUM |
|
An information disclosure vulnerability in Kentico Xperience allows attackers to leak virtual context URLs via the HTTP Referer header when users interact with third-party domains. Sensitive virtual context information can be exposed to external domains through page builder interactions and link/image loading.
|
|||||
| CVE-2019-25230 | 1 Kentico | 1 Xperience | 2025-12-24 | N/A | 4.3 MEDIUM |
|
An information disclosure vulnerability in Kentico Xperience allows authenticated users to view sensitive system objects through the live site widget properties dialog. Attackers can exploit this vulnerability to access unauthorized system information without proper access controls.
|
|||||
| CVE-2024-58320 | 1 Kentico | 1 Xperience | 2025-12-24 | N/A | 5.3 MEDIUM |
|
An information disclosure vulnerability in Kentico Xperience allows public users to access sensitive administration interface hostname details during authentication. Attackers can retrieve confidential hostname configuration information through a public endpoint, potentially exposing internal network details.
|
|||||
| CVE-2025-11545 | 2025-12-23 | N/A | N/A | ||
|
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sharp Display Solutions projectors allows a attacker may improperly access the HTTP server and execute arbitrary actions.
|
|||||
| CVE-2025-34442 | 1 Wwbn | 1 Avideo | 2025-12-19 | N/A | 7.5 HIGH |
|
AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.
|
|||||
| CVE-2025-36162 | 1 Ibm | 1 Devops Deploy | 2025-12-18 | N/A | 4.3 MEDIUM |
|
IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) 8.1 before 8.1.2.2 could allow an authenticated user to obtain sensitive information about configuration on the system.
|
|||||
| CVE-2025-43471 | 1 Apple | 1 Macos | 2025-12-16 | N/A | 5.5 MEDIUM |
|
The issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
|
|||||
| CVE-2025-43406 | 1 Apple | 1 Macos | 2025-12-16 | N/A | 5.5 MEDIUM |
|
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
|
|||||
| CVE-2025-14712 | 2025-12-15 | N/A | 7.5 HIGH | ||
|
Student Learning Assessment and Support System developed by JHENG GAO has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to view a specific page and obtain test accounts and password.
|
|||||
| CVE-2025-58015 | 1 Ays-pro | 1 Quiz Maker | 2025-12-12 | N/A | 5.3 MEDIUM |
|
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Ays Pro Quiz Maker allows Retrieve Embedded Sensitive Data. This issue affects Quiz Maker: from n/a through 6.7.0.61.
|
|||||
| CVE-2025-36112 | 1 Ibm | 2 Sterling B2b Integrator, Sterling File Gateway | 2025-12-01 | N/A | 5.3 MEDIUM |
|
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could reveal sensitive server IP configuration information to an unauthorized user.
|
|||||
| CVE-2025-64061 | 1 Primakon | 1 Project Contract Management | 2025-12-01 | N/A | 4.3 MEDIUM |
|
Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level (including standard or low-privileged users), can make a GET request to this endpoint and retrieve a complete, unfiltered list of all registered application users. Crucially, the API response body for this endpoint includes password hashes.
|
|||||
| CVE-2025-36160 | 1 Ibm | 1 Concert | 2025-11-21 | N/A | 5.3 MEDIUM |
|
IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.
|
|||||
| CVE-2025-27368 | 1 Ibm | 1 Openpages | 2025-11-18 | N/A | 4.3 MEDIUM |
|
IBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view.
|
|||||
| CVE-2022-4985 | 2025-11-18 | N/A | N/A | ||
|
Vodafone H500s devices running firmware v3.5.10 (hardware model Sercomm VFH500) expose the WiFi access point password via an unauthenticated HTTP endpoint. By sending a crafted GET request to /data/activation.json with specific headers and cookies, a remote attacker can retrieve a JSON document that contains the wifi_password field. This allows an unauthenticated attacker to obtain the WiFi credentials and gain unauthorized access to the wireless network, compromising confidentiality of network ...
Show More |
|||||
| CVE-2024-3774 | 1 Aenrich | 1 A\+hrd | 2025-11-17 | N/A | 5.3 MEDIUM |
|
aEnrich Technology a+HRD's functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration values.
|
|||||
| CVE-2025-13160 | 2025-11-14 | N/A | 5.3 MEDIUM | ||
|
IQ-Support developed by IQ Service International has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access specific APIs to obtain sensitive information from the internal network.
|
|||||
| CVE-2025-12779 | 2025-11-10 | N/A | 8.8 HIGH | ||
|
Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, a local user may be able to extract another local user's authentication token from the shared client machine and access their WorkSpace.
To mitigate this issue, users should upgrade to the Amazon WorkSpaces client for Linux version 2025.0 ...
Show More |
|||||
| CVE-2025-54459 | 1 Vertikalsystems | 1 Hospital Manager Backend Services | 2025-11-06 | N/A | 7.5 HIGH |
|
Prior to September 19, 2025, the Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, allowing a remote attacker to obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, server variables, and internal file paths.
|
|||||
| CVE-2025-34283 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 6.5 MEDIUM |
|
Nagios XI versions prior to 2024R1.4.2 revealed API keys to users who were not authorized for API access when using Neptune themes. An authenticated user without API privileges could view another user's or their own API key value.
|
|||||
| CVE-2025-44823 | 1 Nagios | 1 Log Server | 2025-11-06 | N/A | 9.9 CRITICAL |
|
Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.
|
|||||
| CVE-2024-13998 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 6.5 MEDIUM |
|
Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. CVE-2024-13995 addresses a similar vulnerability with a potentially incomplete fix for the underlying problem in earlier versions.
|
|||||
| CVE-2024-13995 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 8.8 HIGH |
|
Nagios XI versions prior to 2024R1.1.2 may (confirmed in 2024R1.1 and 2024R1.1.1) disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts.
|
|||||
| CVE-2024-13999 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 9.8 CRITICAL |
|
Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose the server's Active Directory (AD) or LDAP authentication token to an authenticated user. Exposure of the server’s AD/LDAP token could allow domain-wide authentication misuse, escalation of privileges, or further compromise of network-integrated systems.
|
|||||
| CVE-2025-62524 | 1 Thm | 1 Pilos | 2025-11-04 | N/A | 5.3 MEDIUM |
|
PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 exposes the PHP version via the X-Powered-By header, enabling attackers to fingerprint the server and assess potential exploits. This information disclosure vulnerability originates from PHP’s base image. Additionally, the PHP version can also be inferred through the PILOS version displayed in the footer and by examining the source code available on GitHub. This information disclosure vulner ...
Show More |
|||||
| CVE-2021-31955 | 1 Microsoft | 8 Windows 10 1809, Windows 10 1909, Windows 10 2004 and 5 more | 2025-10-30 | 2.1 LOW | 5.5 MEDIUM |
|
Windows Kernel Information Disclosure Vulnerability
|
|||||
| CVE-2024-32732 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-28 | N/A | 5.3 MEDIUM |
|
Under certain conditions SAP BusinessObjects Business Intelligence platform allows an attacker to access information which would otherwise be restricted.This has low impact on Confidentiality with no impact on Integrity and Availability of the application.
|
|||||
| CVE-2025-47699 | 2025-10-27 | N/A | 9.9 CRITICAL | ||
|
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to local Morpho devices.
This issue affects Command Centre Server:
9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.
|
|||||
| CVE-2025-34156 | 2025-10-27 | N/A | N/A | ||
|
Tibbo AggreGate Network Manager < 6.40.05 exposes sensitive system information through an unauthenticated endpoint at /cwmp/happyaxis.jsp. The page discloses Java system properties, server path details, and version information to unauthorized users, resulting in information disclosure that could aid further compromise.
|
|||||
| CVE-2025-0061 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-24 | N/A | 8.7 HIGH |
|
SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. Attacker can access and modify all the data of the application.
|
|||||
| CVE-2025-30011 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | N/A | 5.3 MEDIUM |
|
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application.
|
|||||
| CVE-2025-11151 | 2025-10-21 | N/A | 8.2 HIGH | ||
|
Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Beyaz Bilgisayar Software Design Industry and Trade Ltd. Co. CityPLus allows Detect Unpublicized Web Pages.This issue affects CityPLus: before V24.29500.1.0.
|
|||||
| CVE-2025-52616 | 1 Hcltech | 1 Unica | 2025-10-21 | N/A | 5.3 MEDIUM |
|
HCL Unica 12.1.10 can expose sensitive system information. An attacker could use this information to form an attack plan by leveraging known vulnerabilities in the application.
|
|||||
| CVE-2025-2598 | 1 Amazon | 1 Aws Cloud Development Kit | 2025-10-14 | N/A | 5.5 MEDIUM |
|
When the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an expiration property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
|
|||||
| CVE-2025-0278 | 1 Hcltech | 1 Traveler | 2025-10-10 | N/A | 4.3 MEDIUM |
|
HCL Traveler is affected by an internal path disclosure in a Windows application when the application inadvertently reveals internal file paths, in error messages, debug logs, or responses to user requests.
|
|||||
| CVE-2025-59447 | 2025-10-08 | N/A | 2.2 LOW | ||
|
The YoSmart YoLink Smart Hub device 0382 exposes a UART debug interface. An attacker with direct physical access can leverage this interface to read a boot log, which includes network access credentials.
|
|||||