CWE-1230

Exposure of Sensitive Information Through Metadata

19 CVEs | Avg CVSS 5.7 | MITRE
Critical: 0 | High: 4 | Medium: 12 | Low: 3 | POC: 4 | KEV: 0

Monthly

CVE-2025-59601 MEDIUM This Month

Sensitive device configuration is exposed to adjacent network attackers during factory reset operations conducted through the powerline interface on Qualcomm Snapdragon chipsets. An unauthenticated attacker present on the same powerline network segment can intercept unprotected configuration data at the moment of reset, gaining unauthorized access to potentially sensitive device parameters such as credentials or network settings. No public exploit has been identified at time of analysis, and Qualcomm addressed this vulnerability in its June 2026 Security Bulletin.

Authentication Bypass Information Disclosure Snapdragon
NVD
CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-45544 MEDIUM PATCH This Month

Nextcloud Tables versions 0.8.0 through 1.0.3 improperly disclose view filter criteria to authenticated users holding only read-only permissions on a shared view. The flaw in ViewService.php attempted to sanitize filter arrays for low-privileged users but instead exposed the full filter rules - potentially revealing sensitive column names, threshold values, or data organization logic the view owner intended to keep confidential. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA KEV, indicating no confirmed active exploitation.

Information Disclosure Nextcloud
NVD GitHub
CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2026-49270 MEDIUM PATCH This Month

Unauthenticated information disclosure in Apache ActiveMQ Broker allows remote attackers to enumerate all durable topic subscriptions - including client identifiers, subscription names, topic destinations, and JMS selector expressions - by sending a BrokerInfo command to a broker with syncDurableSubs enabled on a network connector. The broker incorrectly skips authentication before servicing the BrokerInfo request, exposing sensitive messaging infrastructure metadata. No public exploit identified at time of analysis, and EPSS stands at 0.02% (6th percentile), indicating very low current exploitation probability despite network-reachable attack vector.

Apache Information Disclosure
NVD VulDB
CVSS 3.1: 5.9 | EPSS: 0.0%
CVE-2025-31959 LOW Monitor

HCL BigFix Service Management fails to strip EXIF metadata from uploaded images, allowing authenticated users to inadvertently expose sensitive location information and other metadata embedded in image files. The vulnerability requires user interaction (image upload and viewing) but poses a direct confidentiality risk to organizations handling location-sensitive imagery through the application.

Information Disclosure Bigfix Service Management Sm
NVD VulDB
CVSS 3.1: 3.5 | EPSS: 0.0%
CVE-2026-29055 MEDIUM PATCH This Month

Tandoor Recipes versions prior to 2.6.0 fail to strip EXIF metadata from WebP and GIF image uploads, exposing sensitive information such as GPS coordinates, timestamps, and camera details to all users viewing shared recipes. This information disclosure vulnerability affects any user uploading recipe photos, particularly those using modern smartphones that default to WebP format. The vulnerability is fixed in version 2.6.0.

Information Disclosure Recipes
NVD GitHub
CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-27661 MEDIUM This Month

SINEC Security Monitor versions before 4.9.0 expose sensitive metadata including contributor information and email addresses on the SSM Server, allowing authenticated attackers to obtain confidential data. The vulnerability requires valid credentials to exploit and poses a low-severity information disclosure risk with no availability or integrity impact.

Information Disclosure Sinec Security Monitor
NVD VulDB
CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2025-13084 MEDIUM This Month

The users endpoint in the groov View API returns a list of all users and associated metadata, including their API keys. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 4.0: 6.1 | EPSS: 0.1%
CVE-2025-30038 HIGH This Month

The vulnerability consists of a session ID leak when saving a file downloaded from CGM CLININET. Rated high severity (CVSS 7.3), this vulnerability has low attack complexity. No vendor patch available.

Windows Information Disclosure Microsoft
NVD
CVSS 4.0: 7.3 | EPSS: 0.0%
CVE-2025-8713 LOW Monitor

PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure PostgreSQL
NVD
CVSS 3.1: 3.1 | EPSS: 0.0%
CVE-2025-47324 HIGH This Month

Information disclosure while accessing and modifying the PIB file of a remote device via powerline. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available.

Information Disclosure Qca7005 Firmware
NVD
CVSS 3.1: 7.5 | EPSS: 0.0%
