Skip to main content

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

157 CVEs Avg CVSS 6.1 MITRE
4
CRITICAL
55
HIGH
85
MEDIUM
11
LOW
20
POC
0
KEV

Monthly

CVE-2026-50657 MEDIUM PATCH Exploit Unlikely This Month

Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally.

Microsoft Information Disclosure Microsoft Defender For Endpoint For Mac
NVD
CVSS 3.1
4.7
EPSS
0.4%
CVE-2026-58297 HIGH PATCH This Week

Information disclosure in Microsoft Edge for Android (Chromium-based) allows a network-based attacker to expose a victim's private personal information, but only after luring the user into interacting with attacker-controlled content (UI:R). The flaw carries a CVSS 7.1 rating driven by high confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A vendor patch is available via Microsoft's MSRC update guide.

Information Disclosure Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-58296 HIGH PATCH This Week

Information disclosure in Microsoft Edge for Android allows a remote unauthenticated attacker to exfiltrate private personal information over the network when a victim interacts with attacker-controlled content. The flaw carries a CVSS 7.1 with high confidentiality impact and stems from private data being exposed to an unauthorized actor (CWE-359); Microsoft has released a fix. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57960 HIGH This Week

Unauthenticated attendee PII exposure in Hi.Events through 1.9.0 lets remote attackers retrieve full attendee lists — including names, emails, and personal information — by hitting the public check-in list endpoints, which treat the check-in list's short_id as the only access control. Beyond reading data, an attacker who knows or guesses a short_id can also create and delete check-in records without authentication. No public exploit identified at time of analysis; the issue was reported by VulnCheck and is tracked via an upstream GitHub fix.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.3%
CVE-2026-56124 HIGH PATCH This Week

Unauthenticated information disclosure in phpUploader before 2.0.2 lets remote attackers harvest the entire uploaded-files database table simply by loading any page of the application. The index model runs an unbounded SELECT and serializes the full result set into an inline JSON script block, leaking uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints. No public exploit identified at time of analysis, but the data is exposed in plain HTML source on every page, making extraction trivial; CVSS 4.0 base is 8.7 (High).

Information Disclosure Phpuploader
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-49344 HIGH PATCH This Week

Authorization bypass in Mercator information system mapping application prior to version 2025.05.19 allows any authenticated user - including the read-only Auditor role - to query arbitrary Eloquent models via the unprotected `/admin/queries/execute` endpoint. The flaw permits enumeration of the `User` model and even allows the supposedly `$hidden` `password` column to be probed via `LIKE` filter predicates, enabling blind extraction of password hashes. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q3r8-3h7c-96w3) confirms the issue and ships a fix.

Information Disclosure Mercator
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2019-25762 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Joomproject
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-48615 HIGH PATCH This Week

Sensitive information disclosure in Node.js (versions 26.3.0, 24.16.0, and 22.22.3) leaks embedded proxy credentials when a CONNECT tunnel connection fails, because the full proxy URL - including username and password - is included verbatim in the resulting tunnel error message rather than being redacted. Anyone able to read those error strings (application logs, error responses, monitoring/telemetry pipelines) can recover the proxy authentication secret. This is a Medium-rated, post-disclosure security-release fix (fixed in v26.3.1); there is no public exploit identified at time of analysis and EPSS is low at 0.38% (30th percentile).

Information Disclosure Node Js Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-30459 MEDIUM PATCH This Month

Unauthorized sensitive user data access in Apple macOS prior to Sequoia 15.4 allows a locally installed app to read private user information due to the presence of vulnerable code that has since been removed. The flaw is classified under CWE-359 (Exposure of Private Personal Information), indicating an API or code path exposed protected data to apps without proper entitlement or permission checks. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; SSVC assesses exploitation as none and technical impact as partial.

Apple Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-25699 MEDIUM This Month

Apache Answer's Timeline API endpoints through version 2.0.0 fail to enforce authorization, exposing deleted, private, and unapproved content - along with full revision histories - to any authenticated regular user. The vulnerability is an information disclosure flaw affecting all Apache Answer deployments (community forums, help centers, knowledge platforms) running 2.0.0 or earlier. No public exploit has been identified and no KEV listing exists; however, in community deployments where user accounts are freely self-registered, the authentication prerequisite provides limited real-world protection.

Authentication Bypass Apache
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
EPSS 0% CVSS 4.7
MEDIUM PATCH Exploit Unlikely This Month

Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally.

Microsoft Information Disclosure Microsoft Defender For Endpoint For Mac
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in Microsoft Edge for Android (Chromium-based) allows a network-based attacker to expose a victim's private personal information, but only after luring the user into interacting with attacker-controlled content (UI:R). The flaw carries a CVSS 7.1 rating driven by high confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A vendor patch is available via Microsoft's MSRC update guide.

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in Microsoft Edge for Android allows a remote unauthenticated attacker to exfiltrate private personal information over the network when a victim interacts with attacker-controlled content. The flaw carries a CVSS 7.1 with high confidentiality impact and stems from private data being exposed to an unauthorized actor (CWE-359); Microsoft has released a fix. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Unauthenticated attendee PII exposure in Hi.Events through 1.9.0 lets remote attackers retrieve full attendee lists — including names, emails, and personal information — by hitting the public check-in list endpoints, which treat the check-in list's short_id as the only access control. Beyond reading data, an attacker who knows or guesses a short_id can also create and delete check-in records without authentication. No public exploit identified at time of analysis; the issue was reported by VulnCheck and is tracked via an upstream GitHub fix.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated information disclosure in phpUploader before 2.0.2 lets remote attackers harvest the entire uploaded-files database table simply by loading any page of the application. The index model runs an unbounded SELECT and serializes the full result set into an inline JSON script block, leaking uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints. No public exploit identified at time of analysis, but the data is exposed in plain HTML source on every page, making extraction trivial; CVSS 4.0 base is 8.7 (High).

Information Disclosure Phpuploader
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in Mercator information system mapping application prior to version 2025.05.19 allows any authenticated user - including the read-only Auditor role - to query arbitrary Eloquent models via the unprotected `/admin/queries/execute` endpoint. The flaw permits enumeration of the `User` model and even allows the supposedly `$hidden` `password` column to be probed via `LIKE` filter predicates, enabling blind extraction of password hashes. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q3r8-3h7c-96w3) confirms the issue and ships a fix.

Information Disclosure Mercator
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Joomproject
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Sensitive information disclosure in Node.js (versions 26.3.0, 24.16.0, and 22.22.3) leaks embedded proxy credentials when a CONNECT tunnel connection fails, because the full proxy URL - including username and password - is included verbatim in the resulting tunnel error message rather than being redacted. Anyone able to read those error strings (application logs, error responses, monitoring/telemetry pipelines) can recover the proxy authentication secret. This is a Medium-rated, post-disclosure security-release fix (fixed in v26.3.1); there is no public exploit identified at time of analysis and EPSS is low at 0.38% (30th percentile).

Information Disclosure Node Js Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unauthorized sensitive user data access in Apple macOS prior to Sequoia 15.4 allows a locally installed app to read private user information due to the presence of vulnerable code that has since been removed. The flaw is classified under CWE-359 (Exposure of Private Personal Information), indicating an API or code path exposed protected data to apps without proper entitlement or permission checks. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; SSVC assesses exploitation as none and technical impact as partial.

Apple Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Apache Answer's Timeline API endpoints through version 2.0.0 fail to enforce authorization, exposing deleted, private, and unapproved content - along with full revision histories - to any authenticated regular user. The vulnerability is an information disclosure flaw affecting all Apache Answer deployments (community forums, help centers, knowledge platforms) running 2.0.0 or earlier. No public exploit has been identified and no KEV listing exists; however, in community deployments where user accounts are freely self-registered, the authentication prerequisite provides limited real-world protection.

Authentication Bypass Apache
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy