Information Disclosure

Improper boundary condition handling in the JavaScript/WebAssembly engine of Firefox and Thunderbird before version 148 enables remote denial of service attacks without requiring user interaction or privileges. An attacker can crash affected applications or cause service unavailability by sending specially crafted content. No patch is currently available.

Use-after-free in Firefox DOM Core & HTML before 148. DOM object lifecycle error.

A use-after-free vulnerability in Firefox and Thunderbird's DOM processing allows remote attackers to execute arbitrary code through a malicious webpage or email attachment, requiring only user interaction to trigger. This affects Firefox versions below 148 and Thunderbird versions below 148, with no patch currently available.

Use-after-free in Firefox JavaScript GC before 148. Second GC UAF, different from CVE-2026-2795.

JIT miscompilation in Firefox WebAssembly before 148. The JIT compiler generates incorrect Wasm code, enabling type confusion. PoC available.

Use-after-free in Firefox JavaScript GC component before 148. GC-specific UAF affecting only mainline Firefox and Thunderbird.

Uninitialized memory in Firefox and Firefox Focus for Android versions prior to 148 enables remote attackers to read sensitive data without authentication or user interaction. The vulnerability allows information disclosure through memory that was not properly cleared before use, potentially exposing confidential user information to network-based attackers.

Use-after-free in Firefox ImageLib graphics component before 148. Image processing triggers use of freed memory.

Use-after-free in Firefox DOM Window and Location component before 148. Window/Location lifecycle management error.

Use-after-free in Firefox JavaScript Engine before 148. Fourth distinct JS engine UAF in this release.

Invalid pointer in Firefox JavaScript Engine before 148. Incorrect pointer computation leads to memory corruption.

Unauthenticated attackers can extract sensitive information from Firefox and Thunderbird users through a JavaScript engine JIT compilation flaw, affecting all versions prior to Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. The vulnerability requires no user interaction and can be exploited remotely over the network. No patch is currently available for this high-severity flaw.

Use-after-free in Firefox Audio/Video Playback component before 148. Media playback triggers memory corruption.

Undefined behavior in Firefox DOM Core & HTML component before 148. Can lead to memory corruption and potential code execution.

Use-after-free in Firefox DOM Bindings (WebIDL) component before 148. Memory corruption in the interface between JavaScript and native DOM objects.

A use-after-free vulnerability in the IndexedDB storage component of Firefox and Thunderbird allows remote attackers to achieve arbitrary code execution through user interaction. Affected versions include Firefox below 148, Firefox ESR below 115.33 and 140.8, and Thunderbird below 148 and 140.8. No patch is currently available for this high-severity flaw.

Use-after-free in Firefox JavaScript WebAssembly component before 148. WebAssembly-specific memory management bug.

Use-after-free in Firefox JavaScript JIT compiler before 148. Second JIT-related UAF in this release, different from CVE-2026-2764.

Use-after-free in Firefox JavaScript Engine before 148 and Thunderbird ESR 140.8. Separate UAF from CVE-2026-2763 and CVE-2026-2758.

JIT miscompilation causing use-after-free in Firefox JavaScript JIT compiler before 148. JIT bugs are highly exploitable due to their deterministic nature.

Use-after-free in Firefox JavaScript Engine before 148. One of multiple JS engine UAFs fixed in this release.

Second sandbox escape in Firefox WebRender component. CVSS 10.0 — independent path from CVE-2026-2760 to escape the content process sandbox.

Sandbox escape via boundary violation in Firefox WebRender graphics component. CVSS 10.0 — allows escaping the content sandbox to execute code with elevated privileges.

Boundary violation in Firefox ImageLib graphics component before 148 enables memory corruption through crafted images.

Use-after-free in Firefox JavaScript garbage collector before 148 allows remote code execution through crafted JavaScript.

Boundary violation in Firefox WebRTC Audio/Video component before 148 allows remote code execution through crafted WebRTC media streams.

Address bar spoofing in Firefox before 148 allows malicious scripts to desynchronize the displayed URL from actual web content before receiving a response, enabling phishing attacks.

Improper access control in REB500 firmware allows authenticated users with low privileges to read and modify unauthorized directories via the DAC protocol. An attacker with valid credentials can escalate their file system access beyond their intended permissions, potentially compromising sensitive data or system integrity. No patch is currently available for this vulnerability.

Authenticated users with Installer role in REB500 firmware can bypass directory access controls to read and modify files outside their authorized scope. This privilege escalation affects systems where installer accounts are provisioned, enabling unauthorized data access and manipulation. No patch is currently available.

Authenticated users in Apache Superset versions before 6.0.0 can access sensitive user information including password hashes and email addresses through the Tag endpoint API, which improperly exposes user objects without proper field filtering. An attacker with low-privilege credentials (such as Gamma role) can exploit this to retrieve authentication data that should remain hidden. The vulnerability only affects instances with the TAGGING_SYSTEM enabled, which is disabled by default.

Improper access controls in RTU500 series firmware (RTU520, RTU530, RTU540, RTU560) expose sensitive user management data to unauthenticated attackers who leverage browser developer tools to bypass web interface restrictions. An attacker without privileges can read confidential user information that should require authentication, though the vulnerability requires direct access to development utilities rather than simple network requests. No patch is currently available for this medium-severity exposure.

Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. User...

Medium severity vulnerability in ImageMagick. A heap out-of-bounds read vulnerability exists in the `coders/dcm.c` module. When processing DICOM files with a specific configuration, the decoder loop incorrectly reads bytes per iteration. This causes the function to read past the end of the allocated buffer, potentially leading to a Denial of Service (crash) or Information Disclosure (leaking heap memory into the image).

ImageMagick's UIL and XPM image encoders fail to validate pixel index values before using them as array subscripts, allowing an attacker to craft malicious images that trigger out-of-bounds reads in HDRI builds. Exploitation can result in information disclosure or denial of service through process crashes. Versions prior to 7.1.2-15 and 6.9.13-40 are affected, and no patch is currently available.

Information disclosure in free5GC UDR versions up to 1.4.1 allows remote attackers to obtain detailed internal parsing error messages through the NEF component's Nnef_PfdManagement service, enabling service fingerprinting and reconnaissance. Public exploit code exists for this vulnerability, and all deployments using the affected service are at risk. A patch is available in pull request 56 and should be applied immediately, as no application-level workarounds exist.

Heap memory disclosure in ImageMagick's PSD file parser allows unauthenticated remote attackers to leak sensitive information from process memory by crafting malicious Photoshop files with improperly compressed layer data. Affected versions prior to 7.1.2-15 and 6.9.13-40 fail to properly validate decompressed data sizes, exposing uninitialized heap contents in generated output images. No patch is currently available for this vulnerability.

free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of the User Data Repository are affected by Improper Error Handling with Information Exposure. [CVSS 5.3 MEDIUM]

Insecure random number generation in Smolder 1.51 Perl testing framework. Uses rand() for cryptographic operations instead of a CSPRNG, enabling prediction of security tokens.

free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. Versions prior to 1.4.1 contain an Improper Error Handling vulnerability with Information Exposure. [CVSS 5.3 MEDIUM]

Simple Ajax Chat through version 20251121 exposes sensitive system information to unauthorized access due to improper data protection controls. An unauthenticated remote attacker can retrieve embedded sensitive data from the application with minimal effort. No patch is currently available to remediate this vulnerability.

libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c. [CVSS 5.0 MEDIUM]

F3 Firmware contains a vulnerability that allows attackers to the response to be stored in client-side caches and recovered by other local use (CVSS 6.5).

An information exposure vulnerability exists in Vulnerability in HCL Software ZIE for Web. The application transmits sensitive session tokens and authentication identifiers within the URL query parameters . [CVSS 5.9 MEDIUM]

FastApiAdmin versions up to 2.2.0 contain an information disclosure vulnerability in the file download endpoint that allows authenticated attackers to read arbitrary files through path traversal manipulation. Public exploit code exists for this vulnerability, enabling remote exploitation by users with valid credentials. The vulnerability affects the download_controller function and currently has no available patch.

FastApiAdmin versions up to 2.2.0 expose sensitive information through the reset_api_docs function in the Custom Documentation Endpoint, allowing unauthenticated remote attackers to access confidential data. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch is currently available to remediate this issue.

Improper input sanitization in Datapizza AI 0.0.2's Jinja2 template handler allows remote attackers with high privileges to inject malicious template syntax through the ChatPromptTemplate function, potentially enabling code execution or information disclosure. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. [CVSS 3.7 LOW]

Funadmin versions up to 7.1.0-rc4 contain an information disclosure vulnerability in the password recovery function that allows unauthenticated remote attackers to access sensitive user data. Public exploit code is available for this vulnerability, and the vendor has not released a patch despite early notification. The low CVSS score of 5.3 reflects limited impact, though organizations running affected versions should implement compensating controls until an update is available.

CollabPlatform's misconfigured CORS policy allows credentialed cross-origin requests from attacker-controlled domains, enabling unauthorized access to sensitive user account data including email addresses, account identifiers, and MFA status. All versions of the application are affected by this vulnerability, which remains unpatched and exploitable through simple web-based attacks requiring user interaction.

OpenClaw CLI versions 2026.2.13 and earlier terminate processes based on command-line pattern matching without verifying process ownership, allowing unrelated processes to be killed on shared hosts. An attacker or unprivileged user on a multi-tenant system could leverage this to disrupt services or cause denial of service by triggering process cleanup routines that match their target applications. The vulnerability has been patched in version 2026.2.14.

Openclaw contains a vulnerability that allows attackers to potential unintentional disclosure of local files from the packaging machine int (CVSS 4.4).

Static Web Server versions up to 2.40.1 contains a vulnerability that allows attackers to identify valid users by exploiting early responses for invalid usernames, enabli (CVSS 5.3).

BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute state. [CVSS 2.0 LOW]

Asn1 Ts library versions 11.0.5 and below expose sensitive data through unintended ArrayBuffer leakage during INTEGER decoding operations in BER/DER codec processing. Applications using affected versions could inadvertently disclose memory contents to remote attackers without requiring authentication or user interaction. A patch is available in version 11.0.6 and later.

Information disclosure in Foswiki versions up to 2.1.10 allows unauthenticated remote attackers to access sensitive data through the Changes/Viewfile/Oops component. Public exploit code exists for this vulnerability. Upgrading to version 2.1.11 or later resolves the issue.

Arbitrary host file exfiltration from Cloud Hypervisor VMM versions 34.0-50.0. CVSS 10.0. Patch available.

Feathersjs versions 5.0.39 and below store unencrypted HTTP headers in base64-encoded session cookies, allowing attackers with network access to decode and retrieve sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. Authenticated users can exploit this vulnerability in deployments behind reverse proxies or API gateways to gain unauthorized access to sensitive information. A patch is available for affected installations.

When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. [CVSS 6.5 MEDIUM]

RustDesk Client for Windows file transfer functionality allows local attackers with low-privileged code execution to read arbitrary files through symlink injection, potentially disclosing sensitive information with SYSTEM-level access. An attacker can exploit the Transfer File feature by uploading a specially crafted symbolic link to bypass access controls and access protected files on the target system. No patch is currently available for this vulnerability.

Certain Samsung MultiXpress Multifunction Printers may be vulnerable to information disclosure, potentially exposing address book entries and other device configuration information through specific APIs without proper authorization.

Global Facilities Management Software versions up to 20230721a contains a security vulnerability (CVSS 7.1).

Blank admin credentials allowed in device web management. Admin can set empty password, making device fully accessible.

HTTP Basic Authentication over unencrypted connections in the device's embedded web interface allows attackers on the same network to passively intercept and capture user credentials. This cleartext transmission of authentication data exposes administrative access to network-based eavesdropping attacks. The lack of HTTPS/TLS support creates a significant credential compromise risk for affected devices with no available patch.

Insertion of Sensitive Information Into Sent Data vulnerability in themeglow JobBoard Job listing job-board-light allows Retrieve Embedded Sensitive Data.This issue affects JobBoard Job listing: from n/a through <= 1.2.8. [CVSS 5.9 MEDIUM]

Connections versions up to 7.0 contains a vulnerability that allows attackers to obtain limited information when a single piece of internal metadata is returned (CVSS 3.5).

Seraphinite Solutions Seraphinite Accelerator seraphinite-accelerator is affected by missing authorization (CVSS 4.3).

uTLS versions 1.6.0 through 1.8.0 fail to properly mimic Chrome's cipher suite selection behavior when using GREASE ECH, randomly choosing ChaCha20 for encrypted client hello while consistently using AES for the outer handshake—a mismatch that does not occur in actual Chrome and creates detectable fingerprints. This inconsistency affects users relying on uTLS for fingerprinting resistance and could enable network observers to distinguish uTLS traffic from legitimate Chrome connections. A patch is available to correct the cipher suite selection logic.

Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS. [CVSS 5.3 MEDIUM]

Tanium Interact logs sensitive information that authenticated users can access, potentially exposing confidential data through log file inspection. The vulnerability requires valid credentials and does not allow modification or service disruption, limiting its impact to information disclosure.

OpenClaw versions prior to 2026.2.15 allow authenticated administrators to write files outside the skill installation directory due to insufficient validation of the targetDir parameter during skill installation. An admin user could exploit this path traversal vulnerability to place malicious files in arbitrary locations on the system. A patch is available in version 2026.2.15 and later.

OpenClaw AI assistant versions prior to 2026.2.15 allow local authenticated users to access session transcripts across peer accounts in multi-user shared-agent deployments due to insufficient session targeting restrictions. Additionally, Telegram webhook mode may fail to properly validate per-account secrets, potentially allowing unauthorized webhook access. The vulnerability primarily impacts multi-user environments with untrusted peers, while single-user or trusted deployments face limited practical risk.

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. [CVSS 2.7 LOW]

Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network...

Tanium addressed an insertion of sensitive information into log file vulnerability in Trends. [CVSS 6.5 MEDIUM]

OpenClaw versions prior to 2026.2.14 expose sensitive configuration secrets through the skills.status endpoint to clients with operator.read privileges, allowing authenticated attackers to retrieve raw credential values including Discord tokens. The vulnerability affects AI/ML deployments where read-scoped access is intended to be non-sensitive; affected users should upgrade to version 2026.2.14 or later and rotate any exposed Discord tokens.

FormaLMS 4.1.18 and earlier allows unauthenticated attackers to enumerate valid usernames through the password recovery endpoint by observing differential error messages. This user enumeration vulnerability could enable an attacker to build a list of active accounts for targeted attacks. No patch is currently available for this medium-severity issue.

httpsig-hyper versions prior to 0.0.23 fail to properly validate HTTP message digest headers due to improper use of Rust's matches! macro, allowing attackers to forge or modify message bodies without detection. This vulnerability affects applications using the library for HTTP signature verification, enabling attackers to bypass integrity checks on signed requests. A patch is available in version 0.0.23 and later.

Penpot before version 2.13.2 contains a path traversal vulnerability in the font creation endpoint that allows authenticated users with team edit permissions to read arbitrary files from the server filesystem. By supplying local file paths such as `/etc/passwd` as font data, attackers can retrieve sensitive files including system configuration, application secrets, and credentials. Public exploit code exists for this vulnerability, which could enable further server compromise depending on the Penpot process permissions.

Unauthenticated attackers can bypass access controls in Alfresco Content Services to retrieve sensitive files from protected directories such as WEB-INF through the /share/page/resource/ endpoint. This vulnerability exposes critical configuration data and credentials without requiring authentication or user interaction. No patch is currently available for this remotely exploitable issue affecting Alfresco deployments.

Missing authorization validation in Pterodactyl Wings prior to version 1.12.1 allows authenticated nodes to access and manipulate servers across different nodes without proper ownership verification. An attacker with a valid node secret token can retrieve sensitive installation scripts, alter server installation states, and modify transfer statuses for servers they should not have access to. The vulnerability requires network access and valid node credentials but carries high impact due to potential exposure of secrets and cross-node server manipulation.

strongMan's credential encryption uses a static initialization vector with AES-CTR mode, causing all database fields to be encrypted with identical key streams. An attacker with database access can leverage publicly stored certificates to derive the key stream and decrypt stored private keys and EAP secrets. No patch is currently available for this high-severity vulnerability affecting strongSwan management deployments.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Dell PowerProtect Data Manager versions prior to 19.22 contain an incorrect privilege assignment flaw that allows remote attackers with low-level credentials to escalate their privileges on affected systems. The vulnerability requires network access and valid authentication but no user interaction, making it exploitable by insiders or attackers who have obtained legitimate credentials. No patch is currently available.

villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer is affected by php remote file inclusion (CVSS 7.5).

Dell Unisphere for PowerMax 10.2 contains a file path control vulnerability that allows authenticated remote attackers to disclose sensitive information. The vulnerability requires low-privileged credentials and network access but no user interaction, making it accessible to internal threats or compromised accounts. Currently no patch is available to remediate this issue.