CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
Monthly
Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally.
Information disclosure in Microsoft Edge for Android (Chromium-based) allows a network-based attacker to expose a victim's private personal information, but only after luring the user into interacting with attacker-controlled content (UI:R). The flaw carries a CVSS 7.1 rating driven by high confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A vendor patch is available via Microsoft's MSRC update guide.
Information disclosure in Microsoft Edge for Android allows a remote unauthenticated attacker to exfiltrate private personal information over the network when a victim interacts with attacker-controlled content. The flaw carries a CVSS 7.1 with high confidentiality impact and stems from private data being exposed to an unauthorized actor (CWE-359); Microsoft has released a fix. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated attendee PII exposure in Hi.Events through 1.9.0 lets remote attackers retrieve full attendee lists — including names, emails, and personal information — by hitting the public check-in list endpoints, which treat the check-in list's short_id as the only access control. Beyond reading data, an attacker who knows or guesses a short_id can also create and delete check-in records without authentication. No public exploit identified at time of analysis; the issue was reported by VulnCheck and is tracked via an upstream GitHub fix.
Unauthenticated information disclosure in phpUploader before 2.0.2 lets remote attackers harvest the entire uploaded-files database table simply by loading any page of the application. The index model runs an unbounded SELECT and serializes the full result set into an inline JSON script block, leaking uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints. No public exploit identified at time of analysis, but the data is exposed in plain HTML source on every page, making extraction trivial; CVSS 4.0 base is 8.7 (High).
Authorization bypass in Mercator information system mapping application prior to version 2025.05.19 allows any authenticated user - including the read-only Auditor role - to query arbitrary Eloquent models via the unprotected `/admin/queries/execute` endpoint. The flaw permits enumeration of the `User` model and even allows the supposedly `$hidden` `password` column to be probed via `LIKE` filter predicates, enabling blind extraction of password hashes. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q3r8-3h7c-96w3) confirms the issue and ships a fix.
Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Sensitive information disclosure in Node.js (versions 26.3.0, 24.16.0, and 22.22.3) leaks embedded proxy credentials when a CONNECT tunnel connection fails, because the full proxy URL - including username and password - is included verbatim in the resulting tunnel error message rather than being redacted. Anyone able to read those error strings (application logs, error responses, monitoring/telemetry pipelines) can recover the proxy authentication secret. This is a Medium-rated, post-disclosure security-release fix (fixed in v26.3.1); there is no public exploit identified at time of analysis and EPSS is low at 0.38% (30th percentile).
Unauthorized sensitive user data access in Apple macOS prior to Sequoia 15.4 allows a locally installed app to read private user information due to the presence of vulnerable code that has since been removed. The flaw is classified under CWE-359 (Exposure of Private Personal Information), indicating an API or code path exposed protected data to apps without proper entitlement or permission checks. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; SSVC assesses exploitation as none and technical impact as partial.
Apache Answer's Timeline API endpoints through version 2.0.0 fail to enforce authorization, exposing deleted, private, and unapproved content - along with full revision histories - to any authenticated regular user. The vulnerability is an information disclosure flaw affecting all Apache Answer deployments (community forums, help centers, knowledge platforms) running 2.0.0 or earlier. No public exploit has been identified and no KEV listing exists; however, in community deployments where user accounts are freely self-registered, the authentication prerequisite provides limited real-world protection.
Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally.
Information disclosure in Microsoft Edge for Android (Chromium-based) allows a network-based attacker to expose a victim's private personal information, but only after luring the user into interacting with attacker-controlled content (UI:R). The flaw carries a CVSS 7.1 rating driven by high confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A vendor patch is available via Microsoft's MSRC update guide.
Information disclosure in Microsoft Edge for Android allows a remote unauthenticated attacker to exfiltrate private personal information over the network when a victim interacts with attacker-controlled content. The flaw carries a CVSS 7.1 with high confidentiality impact and stems from private data being exposed to an unauthorized actor (CWE-359); Microsoft has released a fix. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated attendee PII exposure in Hi.Events through 1.9.0 lets remote attackers retrieve full attendee lists — including names, emails, and personal information — by hitting the public check-in list endpoints, which treat the check-in list's short_id as the only access control. Beyond reading data, an attacker who knows or guesses a short_id can also create and delete check-in records without authentication. No public exploit identified at time of analysis; the issue was reported by VulnCheck and is tracked via an upstream GitHub fix.
Unauthenticated information disclosure in phpUploader before 2.0.2 lets remote attackers harvest the entire uploaded-files database table simply by loading any page of the application. The index model runs an unbounded SELECT and serializes the full result set into an inline JSON script block, leaking uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints. No public exploit identified at time of analysis, but the data is exposed in plain HTML source on every page, making extraction trivial; CVSS 4.0 base is 8.7 (High).
Authorization bypass in Mercator information system mapping application prior to version 2025.05.19 allows any authenticated user - including the read-only Auditor role - to query arbitrary Eloquent models via the unprotected `/admin/queries/execute` endpoint. The flaw permits enumeration of the `User` model and even allows the supposedly `$hidden` `password` column to be probed via `LIKE` filter predicates, enabling blind extraction of password hashes. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q3r8-3h7c-96w3) confirms the issue and ships a fix.
Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Sensitive information disclosure in Node.js (versions 26.3.0, 24.16.0, and 22.22.3) leaks embedded proxy credentials when a CONNECT tunnel connection fails, because the full proxy URL - including username and password - is included verbatim in the resulting tunnel error message rather than being redacted. Anyone able to read those error strings (application logs, error responses, monitoring/telemetry pipelines) can recover the proxy authentication secret. This is a Medium-rated, post-disclosure security-release fix (fixed in v26.3.1); there is no public exploit identified at time of analysis and EPSS is low at 0.38% (30th percentile).
Unauthorized sensitive user data access in Apple macOS prior to Sequoia 15.4 allows a locally installed app to read private user information due to the presence of vulnerable code that has since been removed. The flaw is classified under CWE-359 (Exposure of Private Personal Information), indicating an API or code path exposed protected data to apps without proper entitlement or permission checks. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; SSVC assesses exploitation as none and technical impact as partial.
Apache Answer's Timeline API endpoints through version 2.0.0 fail to enforce authorization, exposing deleted, private, and unapproved content - along with full revision histories - to any authenticated regular user. The vulnerability is an information disclosure flaw affecting all Apache Answer deployments (community forums, help centers, knowledge platforms) running 2.0.0 or earlier. No public exploit has been identified and no KEV listing exists; however, in community deployments where user accounts are freely self-registered, the authentication prerequisite provides limited real-world protection.