Information Disclosure
Monthly
Dell PowerProtect Cyber Recovery, versions prior to 19.18.0.2, contains an Insertion of Sensitive Information Into Sent Data vulnerability. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.
A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An authenticated file deletion vulnerability in the Palo Alto Networks PAN-OS® software enables an authenticated attacker with network access to the management web interface to delete certain files. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
W. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. Rated remotely exploitable, low attack complexity. No vendor patch available.
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. Rated remotely exploitable, low attack complexity. No vendor patch available.
An Improper Link Resolution Before File Access ('Link Following') vulnerability in SonicWall NetExtender Windows (32 and 64 bit) client which allows an attacker to manipulate file paths. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.
Metabase is an open source Business Intelligence and Embedded Analytics tool. Rated low severity (CVSS 1.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
BlueCMS 1.6 suffers from Arbitrary File Deletion via the id parameter in an /publish.php?act=del request. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Vite is a frontend tooling framework for javascript. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MSI Center before 2.0.52.0 has Missing PE Signature Validation. Rated high severity (CVSS 8.1), this vulnerability is no authentication required. No vendor patch available.
An issue has been discovered in GitLab EE affecting all versions from 17.1 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable. No vendor patch available.
In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the same. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetCompareWishlist allows PHP Local File Inclusion.5.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rameez Iqbal Real Estate Manager allows PHP Local File Inclusion.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Messiah Ai Image Alt Text Generator for WP.0.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON.3.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in aThemes aThemes Addons for Elementor.0.15. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to 2.2.0p39, 2.3.0p25, and 2.1.0p51 (EOL) allows arbitrary livestatus command. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.0, contains an exposure of information through directory listing vulnerability. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
Yii Framework 2 before 2.0.52 contains a behavior attachment regression that allows attackers to exploit the __class array key for arbitrary class instantiation, exploited in the wild February-April 2025.
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.
Dell Client Platform BIOS contains a Security Version Number Mutable to Older Versions vulnerability. Rated low severity (CVSS 3.1), this vulnerability is low attack complexity. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Charmed MySQL K8s operator is a Charmed Operator for running MySQL on Kubernetes. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. No vendor patch available.
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Missing Release of Memory after Effective Lifetime vulnerability in the Anti-Virus processing of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged, authenticated. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
Out of bounds write vulnerability due to improper bounds checking in NI LabVIEW reading CPU info from cache that may result in information disclosure or arbitrary code execution. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Out of bounds write vulnerability due to improper bounds checking in NI LabVIEW in InitCPUInformation() that may result in information disclosure or arbitrary code execution. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle WP Subscription Forms allows PHP Local File Inclusion.2.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Logo Showcase Ultimate allows PHP Local File Inclusion.4.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Bogdan Bendziukov Squeeze allows Retrieve Embedded Sensitive Data.6. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Shopware is an open source e-commerce software platform. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 67.3%.
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Microsoft Identity Web is a library which contains a set of reusable classes used in conjunction with ASP.NET Core for integrating with the Microsoft identity platform (formerly Azure AD v2.0. Rated medium severity (CVSS 4.7). No vendor patch available.
Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
IBM Security Guardium 11.4 and 12.1 could allow a privileged user to read any file on the system due to incorrect privilege assignment. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).0 through. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Input Validation vulnerability in Apache POI. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache Pulsar contains multiple connectors for integrating with Apache Kafka. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
confidentiality when a malicious user, having physical access, sets the radio in factory default mode where the product does not correctly initialize all data. Rated medium severity (CVSS 4.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
access of confidential data when a malicious user, having physical access and advanced information on the file system, sets the radio in factory default mode. Rated medium severity (CVSS 4.1), this vulnerability is no authentication required. No vendor patch available.
Availability of engineering workstation when a malicious project file is loaded by a user from the local system. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
information and potential privilege escalation following man in the middle attack. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information disclosure of authentication information in the specific service vulnerability exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cleartext transmission of sensitive information issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Incorrect privilege assignment vulnerability in the WEB UI (the setting page) exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper access control in Mdecservice prior to SMR Apr-2025 Release 1 allows local attackers to access arbitrary files with system privilege. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
This vulnerability exists in TP-Link Tapo H200 V1 IoT Smart Hub due to storage of Wi-Fi credentials in plain text within the device firmware. Rated medium severity (CVSS 4.4), this vulnerability is no authentication required. No vendor patch available.
wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
GraphicsMagick before 8e56520 has a heap-based buffer over-read in ReadJXLImage in coders/jxl.c, related to an ImportViewPixelArea call. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Improper restriction of environment variables in Elastic Defend can lead to exposure of sensitive information such as API keys and tokens via automatic transmission of unfiltered environment. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Lucee before 5.4.7.3 LTS and 6 before 6.1.1.118, when an attacker can place files on the server, is vulnerable to a protection mechanism failure that can let an attacker run code that would be. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in OpenSSL's handling of the properties argument in certain functions. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required.
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.
Improper input validation in Dynamics Business Central allows an authorized attacker to disclose information locally. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
External control of file name or path in Azure Portal Windows Admin Center allows an unauthorized attacker to disclose information locally. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Untrusted pointer dereference in Windows Kernel Memory allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Improper input validation in Windows Mobile Broadband allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Insecure storage of sensitive information in Windows Kerberos allows an authorized attacker to bypass a security feature locally. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.
Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Dell PowerProtect Cyber Recovery, versions prior to 19.18.0.2, contains an Insertion of Sensitive Information Into Sent Data vulnerability. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.
A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An authenticated file deletion vulnerability in the Palo Alto Networks PAN-OS® software enables an authenticated attacker with network access to the management web interface to delete certain files. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
W. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. Rated remotely exploitable, low attack complexity. No vendor patch available.
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. Rated remotely exploitable, low attack complexity. No vendor patch available.
An Improper Link Resolution Before File Access ('Link Following') vulnerability in SonicWall NetExtender Windows (32 and 64 bit) client which allows an attacker to manipulate file paths. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.
Metabase is an open source Business Intelligence and Embedded Analytics tool. Rated low severity (CVSS 1.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
BlueCMS 1.6 suffers from Arbitrary File Deletion via the id parameter in an /publish.php?act=del request. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Vite is a frontend tooling framework for javascript. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MSI Center before 2.0.52.0 has Missing PE Signature Validation. Rated high severity (CVSS 8.1), this vulnerability is no authentication required. No vendor patch available.
An issue has been discovered in GitLab EE affecting all versions from 17.1 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable. No vendor patch available.
In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the same. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version use the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Crocoblock JetCompareWishlist allows PHP Local File Inclusion.5.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rameez Iqbal Real Estate Manager allows PHP Local File Inclusion.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Messiah Ai Image Alt Text Generator for WP.0.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON.3.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in aThemes aThemes Addons for Elementor.0.15. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to 2.2.0p39, 2.3.0p25, and 2.1.0p51 (EOL) allows arbitrary livestatus command. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.0, contains an exposure of information through directory listing vulnerability. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
Yii Framework 2 before 2.0.52 contains a behavior attachment regression that allows attackers to exploit the __class array key for arbitrary class instantiation, exploited in the wild February-April 2025.
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.
Dell Client Platform BIOS contains a Security Version Number Mutable to Older Versions vulnerability. Rated low severity (CVSS 3.1), this vulnerability is low attack complexity. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Charmed MySQL K8s operator is a Charmed Operator for running MySQL on Kubernetes. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. No vendor patch available.
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Missing Release of Memory after Effective Lifetime vulnerability in the Anti-Virus processing of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged, authenticated. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
Out of bounds write vulnerability due to improper bounds checking in NI LabVIEW reading CPU info from cache that may result in information disclosure or arbitrary code execution. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Out of bounds write vulnerability due to improper bounds checking in NI LabVIEW in InitCPUInformation() that may result in information disclosure or arbitrary code execution. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle WP Subscription Forms allows PHP Local File Inclusion.2.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Logo Showcase Ultimate allows PHP Local File Inclusion.4.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Bogdan Bendziukov Squeeze allows Retrieve Embedded Sensitive Data.6. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Shopware is an open source e-commerce software platform. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 67.3%.
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Microsoft Identity Web is a library which contains a set of reusable classes used in conjunction with ASP.NET Core for integrating with the Microsoft identity platform (formerly Azure AD v2.0. Rated medium severity (CVSS 4.7). No vendor patch available.
Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
IBM Security Guardium 11.4 and 12.1 could allow a privileged user to read any file on the system due to incorrect privilege assignment. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).0 through. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Input Validation vulnerability in Apache POI. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache Pulsar contains multiple connectors for integrating with Apache Kafka. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
confidentiality when a malicious user, having physical access, sets the radio in factory default mode where the product does not correctly initialize all data. Rated medium severity (CVSS 4.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
access of confidential data when a malicious user, having physical access and advanced information on the file system, sets the radio in factory default mode. Rated medium severity (CVSS 4.1), this vulnerability is no authentication required. No vendor patch available.
Availability of engineering workstation when a malicious project file is loaded by a user from the local system. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
information and potential privilege escalation following man in the middle attack. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information disclosure of authentication information in the specific service vulnerability exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cleartext transmission of sensitive information issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Incorrect privilege assignment vulnerability in the WEB UI (the setting page) exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper access control in Mdecservice prior to SMR Apr-2025 Release 1 allows local attackers to access arbitrary files with system privilege. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
This vulnerability exists in TP-Link Tapo H200 V1 IoT Smart Hub due to storage of Wi-Fi credentials in plain text within the device firmware. Rated medium severity (CVSS 4.4), this vulnerability is no authentication required. No vendor patch available.
wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
GraphicsMagick before 8e56520 has a heap-based buffer over-read in ReadJXLImage in coders/jxl.c, related to an ImportViewPixelArea call. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Improper restriction of environment variables in Elastic Defend can lead to exposure of sensitive information such as API keys and tokens via automatic transmission of unfiltered environment. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Lucee before 5.4.7.3 LTS and 6 before 6.1.1.118, when an attacker can place files on the server, is vulnerable to a protection mechanism failure that can let an attacker run code that would be. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in OpenSSL's handling of the properties argument in certain functions. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required.
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.
Improper input validation in Dynamics Business Central allows an authorized attacker to disclose information locally. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
External control of file name or path in Azure Portal Windows Admin Center allows an unauthorized attacker to disclose information locally. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Untrusted pointer dereference in Windows Kernel Memory allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Improper input validation in Windows Mobile Broadband allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Insecure storage of sensitive information in Windows Kerberos allows an authorized attacker to bypass a security feature locally. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.
Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.