Information Disclosure

Shescape is a simple shell escape library for JavaScript. versions up to 2.1.9 is affected by information exposure.

Heap over-read in ImageMagick's MAT decoder prior to versions 7.1.2-16 and 6.9.13-41 results from incorrect arithmetic parenthesization, allowing remote attackers to leak sensitive memory contents and cause denial of service through crafted MAT image files. The vulnerability requires no authentication or user interaction and affects systems using vulnerable ImageMagick versions for image processing. No patch is currently available, leaving users dependent on upgrading to patched versions when released.

High severity vulnerability in ImageMagick. An uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check.

ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. [CVSS 4.8 MEDIUM]

An incorrect access control vulnerability exists in Tenda W15E V02.03.01.26_cn. [CVSS 7.5 HIGH]

An issue pertaining to CWE-312: Cleartext Storage of Sensitive Information was discovered in lesspass lesspass v9.6.9 which allows attackers to obtain sensitive information. [CVSS 6.5 MEDIUM]

An issue pertaining to CWE-319: Cleartext Transmission of Sensitive Information was discovered in Nexusoft NexusInterface v3.2.0-beta.2. [CVSS 7.5 HIGH]

Inclusion of functionality from untrusted control sphere in Miazzy oa-front-service allows executing code from untrusted sources.

An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File was discovered in LupinLin1 jimeng-web-mcp v2.1.2. This allows an attacker to obtain sensitive information. [CVSS 5.3 MEDIUM]

Domain spoofing in Focus for iOS versions prior to 148.2 allows remote attackers to display malicious content under trusted domain names through navigation stalling and iframe redirection techniques, without requiring user interaction beyond the initial page load. An attacker can leverage this to conduct phishing attacks or distribute misleading content by presenting spoofed trusted domains in the browser UI. No patch is currently available for this vulnerability.

Improper GPU system call handling in the DDK allows non-privileged users to bypass memory protections on user-mode wrapped memory regions and gain unauthorized write access. An attacker with local access could exploit this to modify read-only memory structures, potentially compromising system integrity or escalating privileges. No patch is currently available for this medium-severity vulnerability.

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified. resolvconf(8) is a shell script which does not validate its input. [CVSS 7.2 HIGH]

Rejected reason: The reporter agreed to not assign CVE ID. No vendor patch available.

An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR. [CVSS 7.5 HIGH]

A low‑privileged remote attacker can directly interact with the wwwdnload.cgi endpoint to download any resource available to administrators, including system backups and certificate request files. [CVSS 6.5 MEDIUM]

An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates. [CVSS 6.2 MEDIUM]

An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an empty list does not enforce any restrictions and allows all network traffic to pass unfiltered. [CVSS 4.9 MEDIUM]

An administrator may attempt to block all networks by specifying "\*" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. [CVSS 4.9 MEDIUM]

A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to write arbitrary files on the system. [CVSS 8.1 HIGH]

A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system. [CVSS 6.5 MEDIUM]

A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to read arbitrary files on the system. [CVSS 6.5 MEDIUM]

Qax Internet Control Gateway versions up to 2025-10 contains a vulnerability that allows attackers to improper access controls (CVSS 5.3).

Improper authorization in SourceCodester Pet Grooming Management Software 1.0 allows authenticated remote attackers to gain unauthorized access to the Financial Report Page, potentially viewing or modifying sensitive financial data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at risk of information disclosure and data manipulation.

SmartAdmin versions up to 3.29 contain a template injection vulnerability in the FreeMarker template handler that allows authenticated remote attackers to manipulate template content and achieve code execution. The flaw exists in the MailService component's freemarkerResolverContent function and has a public exploit available. Since no patch is available and the vendor has not responded, organizations using affected versions should immediately assess exposure and consider alternative solutions.

A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the function unpackneg of the file src/curve25519.c of the component S Range Check. This manipulation causes improper verification of cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been publicly di...

Improper resource identifier validation in Shy2593666979 AgentChat versions up to 2.3.0 allows unauthenticated remote attackers to manipulate the user_id parameter in the user endpoint, potentially gaining unauthorized access to or modifying user data. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. No patch is currently available.

Argument injection in welovemedia FFmate versions up to 2.0.15 allows authenticated attackers to manipulate the FFmpeg execution function in /internal/service/ffmpeg/ffmpeg.go, potentially leading to unauthorized command execution. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

Improper authorization in the FakeAppReceiver component of Freedom Factory dGEN1 (up to version 20260221) allows local attackers with user privileges to manipulate application permissions. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires local access but can result in unauthorized data access, modification, or service disruption.

Improper authorization in the FakeAppProvider component of Freedom Factory dGEN1 (versions up to 20260221) allows local authenticated users to bypass access controls and modify system data. Public exploit code exists for this vulnerability, though no patch is currently available from the vendor.

A flaw has been found in Freedom Factory dGEN1 versions up to 20260221. contains a vulnerability that allows attackers to improper authorization (CVSS 3.3).

Improper authorization in Freedom Factory dGEN1's com.dgen.alarm component (up to version 20260221) allows local authenticated users to bypass access controls and modify system settings. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure attempts. The attack requires local access and valid credentials but poses a moderate risk to system integrity and confidentiality.

Improper authorization in the AlarmService component of Freedom Factory dGEN1 (up to version 20260221) allows local users with limited privileges to gain unauthorized access to alarm functionality. The vulnerability requires local access and has been publicly disclosed with exploit code available, though the vendor has not provided a patch or responded to initial contact.

A vulnerability was detected in Mendi Neurofeedback Headset V4. Affected by this vulnerability is an unknown functionality of the component Bluetooth Low Energy Handler. [CVSS 3.1 LOW]

WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.

Improper authorization in the FakeAppService function of Freedom Factory dGEN1 (up to version 20260221) allows local users with standard privileges to gain unauthorized access to protected resources. Public exploit code is available for this vulnerability, though no patch has been released by the vendor despite early notification.

UptimeFlare's configuration management fails to segregate server-only sensitive data from client-side code, causing the workerConfig object containing confidential settings to be exposed in the JavaScript bundle delivered to all website visitors. This information disclosure allows attackers to view sensitive configuration details without authentication. The vulnerability affects UptimeFlare instances prior to commit 377a596 and has been patched.

DSA Study Hub stores JWT authentication tokens in unencrypted HTTP cookies, allowing attackers to extract and replay user credentials to gain unauthorized access to accounts. An unauthenticated remote attacker can intercept these tokens through network traffic analysis or client-side inspection to impersonate legitimate users. A patch is available in commit d527fba and should be applied immediately.

Backstage is an open framework for building developer portals. versions up to 3.1.4 is affected by insertion of sensitive information into log file (CVSS 2.0).

Checkmate versions prior to 3.4.0 allow unauthenticated attackers to retrieve unpublished status pages and internal monitoring data through the GET /api/v1/status-page/:url endpoint due to missing authentication checks. Public exploit code exists for this information disclosure vulnerability, enabling remote attackers to access sensitive server hardware, uptime, and incident details without credentials. No patch is currently available for affected deployments.

Unauthenticated attackers can query the integration.all endpoint in Homarr prior to version 1.54.0 to enumerate all configured integrations and expose sensitive metadata including internal service URLs and integration details. Public exploit code exists for this information disclosure vulnerability. The vulnerability is patched in version 1.54.0 and later.

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. [CVSS 2.5 LOW]

Improper validation of multi-constraint email certificates allows attackers to bypass certificate chain verification by exploiting a logic error that only processes the final constraint when multiple constraints share common local portions. This affects any system relying on certificate validation for email authentication, enabling an attacker to present a malicious certificate that would normally be rejected. No patch is currently available for this denial-of-service vulnerability.

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. [CVSS 7.5 HIGH]

OliveTin prior to version 3000.11.1 fails to enforce view permission checks on dashboard and API endpoints, allowing authenticated users to enumerate action bindings, titles, IDs, icons, and argument metadata despite having restricted access. While command execution remains properly denied, this information disclosure enables attackers to map available actions and their configurations. Public exploit code exists for this medium-severity vulnerability, and a patch is available.

Agentgateway versions prior to 0.12.0 fail to sanitize input parameters (path, query, and header values) when converting MCP tool requests to OpenAPI calls, allowing authenticated users to inject malicious data that could lead to unauthorized information disclosure or data modification. An attacker with valid credentials could exploit this input validation weakness to manipulate API requests across agent frameworks. No patch is currently available for affected deployments.

TSPortal versions prior to 30 contain a logic flaw where empty strings are converted to null values, enabling attackers to forge Data Protection Act reports as legitimate user deletion requests. This affects the WikiTide Foundation's Trust and Safety platform and could allow misuse of the reporting system to obscure malicious activity. Public exploit code exists, and no patch is currently available for affected deployments.

Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication tokens through an unauthenticated server-side publication, allowing any network-based attacker to retrieve webhook credentials without authentication. An attacker exploiting this vulnerability could hijack webhook integrations and gain unauthorized access to connected external services. The vulnerability has been patched in version 8.34.

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered publication of integration data, allowing any user with board access—including read-only members and users on public boards—to retrieve sensitive credentials. Attackers can leverage these exposed tokens to make unauthorized requests to connected external services and trigger unintended actions. The vulnerability affects Wekan's board composite publication mechanism and has been patched in version 8.34.

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debug mode Cryptomator might leak cleartext paths into the log file. This can reveal meta information about the files stored inside a vault at a time, where the actual vault is closed. Not every cleartext path is logged. Only if a filesystem request fails for some reason (e.g. damaged encrypted file,...

Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive data via enumerating object IDs. [CVSS 7.5 HIGH]

The /api/ais-data endpoint in Navtor NavBox leaks sensitive information through unhandled exception error messages, allowing unauthenticated remote attackers to obtain verbose .NET stack traces containing internal class names, method calls, and library dependencies. This information disclosure (CWE-209) enables attackers to map the application's internal structure and identify potential attack vectors. No patch is currently available for this medium-severity vulnerability affecting .NET implementations.

EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. [CVSS 7.5 HIGH]

Unauthenticated file read/write via AppEngine Fileaccess over HTTP.

Filesystem access via CROWN REST interface on industrial device. EPSS 0.25%.

Arbitrary file read in changedetection.io prior to 0.54.4 allows unauthenticated remote attackers to access sensitive files by injecting malicious XPath expressions into content filters, exploiting the unparsed-text() function in the elementpath library. The application fails to validate or sanitize XPath input, enabling attackers to read any file accessible to the application process. Public exploit code exists for this vulnerability.

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 6.4 MEDIUM]

OpenShift versions prior to 1.6.3-alpha leak sensitive information through multiple vectors, including raw exception strings in API responses and authentication tokens exposed in UI rendering and token rotation endpoints. An unauthenticated remote attacker can obtain this information over the network to compromise user sessions or gain insight into application internals. No patch is currently available for affected deployments.

TinyWeb versions prior to 2.04 fail to properly sanitize control characters and encoded sequences (CR, LF, NUL) in HTTP request headers, allowing attackers to inject malicious values into CGI environment variables and bypass parser validation. This network-accessible vulnerability enables header injection attacks that could lead to data corruption or denial of service without requiring authentication. No patch is currently available for affected deployments.

Unrestricted zip file extraction in MarkUs prior to version 2.9.4 allows authenticated users to trigger denial of service through resource exhaustion by uploading specially crafted archives with excessive file counts or sizes. Instructors and students can exploit this during assignment configuration uploads or submission handling to consume server resources and impact system availability. No patch is currently available for affected installations.

animation and page builder block versions up to 12.8.3 is affected by information exposure (CVSS 5.3).

Improper access control in Acronis Cyber Protect 17 (Linux and Windows) prior to build 41186 allows authenticated users to view sensitive information they should not have access to. The vulnerability requires valid credentials and network access but does not enable data modification or system availability impacts. No patch is currently available for this medium-severity disclosure risk.

Acronis Cyber Protect 17 on Linux and Windows (before build 41186) exposes sensitive information through insecure headless browser configuration, allowing local authenticated users to read confidential data without modifying or disrupting system operations. The vulnerability requires local access and valid credentials but poses a direct confidentiality risk to organizations using affected versions. No patch is currently available.

Improper authorization checks in Acronis Cyber Protect 17 (Linux, Windows) before build 41186 allow local authenticated users to access sensitive information and modify data. This medium-severity vulnerability requires local access and user privileges but poses no availability risk. No patch is currently available for this issue.

Improper authorization checks in Acronis Cyber Protect 17 (Linux and Windows) before build 41186 allow authenticated users to access sensitive information they should not have permission to view. An attacker with valid credentials can exploit this vulnerability to disclose confidential data without performing any additional actions. No patch is currently available for this medium-severity issue.

Acronis Cyber Protect 17 before build 41186 transmits sensitive cryptographic material unnecessarily, allowing adjacent network attackers to potentially intercept and obtain this sensitive data under specific conditions. The vulnerability requires user interaction and affects both Linux and Windows deployments. No patch is currently available.

Acronis Cyber Protect and Agent virtual appliances on VMware contain hardcoded default credentials for local privileged accounts, allowing attackers with network access and user interaction to gain high-level system access and potentially modify or disrupt backup operations. The vulnerability affects Cyber Protect Cloud Agent (VMware) before build 36943 and Cyber Protect 17 (VMware) before build 41186, with no patch currently available. An attacker exploiting this could achieve privilege escalation and lateral movement within virtualized environments.

Improper authentication in Acronis Cyber Protect 17.

Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40497, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186. [CVSS 4.4 MEDIUM]

Sensitive information disclosure and manipulation due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186, Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124. [CVSS 5.5 MEDIUM]

Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124. [CVSS 4.4 MEDIUM]

'.../...//' in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. [CVSS 6.7 MEDIUM]

Unauthorized information disclosure in Azure Compute Gallery occurs due to insecure default initialization settings that authenticated users can exploit to access sensitive data remotely. An authorized attacker can leverage this vulnerability to read confidential information without requiring user interaction. No patch is currently available for Microsoft products and ACI Confidential Containers.

Privilege escalation in Azure Compute Gallery's regex validation enables high-privileged local users to gain unauthorized system access on affected Microsoft and ACI Confidential Containers systems. An authenticated attacker with elevated permissions can exploit the permissive pattern matching to bypass security controls and achieve full system compromise. No patch is currently available, making this a medium-severity risk for environments running vulnerable versions.

OpenClaw versions 2026.1.30 and earlier leak authentication bearer tokens to untrusted domains when the optional MS Teams attachment downloader extension is enabled, due to overly permissive suffix-based domain allowlisting during download retries. An attacker could harvest these tokens from allowed domains to compromise authenticated sessions. No patch is currently available, affecting users of the vulnerable versions.

OpenClaw versions up to 2026.2.15 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

OpenClaw versions before 2026.2.13 are vulnerable to timing side-channel attacks on hook token validation due to use of non-constant-time string comparison. Remote attackers can exploit this weakness by measuring response times across multiple requests to gradually recover authentication tokens for the hooks endpoint. This affects confidentiality and integrity of OpenClaw deployments accessible over the network.

OpenClaw versions before 2026.2.12 are vulnerable to timing-based token extraction attacks due to non-constant-time string comparison in hook authentication. A network-based attacker can exploit this side-channel vulnerability to gradually recover the hook validation token through repeated timing measurements across multiple requests. The vulnerability requires repeated probing but poses a confidentiality risk to systems using vulnerable versions.

Openclaw versions up to 2026.2.1 is affected by missing authentication for critical function (CVSS 8.1).

OpenClaw versions before 2026.2.12 with the Nostr plugin enabled contain unauthenticated API endpoints that allow remote attackers to read and modify Nostr profiles without authentication when the gateway HTTP port is network-accessible. Attackers can exploit this to steal sensitive profile data, alter gateway configuration, and sign malicious Nostr events using the bot's private key. A patch is available for affected installations.

Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.

Cloudfoundry UAA versions 77.30.0 through 78.7.0 and Cloudfoundry Deployment versions 48.7.0 through 54.10.0 contain a logic error in the token revocation endpoint that allows authenticated users to inadvertently revoke tokens belonging to other users. An attacker with valid credentials could exploit this flaw to disrupt service availability by invalidating legitimate user sessions without authorization.

An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel. [CVSS 7.5 HIGH]

Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities.

Traefik versions 2.11.9-2.11.37 and 3.1.3-3.6.8 contain a case-sensitivity bypass in Connection header handling that allows unauthenticated remote attackers to remove critical X-Forwarded headers by using lowercase Connection tokens, potentially enabling header spoofing attacks. An attacker can exploit this to manipulate forwarded client information such as IP addresses and hostnames, compromising the integrity of upstream application data. A patch is available for affected versions.

Gogs versions prior to 0.14.2 expose authentication tokens in URL parameters, allowing credentials to be captured through server logs, browser history, and HTTP referrer headers. This information disclosure vulnerability affects self-hosted Gogs instances and could enable attackers to gain unauthorized API access if tokens are leaked through these channels. A patch is available in version 0.14.2 and later.

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

RustDesk Server Pro through version 1.7.5 transmits sensitive address book credentials in cleartext over the network heartbeat synchronization API, enabling attackers to intercept and obtain authentication credentials without authentication. The vulnerability affects Windows, macOS, and Linux deployments where the address book sync functionality is enabled. No patch is currently available.

RustDesk Client through version 1.4.5 transmits sensitive preset address book credentials in cleartext during heartbeat synchronization, enabling network eavesdropping attacks across Windows, macOS, Linux, iOS, and Android platforms. An attacker positioned to intercept network traffic can capture authentication credentials by sniffing the unencrypted JSON payload. No patch is currently available for this high-severity vulnerability (CVSS 8.7).

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.