Information Disclosure

Gogs versions prior to 0.14.2 expose authentication tokens in URL parameters, allowing credentials to be captured through server logs, browser history, and HTTP referrer headers. This information disclosure vulnerability affects self-hosted Gogs instances and could enable attackers to gain unauthorized API access if tokens are leaked through these channels. A patch is available in version 0.14.2 and later.

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

RustDesk Server Pro through version 1.7.5 transmits sensitive address book credentials in cleartext over the network heartbeat synchronization API, enabling attackers to intercept and obtain authentication credentials without authentication. The vulnerability affects Windows, macOS, and Linux deployments where the address book sync functionality is enabled. No patch is currently available.

RustDesk Client through version 1.4.5 transmits sensitive preset address book credentials in cleartext during heartbeat synchronization, enabling network eavesdropping attacks across Windows, macOS, Linux, iOS, and Android platforms. An attacker positioned to intercept network traffic can capture authentication credentials by sniffing the unencrypted JSON payload. No patch is currently available for this high-severity vulnerability (CVSS 8.7).

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

RustDesk Client through version 1.4.5 on Windows, macOS, and Linux uses weak password hashing and improper object prototype handling in its password security and configuration encryption modules, allowing local authenticated attackers to extract embedded sensitive data including passwords and machine identifiers. The vulnerability affects critical cryptographic functions including symmetric_crypt() and decrypt_str_or_original(), enabling attackers with local access and valid credentials to compromise encrypted credentials and system identifiers. No patch is currently available.

Privilege escalation in RustDesk Client through version 1.4.5 on Windows, macOS, Linux, iOS, and Android allows unauthenticated remote attackers to abuse API sync and configuration management functions. The vulnerability in the rendezvous mediator and HTTP sync modules enables attackers to gain elevated privileges without user interaction. No patch is currently available for affected users.

Xgrammar versions prior to 0.1.32 crash when processing multi-level nested syntax structures, causing a denial of service that halts the application. An attacker can trigger this segmentation fault remotely without authentication by submitting crafted input, disrupting any AI/ML system relying on this library for structured generation tasks. No patch is currently available for affected deployments.

RustDesk Server Pro through version 1.7.5 uses weak cryptographic algorithms in configuration string generation and web console export functions, enabling attackers to extract sensitive embedded data from exported configurations. This vulnerability affects Windows, macOS, and Linux deployments and requires no authentication or user interaction to exploit. No patch is currently available.

RustDesk Client through version 1.4.5 uses a broken cryptographic algorithm that allows attackers to retrieve sensitive embedded data during config import, URI scheme handling, or CLI operations across Windows, macOS, Linux, iOS, Android, and web clients. An unauthenticated remote attacker can exploit this vulnerability without user interaction to extract sensitive configuration information. No patch is currently available for this high-severity vulnerability.

Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. [CVSS 7.5 HIGH]

Data processing vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 6.2 MEDIUM]

Double free vulnerability in the window module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.1 MEDIUM]

HCL Sametime for iOS is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URLs. [CVSS 3.3 LOW]

Auth bypass in Login with Salesforce WordPress plugin through 1.0.2.

Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.

WP Royal Royal Elementor Addons royal-elementor-addons is affected by inclusion of functionality from untrusted control sphere (CVSS 8.2).

Axiomthemes Nirvana version 2.6 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper filename validation and could enable information disclosure or facilitate further compromise, though no patch is currently available. With a CVSS score of 8.1 and low exploitation likelihood (0.2% EPSS), organizations running affected versions should prioritize mitigation strategies until an official patch is released.

My Tickets plugin version 2.1.0 and earlier inadvertently exposes sensitive data in outbound communications due to improper data handling. An unauthenticated remote attacker can intercept and retrieve embedded sensitive information from sent data without user interaction. No patch is currently available for this high-severity vulnerability.

Input quantity validation bypass in W3 Total Cache WordPress plugin.

Premio Chaty versions up to 3.5.1 expose sensitive data through improper handling of embedded information in outbound communications, allowing unauthenticated remote attackers to retrieve confidential data without user interaction. The vulnerability carries a high severity rating (CVSS 7.5) and currently has no available patch.

RadiusTheme Classified Listing plugin through version 5.3.4 exposes sensitive data in sent communications due to improper information handling. An authenticated attacker can retrieve embedded sensitive information from network traffic without modifying data or disrupting service. No patch is currently available for this vulnerability.

PHP Local File Inclusion in AncoraThemes FixTeam through version 1.4 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper handling of file include/require statements. The vulnerability carries a high CVSS score of 8.1 with potential for information disclosure and system compromise, though no patch is currently available.

Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.

Insecure embedded zlib in Compress::Raw::Zlib through 2.219 for Perl.

Insecure session ID generation in Apache::Session::Generate::MD5 through 1.94 for Perl.

Insecure session ID generation in Plack::Middleware::Session::Simple before 0.05 for Perl. Patch available.

NetApp ONTAP 9.12.1 and later with S3 NAS buckets allows authenticated attackers to enumerate directory contents they lack authorization to access, resulting in unauthorized information disclosure. An attacker with valid credentials can exploit this to view sensitive file listings without proper permissions. No patch is currently available for this vulnerability.

Injection in Open OnDemand HPC portal Files application before 4.0.9/4.1.3.

Dark Reader is an accessibility browser extension that makes web pages colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. [CVSS 3.4 LOW]

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]

Cisco Secure Firewall ASA and Secure FTD devices can be remotely rebooted by unauthenticated attackers through malformed SAML 2.0 authentication messages, causing service unavailability due to insufficient input validation. The vulnerability has a high attack surface as it requires no authentication or user interaction and affects the device's core authentication mechanism. No patch is currently available.

Unauthenticated remote attackers can trigger a denial of service against Cisco Secure Firewall ASA and Secure FTD devices by sending specially crafted IKEv2 packets that trigger a memory leak in the IKEv2 parser. Exploitation exhausts system resources and forces manual device reboot to restore availability. No patch is currently available.

Memory exhaustion in Cisco Secure Firewall ASA and FTD IKEv2 implementations allows authenticated remote attackers with valid VPN credentials to trigger device reloads by sending crafted packets, disrupting firewall availability and downstream network services. The vulnerability stems from improper IKEv2 packet processing that fails to constrain memory allocation. No patch is currently available.

Unauthenticated remote attackers can trigger denial-of-service conditions in Cisco Secure Firewall ASA and Secure FTD Software by sending specially crafted IKEv2 packets that cause memory exhaustion due to improper memory management. A successful attack forces manual device reloads and can degrade network services across connected systems. No patch is currently available for this vulnerability.

Unauthenticated SSH authentication bypass in Cisco Secure Firewall ASA allows remote attackers to log in as arbitrary users by exploiting insufficient input validation during the SSH key authentication phase, requiring only knowledge of a valid username and its associated public key. This vulnerability enables attackers to execute arbitrary commands on affected ASA devices with the privileges of the compromised user account. No patch is currently available.

ArubaOS access points are vulnerable to gateway impersonation attacks when clients connect via wired or wireless interfaces, allowing unauthenticated attackers to redirect network traffic into a man-in-the-middle position. An attacker can exploit address-based spoofing to intercept or modify data streams intended for the legitimate gateway, compromising the confidentiality of client communications. No patch is currently available.

Missing BLE authentication in Pebble Prism Ultra smartwatch. PoC available.

Rancher Backup And Restore Operator is affected by insertion of sensitive information into log file (CVSS 6.8).

2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts. [CVSS 6.5 MEDIUM]

Insufficient session invalidation in 2N Access Commander 3.4.2. Multiple sessions remain valid after logout.

2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. [CVSS 7.2 HIGH]

The Linux kernel's romfs filesystem fails to validate the return value of sb_set_blocksize(), allowing a local attacker with user privileges to trigger a denial of service by mounting a romfs image on a loop device configured with an incompatible block size. Public exploit code exists for this vulnerability. The flaw causes the filesystem to proceed with an invalid superblock configuration, potentially leading to system crashes or filesystem corruption.

The Linux kernel fbdev smscufx driver fails to properly copy user-supplied data to kernel memory in the UFX_IOCTL_REPORT_DAMAGE ioctl handler, instead directly referencing userspace memory which can be manipulated or invalidated. A local attacker with appropriate privileges can exploit this to cause a denial of service by triggering kernel memory access violations or crashes. No patch is currently available for this medium-severity vulnerability.

Local privilege escalation in Linux kernel f2fs sysfs attributes allows unprivileged users to trigger out-of-bounds memory access and cause denial of service by writing oversized integer values to filesystem control interfaces. The vulnerability stems from improper bounds checking when mapping sysfs attributes to kernel structures of varying integer sizes, enabling attackers to corrupt kernel memory and crash the system. No patch is currently available for this vulnerability.

A use-after-free vulnerability in the Linux kernel's f2fs filesystem allows a local attacker with user privileges to trigger memory corruption and crash the system through a race condition between I/O completion and filesystem unmount operations. The vulnerability occurs when a loop device completes write operations concurrently with an unmount that frees filesystem structures still being accessed by pending I/O handlers. This issue has no available patch and requires kernel-level access to exploit.

A revert of a Linux kernel patch introduces a potential deadlock condition in the f2fs filesystem when concurrent write operations and checkpoint operations occur, allowing a local user with write permissions to cause a denial of service through system hang. The vulnerability affects the Linux kernel's f2fs module and requires low privileges to trigger. No patch is currently available to address this issue.

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] <TASK> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases.

A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properties. [CVSS 4.8 MEDIUM]

A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter. A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. [CVSS 4.4 MEDIUM]

A use-after-free vulnerability in the Linux kernel's netfilter nf_tables chain registration allows local attackers with user privileges to trigger memory corruption and cause a denial of service, potentially leading to privilege escalation. The flaw occurs when hook registration fails during chain addition, allowing concurrent operations to access freed memory without proper RCU synchronization. The vulnerability affects systems running vulnerable Linux kernels with netfilter enabled, and no patch is currently available.

Dell PowerScale OneFS versions before 9.10.1.6 and 9.11.0.0 through 9.12.0.1 contain an uncontrolled search path vulnerability that allows high-privileged local attackers to achieve privilege escalation, information disclosure, and denial of service. The vulnerability requires local access and high privileges to exploit, making it suitable primarily for insider threats or attackers who have already gained initial system access. No patch is currently available for affected systems.

Powerscale Onefs versions up to 9.10.1.6 is affected by execution with unnecessary privileges (CVSS 6.7).

Privilege escalation in Dell PowerScale OneFS versions before 9.10.1.6 and 9.11.0.0 through 9.12.0.1 stems from incorrect privilege assignment that allows local attackers with low privileges to gain elevated access. An attacker with local system access and user interaction can exploit this vulnerability to achieve complete system compromise through unauthorized privilege elevation.

Incorrect default file permissions in Dell PowerScale OneFS versions before 9.10.1.6 and 9.11.0.0 through 9.12.0.1 allow high-privileged local attackers to achieve code execution, privilege escalation, and information disclosure. The vulnerability requires local access and high privileges to exploit, but no patch is currently available. Affected organizations should implement access controls and monitor for unauthorized local activity until an update is released.

The Seraphinite Accelerator WordPress plugin through version 2.28.14 fails to validate user permissions on the `seraph_accel_api` AJAX endpoint, allowing authenticated subscribers and above to access sensitive operational data including cache status and database state. An attacker with a basic WordPress account can exploit the missing capability checks in the `OnAdminApi_GetData()` function to enumerate system information without administrative rights. No patch is currently available for this information disclosure vulnerability.

SEPPmail Secure Email Gateway versions prior to 15.0.1 fail to properly isolate decrypted PGP message content from surrounding plaintext, enabling attackers to access encrypted sensitive information over the network without authentication. This high-severity flaw affects organizations relying on SEPPmail for secure email handling and exposes confidential data despite encryption protections. No patch is currently available for this vulnerability.

Seppmail versions up to 15.0.1 is affected by improper verification of cryptographic signature (CVSS 5.3).

Seppmail versions up to 15.0.1 is affected by improper verification of cryptographic signature (CVSS 5.3).

SEPPmail Secure Email Gateway versions before 15.0.1 misinterpret email addresses in message headers, enabling attackers to spoof sender identities or decrypt encrypted communications due to inconsistent header parsing with standard mail infrastructure. This unauthenticated network-based vulnerability affects all default installations with no available patch, presenting significant risk to organizations relying on the gateway for email security.

Unauthenticated disclosure of WordPress user email addresses in Mail Mint plugin versions before 1.19.5 through an unprotected REST API endpoint allows remote attackers to enumerate users without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. This affects all installations of the Mail Mint plugin below the patched version.

Behavioral control bypass in Devolutions Server 2025.3.15 allows authenticated users to exploit delete permissions.

Information disclosure in OpenEMR 5.0.2 to before 8.0.0 exposes sensitive data. PoC and patch available.

Unauthenticated token disclosure in OpenEMR before 8.0.0. CVSS 10.0. PoC and patch available.

MariaDB Server through version 11.8.5 fails to audit SQL statements when the server audit plugin is enabled and queries are prefixed with SQL comments (-- or #), allowing authenticated database users to execute DDL, DML, or DCL commands without logging. This bypass affects Relational Database Service, Aurora MySQL, and MariaDB deployments relying on audit logging for compliance and security monitoring. An attacker with database credentials could perform unauthorized administrative or data manipulation operations while evading audit trails.

Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to stroe credentials in plaintext in the component uac_temp.db. [CVSS 7.5 HIGH]

Tranzman versions up to 4.0 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

An out-of-bounds read vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information leak. [CVSS 6.1 MEDIUM]

Default admin credentials in OpenMQ message broker. Shipped with known default admin password.

in a component used in the Gallagher Hanwha VMS and Gallagher NxWitness VMS integrations allows unprivileged users with local network access to view live video streams. This issue affects all versions of Gallagher NxWitness VMS integration versions up to 9.10.017 is affected by cleartext transmission of sensitive information (CVSS 5.6).

An embedded test key and certificate could be extracted from a Poly Voice device using specialized reverse engineering tools. This extracted certificate could be accepted by a SIP service provider if the service provider does not perform proper validation of the device certificate.

Out-of-bounds read in Exiv2's CRW image parser allows remote attackers to cause denial of service and potentially disclose sensitive memory contents through crafted image files. Versions prior to 0.28.8 are affected, and public exploit code exists for this vulnerability. A patch is available that administrators should deploy immediately to prevent exploitation.

MediaProvider on Android lacks proper permission validation in the isRedactionNeededForOpenViaContentResolver function, allowing local attackers to infer the precise locations of media files without requiring special privileges or user interaction. This information disclosure vulnerability affects any application with local access to the device, and while the CVSS score is moderate, no patch is currently available.

Contact information exposure in Android's notification system allows local attackers to extract sensitive user data through a logic error in the setHideSensitive function, requiring no special privileges or user interaction. The vulnerability affects the ExpandableNotificationRow component where contact names can be inadvertently disclosed despite intended privacy protections. No patch is currently available for this medium-severity flaw.

App pinning bypass in Android's KeyguardServiceDelegate allows unauthenticated local attackers to interact with restricted applications without the lock screen knowledge factor (LSKF) due to insufficient permission validation. The vulnerability enables limited information disclosure through unauthorized app access with no additional privileges or user interaction required. No patch is currently available.

In multiple locations, there is a possible information disclosure due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

In jump_to_payload of payload.rs, there is a possible information disclosure due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. [CVSS 5.5 MEDIUM]

Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 7.4).

Android versions up to 14.0 is affected by cleartext transmission of sensitive information (CVSS 6.5).

NocoDB versions prior to 0.301.3 fail to invalidate refresh tokens during password resets, enabling attackers with previously compromised tokens to continue generating valid session tokens despite the victim changing their password. An authenticated attacker can exploit this to maintain unauthorized access to user accounts without requiring the new credentials. This vulnerability requires prior token compromise but allows indefinite session hijacking until the stolen token naturally expires.

NocoDB versions prior to 0.301.3 store shared view passwords in plaintext and validate them using simple string comparison, allowing attackers with database access to trivially recover authentication credentials. This affects all users relying on shared view password protection for access control. No patch is currently available for affected deployments.

NocoDB versions prior to 0.301.3 expose user enumeration through the password reset endpoint, which returns distinguishable responses for valid and invalid email addresses. An unauthenticated attacker can exploit this to identify registered users in the system. This vulnerability requires no user interaction and has a CVSS score of 5.3, though no patch is currently available.

ZimaOS 1.5.2-beta3 lacks proper path validation in its API, allowing authenticated users to bypass frontend restrictions and write files to protected system directories such as /etc and /usr. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to modify critical OS files and potentially achieve code execution. No patch is currently available.

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. [CVSS 7.1 HIGH]

5G Fixed Wireless Access Platform Firmware versions up to - contains a vulnerability that allows attackers to cryptographic issue when a VoWiFi call is triggered from UE (CVSS 7.2).

Cryptographic Issue when a shared VM reference allows HLOS to boot loader and access cert chain. [CVSS 7.1 HIGH]

The CGM CLININET application respond without essential security HTTP headers, exposing users to client‑side attacks such as clickjacking, MIME sniffing, unsafe caching, weak cross‑origin isolation, and missing transport security controls. [CVSS 4.3 MEDIUM]

The CGM CLININET system provides smart card authentication; however, authentication is conducted locally on the client device, and, in reality, only the certificate number is used for access verification. [CVSS 7.8 HIGH]