Skip to main content

Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (66654)

EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Header injection in Apache Camel's camel-kafka component allows HTTP clients to redirect Kafka messages to arbitrary topics in routes that bridge an HTTP consumer into a Kafka producer. The kafka.OVERRIDE_TOPIC, kafka.OVERRIDE_TIMESTAMP, and kafka.PARTITION_KEY Exchange header constants used non-CamelKafka-prefixed names, causing them to bypass HttpHeaderFilterStrategy - which blocks only the Camel/camel namespace - while remaining readable by KafkaProducer.evaluateTopic() as authoritative control directives. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but when the HTTP ingress is unauthenticated the attack requires only a standard HTTP client and a known Kafka topic name.

Microsoft Apache Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Header injection in Apache Camel's camel-irc component enables unauthenticated HTTP clients to redirect outgoing IRC messages to attacker-chosen channels or users by supplying non-Camel-prefixed headers (e.g., irc.sendTo) that Camel's HttpHeaderFilterStrategy fails to block. Affected versions span 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x; fixes are available in 4.14.8, 4.18.3, and 4.21.0. No public exploit code or CISA KEV listing exists at time of analysis, but the attack requires no credentials when the bridging HTTP consumer is unauthenticated, making it trivially reproducible against any qualifying deployment.

Microsoft Apache Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 1.9
LOW Monitor

Integer overflow in radare2's string utility library affects versions up to 6.1.6, allowing a local low-privileged attacker to crash the application through manipulated input processed by r_str_ndup or r_str_append in libr/util/str.c. The impact is limited to availability - no confidentiality or integrity compromise is confirmed by the CVSS 4.0 vector (VC:N/VI:N/VA:L). Publicly available exploit code exists (CVSS 4.0 E:P), though no active exploitation is confirmed and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Radare2
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

Integer overflow in radare2's binary analysis function exposes local users on systems running version 6.1.6 or earlier to limited confidentiality, integrity, and availability impacts. The flaw resides in the `core_anal_bytes` function within `libr/core/cmd_anal.inc` and requires only low-privilege local access to trigger via crafted binary input. A public proof-of-concept exploit has been disclosed, though no confirmed active exploitation (CISA KEV) is recorded; the CVSS 4.0 score of 1.9 reflects the tightly constrained local-only attack surface and limited impact scope.

Information Disclosure Radare2
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege abuse in TUBITAK BILGEM Pardus-Parental-Control (versions up to and including 0.5.1, fixed in 0.7.0) lets a low-privileged local user exploit insecure file/resource permissions to tamper with the tool's DNS configuration and perform DNS spoofing. Because the CVSS scope is changed (S:C), the impact reaches beyond the application to system-wide name resolution, enabling redirection of traffic, bypass of parental filtering, and interception of connections. There is no public exploit identified at time of analysis, but the reachable local vector and low complexity make this a practical concern on shared or managed Pardus endpoints.

Information Disclosure Pardus Parental Control
NVD VulDB
EPSS 0% CVSS 7.9
HIGH PATCH This Week

Sensitive information exposure in Pardus Domain Joiner (versions 0.5.2 up to but not including 0.5.4) lets a local low-privileged user harvest secrets — most plausibly domain-join credentials — that the tool passes as visible arguments when invoking a child process. TUBITAK BILGEM's utility enrolls Pardus (a Turkish Debian-based distribution) endpoints into a directory/domain, so the leaked material can be Active Directory or LDAP bind credentials. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the fix in 0.5.4 confirms the issue is vendor-acknowledged.

Information Disclosure Pardus Domain Joiner
NVD VulDB
EPSS 0% CVSS 9.2
CRITICAL POC PATCH Act Now

Arbitrary MongoDB collection disclosure in cve-search allows a remote, unauthenticated attacker to read any application database collection through the POST /fetch_cve_data endpoint by manipulating the collection name, projected fields, and regex filter parameters. Attackers can dump the mgmt_users collection to harvest administrative usernames and password hashes for offline cracking. Publicly available exploit code exists (referenced in the project issue tracker) and a vendor patch is available, though no active exploitation has been reported.

Information Disclosure Cve Search
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Weak hashing in LangGraph's Task Result Cache exposes low-privilege authenticated users to hash collision attacks that can leak cached task results across isolation boundaries. All LangGraph versions through 1.2.4 are affected via the `_freeze` function in `libs/langgraph/langgraph/_internal/_cache.py`. A public proof-of-concept is disclosed at GitHub issue #8009, though the CVSS 4.0 score of 2.3 and AC:H rating reflect genuinely high exploitation difficulty; this is not listed in CISA KEV and no active exploitation has been reported.

Information Disclosure Langgraph
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

Weak hashing in exo-explore exo up to version 1.0.71 exposes the Vision Feature Cache to hash collision attacks via the `_image_cache_key` function in `src/exo/worker/engines/mlx/vision.py`. A remote, unauthenticated attacker capable of engineering the necessary collision inputs could disclose cached vision feature data, yielding a low confidentiality impact. Publicly available exploit code exists (referenced in GitHub issue #2151), though high attack complexity (AC:H) and the absence of a CISA KEV listing indicate no confirmed widespread active exploitation at time of analysis.

Information Disclosure Exo
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Insufficient session expiration in SourceCodester Online Boat Reservation System 1.0 allows a remote, low-privileged attacker to reuse a previously issued session token after it should have been invalidated, gaining unauthorized access to authenticated application functionality. The CWE-613 root cause indicates the application fails to properly terminate sessions on logout or timeout. A publicly available exploit demonstrates the flaw, as confirmed by a Medium writeup linked in the references.

Information Disclosure Online Boat Reservation System
NVD VulDB
EPSS 0% CVSS 1.1
LOW POC PATCH Monitor

Insufficiently random temporary file naming in markdownify-mcp (zcaceres, versions through 1.1.0) exposes transiently written content to local users who can predict or race the generated file path. The saveToTempFile function in src/Markdownify.ts affects the webpage-to-markdown, youtube-to-markdown, and bing-search-to-markdown conversion pipelines, allowing a co-located attacker to read converted content before cleanup. No active exploitation has been confirmed (not in CISA KEV), though a proof-of-concept is publicly available; the overall risk is low given the local-only, high-complexity attack requirements reflected in the CVSS 4.0 score of 2.0.

Information Disclosure Markdownify Mcp
NVD VulDB GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Symlink following in zcaceres markdownify-mcp up to version 1.1.0 allows a local low-privilege user to read files outside the intended directory boundary by exploiting insufficient path resolution in the `assertPathAllowed` function of `src/Markdownify.ts`. The function evaluates the user-supplied symbolic path rather than its canonicalized target, enabling an attacker to bypass the path restriction check and disclose arbitrary local files. No public exploit code exists at time of analysis, the vulnerability is not listed in CISA KEV, and a fix is pending as an unmerged pull request.

Information Disclosure Markdownify Mcp
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery. "Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values." An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack. Keys used to sign with an affected version should be considered compromised and new keys should be generated.

Information Disclosure Crypt Red Hat
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Partial string comparison in BettaFish's InsightEngine deduplication logic (versions up to 1.2.1) allows remote unauthenticated attackers to manipulate search-result deduplication by crafting inputs that exploit the flawed comparison in `_deduplicate_results` within `InsightEngine/agent.py`. The integrity impact is limited - attackers can cause duplicate or otherwise manipulated entries to persist in search output - but the attack requires no authentication and no user interaction, and a public proof-of-concept exploit exists. No active exploitation has been confirmed by CISA KEV; a fix pull request (PR #689) has been submitted but not yet merged.

Information Disclosure Bettafish
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW Monitor

State corruption in HdrHistogram up to version 2.2.2 allows a local, low-privileged attacker to manipulate the Count argument of the recordValueWithCount function in AbstractHistogram.java, resulting in low-integrity corruption of histogram state. The flaw affects the core metrics-recording logic of this Java library. A proof-of-concept exploit has been publicly disclosed; the project maintainer was notified via a GitHub issue but has not yet responded with a fix, leaving affected deployments without a vendor patch.

Java Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Incorrect comparison in HdrHistogram's DoubleHistogram.recordValue() range check allows a local, low-privileged attacker to manipulate histogram integrity by recording out-of-range values that bypass the bounds check. Versions up to and including 2.2.2 are affected. No public exploit identified at time of analysis - publicly available exploit code exists, and the project maintainer has not responded to the responsible disclosure, leaving the vulnerability unpatched.

Java Information Disclosure Hdrhistogram
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wso2 Api Manager Wso2 Identity Server +3
NVD
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Out-of-bounds read in ONNX versions up to 1.21.x exposes limited memory contents to low-privileged remote attackers via the convPoolShapeInference_opset19 shape inference function. The CVSS 4.0 score of 2.1 reflects minimal real-world impact - confidentiality-only, low severity - yet a public proof-of-concept is available via GitHub issue #8036. No active exploitation has been confirmed by CISA KEV, and an upstream patch exists at commit a7bf3a0f1d18bb62575236ef6e4944980c40e045 via PR #8051.

Buffer Overflow Information Disclosure Onnx
NVD VulDB GitHub
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Weak session hash generation in ForceInjection AI-fundermentals 2.0 and 3.0 exposes conversation history belonging to other users in shared deployments. The `get_conversation_history` function in the Memory Recall Handler generates `sessionowner` tokens using a cryptographically weak hash algorithm (CWE-328), allowing a low-privileged authenticated attacker to predict or brute-force another user's session identifier and retrieve their prior conversation records. A publicly available exploit exists per GitHub issue #17 and the CVSS 4.0 E:P modifier, though the high attack complexity (AC:H) and low overall score of 2.3 indicate exploitation is difficult and impact is limited to partial confidentiality loss - no integrity or availability impact is present.

Information Disclosure Ai Fundermentals
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Divide-by-zero in RT-Thread's lightweight process (lwp) syscall handler allows a low-privileged remote attacker to crash the RTOS by sending crafted read, write, or sys_ioctl system calls with malicious parameters to the affected handler in components/lwp/lwp_syscall.c. Affected versions are 5.2.2 and below. A public proof-of-concept exploit has been disclosed via GitHub issue #11429, though this vulnerability has not been added to the CISA KEV catalog, suggesting exploitation remains opportunistic rather than broadly weaponized. The upstream fix exists only as a pull request (PR #11453) awaiting merge acceptance.

Information Disclosure Rt Thread
NVD VulDB GitHub
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation path In __ip6_append_data(), when the paged-allocation branch is taken (MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are computed as alloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen; datalen already includes fraggap (datalen = length + fraggap). When fraggap is non-zero, this is not the first skb and transhdrlen is zero. The fraggap bytes carried over from the previous skb are copied just past the fragment headers in the new skb's linear area. The linear area is therefore undersized by fraggap bytes while pagedlen is overstated by the same amount, and the copy writes past skb->end into the trailing skb_shared_info. An unprivileged user can trigger this via a UDPv6 socket using MSG_MORE together with MSG_SPLICE_PAGES. The bad accounting was introduced by commit 773ba4fe9104 ("ipv6: avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix __ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative copy value caused -EINVAL to be returned. That later commit allowed MSG_SPLICE_PAGES to proceed in this case, making the corruption triggerable. The non-paged branch sets alloclen to fraglen, which already accounts for fraggap because datalen does. Bring the paged branch in line by adding fraggap to alloclen and subtracting it from pagedlen. After this adjustment, copy no longer collapses to -fraggap on the paged path, so remove the stale comment describing that old arithmetic. Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES case, remove the MSG_SPLICE_PAGES exception from the negative copy check.

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: af_unix: Set gc_in_progress to true in unix_gc(). Igor Ushakov reported that unix_gc() could run with gc_in_progress being false if the work is scheduled while running: Thread 1 Thread 2 Thread 3 -------- -------- -------- unix_schedule_gc() unix_schedule_gc() `- if (!gc_in_progress) `- if (!gc_in_progress) |- gc_in_progress = true | `- queue_work() | unix_gc() <----------------/ | | |- gc_in_progress = true ... `- queue_work() | | `- gc_in_progress = false | | unix_gc() <---------------------------------------------' | ... /* gc_in_progress == false */ | `- gc_in_progress = false unix_peek_fpl() relies on gc_in_progress not to confuse GC by MSG_PEEK. Let's set gc_in_progress to true in unix_gc().

Linux Information Disclosure
NVD VulDB
EPSS 0%
Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use As per the GHCB spec, when using GHCB v2+ require the software scratch area to reside in the GHCB's shared buffer. Note, things like Page State Change (PSC) requests _rely_ on this behavior, as the guest can't provide a length when making the request, i.e. the size of the guest payload is bounded by the size of the shared buffer. Failure to force usage of the GHCB, and a slew of other flaws, lets a malicious SNP guest corrupt host kernel heap memory, and leak host heap layout information. setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2), where exit_info_2 is guest-controlled. With exit_info_2=24, this yields a 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer holds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only entries[0] and entries[1] are in-bounds. snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253) but NOT against the actual buffer size: idx_end = hdr->end_entry; if (idx_end >= VMGEXIT_PSC_MAX_COUNT) { // checks 253, not buffer snp_complete_psc(svm, ...); return 1; } for (idx = idx_start; idx <= idx_end; idx++) { entry_start = entries[idx]; // OOB when idx >= 2 The guest sets end_entry=10+, causing the host to iterate entries[2+] which are OOB into adjacent slab objects. For each OOB entry: - The host reads 8 bytes (OOB READ / info leak oracle) - If the data passes PSC validation, __snp_complete_one_psc() writes cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806) - If validation fails, the error response reveals whether adjacent memory is zero vs non-zero (information disclosure to guest) The guest controls allocation size (exit_info_2), entry range (cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly hit different slab positions. By exploiting the variety of bugs, a malicious SEV-SNP guest can: - OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure) - OOB write cur_page bits into adjacent objects (heap corruption) - Trigger use-after-free conditions across VMGEXITs E.g. with KASAN enabled, a single insmod of the PoC guest module produces 73 KASAN reports: BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890 Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199 BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890 Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199 The buggy address belongs to the object at ffff888XXXXXXXXX which belongs to the cache kmalloc-cg-32 of size 32 The buggy address is located N bytes to the right of allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX) Breakdown: 62 slab-out-of-bounds (reads + writes past allocation) 7 slab-use-after-free 4 use-after-free All credit to Stan for the wonderful description and reproducer! [sean: write changelog]

Linux Oracle Information Disclosure
NVD VulDB
EPSS 0%
POC PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected role Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixed a shadow paging mismatch between stored and computed GFNs; the bug could be triggered by changing a PDE mapping from outside the guest, and then deleting a memslot. The rmap_remove() call would miss entries created after the PDE change because the GFN of the leaf SPTE does not match the GFN of the struct kvm_mmu_page. A similar hole however remains if the modified PDE points to a non-leaf page. In this case the gfn can be made to match, but the role does not match: the original large 2MB page creates a kvm_mmu_page with direct=1, while the new 4KB needs a kvm_mmu_page with direct=0. However, kvm_mmu_get_child_sp() does not compare the role, and therefore reuses the page. The next step is installing a leaf (4KB) SPTE on the new path which records an rmap entry under the gfn resolved by the walk. But when that child is zapped its parent kvm_mmu_page has direct=1 and kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[] in older kernels). It therefore fails to remove the recorded entry. When the memslot is dropped the shadow page is freed but the rmap entry survives, as in the scenario that was already fixed. Code that later walks that gfn (dirty logging, MMU notifier invalidation, and so on) dereferences an sptep that lies in the freed page, causing the use-after-free.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Protection mechanism failure in NousResearch hermes-agent (≤ 0.15.2) allows remote authenticated attackers to bypass shell execution controls via the shell.exec function in tui_gateway/server.py, resulting in low-level confidentiality, integrity, and availability impact. The vulnerability is classified under CWE-693 and carries a CVSS 4.0 score of 5.3 (Medium), with a publicly available proof-of-concept exploit hosted on GitHub. No patch has been issued - the vendor did not respond to the researcher's disclosure - meaning all deployments of hermes-agent up to and including version 0.15.2 remain exposed.

Information Disclosure Hermes Agent
NVD VulDB GitHub
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Session data exposure in FederatedAI FATE's OSX Broker gRPC component allows an authenticated federated party to manipulate session routing arguments and access data belonging to a different federated session. Affected versions extend through FATE 2.2.0, specifically in the QueuePushReqStreamObserver.initEggroll method within the Java-based OSX Broker. No public exploit confirmed active exploitation (not in CISA KEV), though exploit code has been publicly disclosed via a GitHub issue, and the CVSS 4.0 score of 2.3 reflects the high attack complexity and limited confidentiality impact.

Java Information Disclosure Fate
NVD VulDB GitHub
EPSS 0% CVSS 2.3
LOW POC Monitor

PHP file inclusion in PHPIPAM allows authenticated API users to include and execute arbitrary PHP files from the web server's filesystem, with primary impact on application confidentiality through exposure of sensitive configuration data. Exploitation is gated behind two non-default conditions: the REST API must be deliberately enabled by an administrator, and the attacker must hold valid API credentials - constraining the realistic attack surface substantially. Publicly available exploit code exists per Project Black's research blog, though the vulnerability carries a CVSS 4.0 score of 2.3 and is absent from CISA KEV, reflecting its narrow exploitation prerequisites rather than widespread threat activity.

LFI Information Disclosure PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Unity Parsec for Windows (all builds through v2026-05-04.0) lets an unprivileged local user coerce an instance of parsecd.exe to run as NT AUTHORITY\SYSTEM while honoring a user-controlled AppData environment variable, allowing the attacker to redirect the privileged process to resources under their control and gain SYSTEM. The flaw is a CWE-648 misuse of privileged APIs; publicly available exploit code exists (a dedicated CVE GitHub repository and a researcher write-up), and it is fixed in Parsec for Windows 150-104a. It is not listed in CISA KEV and no EPSS score was supplied, so there is no evidence of widespread active exploitation.

Microsoft Information Disclosure Parsec
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW Monitor

Case-sensitivity bypass in NousResearch hermes-agent through version 2026.4.30 allows authenticated remote attackers to leak limited reasoning content that should have been scrubbed by the Streaming Reasoning Tag Filter. The vulnerability resides in `GatewayStreamConsumer._filter_and_accumulate` within `gateway/stream_consumer.py`, where tag matching fails to account for case variations, permitting reasoning tokens to escape filtration. A public proof-of-concept exploit has been disclosed; however, the vendor has formally declined to issue a patch, classifying the maintenance cost as disproportionate to the assessed risk.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Information disclosure in DeepMyst Mysti's Per-Project Auto-Memory Handler allows low-privileged remote attackers to expose resources by supplying a manipulated workspacePath argument to the initProjectMemory function in src/managers/MemoryManager.ts. EUVD-2026-41610 confirms versions 0.1 through 0.4.0 are affected. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.3 reflects a limited, confidentiality-only impact with no integrity or availability consequences.

Information Disclosure Mysti
NVD VulDB GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) arises from an HMAC signature ambiguity in the Actions Artifacts V4 signed-URL scheme, letting an authenticated low-privilege user reuse a validly signed URL outside its intended repository or task context. An attacker with access to a single Actions task can read private artifacts belonging to other repositories and write upload-state for tasks they do not own, crossing the repository trust boundary (CVSS 9.6, scope-changed). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Jwt Attack Gitea Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in Gitea Open Source Git Server (through 1.26.2) allows a user whose repository access has been revoked to continue viewing private issue metadata via the Notification API, because notification records are not purged or re-authorized when permissions change. The CVSS 3.1 base score is 7.5 (C:H) and the vendor (Gitea) fixed it in 1.26.3/1.26.4. No public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile), indicating limited near-term exploitation likelihood.

Information Disclosure Gitea Open Source Git Server
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Information disclosure in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based attackers to expose sensitive browser data through a use-after-resource condition (CWE-672). Exploitation requires user interaction and high attack complexity, but the changed scope (S:C) indicates the flaw breaches browser isolation boundaries, yielding high confidentiality impact. No public exploit or active exploitation has been identified at time of analysis; vendor patch is available from Microsoft MSRC.

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in Microsoft Edge for Android (Chromium-based) allows a network-based attacker to expose a victim's private personal information, but only after luring the user into interacting with attacker-controlled content (UI:R). The flaw carries a CVSS 7.1 rating driven by high confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A vendor patch is available via Microsoft's MSRC update guide.

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in Microsoft Edge for Android allows a remote unauthenticated attacker to exfiltrate private personal information over the network when a victim interacts with attacker-controlled content. The flaw carries a CVSS 7.1 with high confidentiality impact and stems from private data being exposed to an unauthorized actor (CWE-359); Microsoft has released a fix. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 7.4
HIGH PATCH This Week

Information disclosure in Microsoft Edge (Chromium-based) lets a remote attacker read sensitive data by abusing improper symbolic/link resolution (CWE-59) when a victim interacts with attacker-controlled content. Exploitation requires user interaction (UI:R) but no authentication (PR:N), and the scope-changed impact (S:C) indicates data is exposed beyond the browser's own security boundary. Microsoft has released a fix; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 expose sensitive information to unauthorized network actors, enabling spoofing attacks against users who interact with attacker-controlled content. The vulnerability maps to CWE-200, indicating that browser-internal sensitive data (likely origin, URL, or session context) is improperly disclosed across a network boundary, allowing an attacker to impersonate trusted content or identities. No public exploit code or CISA KEV listing exists at time of analysis; however, the CVSS score of 6.5 with a network attack vector and no privilege requirement underscores meaningful real-world risk for any unpatched Edge deployment.

Google Microsoft Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Race condition in Microsoft Edge (Chromium-based) permits a locally authenticated, low-privileged attacker to disclose information beyond the intended security boundary, with the CVSS scope change (S:C) indicating impact can extend outside the directly vulnerable component - potentially across process or sandbox boundaries within the browser. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, placing it in a lower operational priority tier despite the scope change. Microsoft has released a patch via the MSRC advisory.

Information Disclosure Microsoft Race Condition +2
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.

Information Disclosure Microsoft Gitea +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Gitea versions before 1.25.5 mishandle path resolution during template repository generation, allowing template processing to read or write through symlinked or otherwise non-regular paths.

Gitea Information Disclosure Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Gitea 1.26.2 allows unauthorized users to access labels of private organizations.

Gitea Information Disclosure Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to a fork that should no longer be authorized.

Gitea Information Disclosure Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Gitea versions before 1.25.5 lack validation constraints for repository creation fields, including length-limited template fields and trust model or object format values.

Gitea Information Disclosure Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

TOTP two-factor authentication replay in Gitea 1.5.0 through 1.26.2 lets a captured valid one-time code be accepted multiple times instead of being invalidated after first use, weakening 2FA on both the web login flow and the Basic Auth X-Gitea-OTP header path. An attacker who observes a legitimate TOTP code (via interception, shoulder-surfing, or logging) can replay it within its validity window to authenticate as the victim. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is fixed in Gitea 1.26.3.

Gitea Information Disclosure Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 2.9
LOW Monitor

Session fixation in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables remote attackers to pre-set a known session identifier in a victim's browser, then hijack the authenticated session after the victim logs in. The CVSS 4.0 score of 2.9 reflects limited impact scope (low confidentiality, integrity, and availability) combined with high attack complexity, though a public exploit has been released (E:P). No CISA KEV listing indicates no confirmed widespread active exploitation at time of analysis.

Session Fixation Information Disclosure Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Double-free heap corruption in Open Asset Import Library (Assimp) through version 6.0.4 allows remote low-privileged attackers to corrupt process memory by supplying a maliciously crafted PLY 3D model file to the ExportToBlob function in the PLY Model Handler. A publicly available proof-of-concept exploit was disclosed alongside the report. The CVSS 4.0 score of 5.3 (Medium) reflects limited confidentiality, integrity, and availability impact on the vulnerable system, though CWE-415 double-free conditions in C++ libraries carry latent potential for escalated impact depending on memory layout and heap state at runtime.

Information Disclosure Assimp
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized child group disclosure in Red Hat Build of Keycloak's Fine-Grained Admin Permissions v2 (FGAP v2) exposes group names, paths, and custom attributes to delegated administrators who lack direct authorization over those child groups. When FGAP v2 is enabled and a delegated admin queries child groups through a parent group endpoint, the system omits the required per-permission filter, returning records that should be outside the caller's scope. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, placing it in the category of a low-severity information disclosure risk that is nonetheless significant in multi-tenant IAM environments where group attribute confidentiality matters.

Information Disclosure Red Hat Build Of Keycloak Red Hat
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Symlink-following vulnerability in Dell PowerProtect Data Domain allows a high-privileged remote attacker to traverse outside intended file paths and read arbitrary files, resulting in information disclosure. Multiple version branches are affected, including the current mainstream 8.7 release, LTS2026 builds through 8.6.1.10, LTS2025 builds through 8.3.1.30, and LTS2024 builds through 7.13.1.70. Dell published advisory DSA-2026-278 addressing this issue; no public exploit code or active exploitation has been identified at time of analysis.

Dell Information Disclosure Powerprotect Data Domain
NVD VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Information exposure in Dell PowerProtect Data Domain across multiple release tracks allows a low-privileged local attacker to read sensitive residual data via an uninitialized memory resource (CWE-908). The flaw spans the mainline 7.7.1.0-8.7 branch and three LTS tracks (LTS2024, LTS2025, LTS2026), confirmed by Dell via advisory DSA-2026-278. No public exploit code exists and no active exploitation has been identified; the CVSS 3.3 score and local-only attack vector place this firmly in the low-severity tier.

Dell Information Disclosure Data Domain Operating System
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Out-of-bounds heap read in the Net::IP::LPM Perl module (all versions through 1.10) is triggered when an application passes an oversized CIDR prefix length (e.g. add("1.2.3.4/255") or a /255 IPv6 prefix) to the trie builder, which walks the packed address buffer by the attacker-supplied bit count without validating it against the 32-bit/128-bit address width. The read runs at most ~32 bytes past a 4- or 16-byte buffer and its contents are never returned through the module's API, so real-world impact is limited to a possible process abort under AddressSanitizer, valgrind, or a hardened allocator. No public exploit identified at time of analysis; EPSS is low (0.23%, 13th percentile) and SSVC lists exploitation status as none.

Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Dell PowerProtect Data Domain exposes sensitive file content to high-privileged local attackers through a symlink-following flaw (CWE-59), where the application fails to validate link targets before file access. Affected versions span multiple release trains including the current 8.x mainline and LTS branches. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Dell Information Disclosure Data Domain Operating System
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Sensitive information disclosure in Dell PowerProtect Data Domain exposes credentials or configuration data to local low-privileged attackers via insufficiently protected log files. Affected are multiple release trains spanning versions 7.7.1.0 through 8.7, with specific LTS branches also impacted. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact (C:H) warrants prompt patching on any appliance accessible to untrusted local users or shared administrative accounts.

Dell Information Disclosure Data Domain Operating System
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Format string exploitation in Dell PowerProtect Data Domain enables remote high-privileged attackers to disclose memory contents and crash the service across multiple concurrent release trains. Affected versions span the mainline (7.7.1.0-8.7), LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches, creating broad organizational exposure for enterprises running any supported Data Domain release. No public exploit or confirmed active exploitation has been identified at time of analysis; the mandatory high-privilege prerequisite substantially constrains the realistic attacker pool.

Dell Denial Of Service Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Dell PowerProtect Data Domain's handling of a less-trusted data source allows a remote, high-privileged attacker to perform limited information tampering, classified under CWE-348. Affected are multiple release trains spanning versions 7.7.1.0 through 8.7, including LTS2024, LTS2025, and LTS2026 long-term support branches. With a CVSS base score of 2.7 (Low) and no confirmed active exploitation or public proof-of-concept, real-world impact is constrained by the high privilege requirement and the limited integrity-only scope of the vulnerability.

Dell Information Disclosure Powerprotect Data Domain
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Path traversal in Dell PowerProtect Data Domain allows a locally authenticated high-privileged attacker to read files outside restricted directories, resulting in information disclosure. Affected deployments span multiple release trains - standard releases 7.7.1.0 through 8.6, LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, and LTS2024 7.13.1.0-7.13.1.70. No public exploit identified at time of analysis; the low CVSS score of 2.3 correctly reflects the high privilege and local access prerequisites that substantially constrain real-world exploitation scope.

Dell Path Traversal Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-site WebSocket hijacking in Eclipse Theia's browser backend (versions 1.8.1 and later) lets a foreign-origin web page reach the unauthenticated /services shell-terminal RPC namespace and execute arbitrary OS commands on the victim's host. The flaw stems from fail-open Origin validation in @theia/core combined with a client-controllable fix-origin header, so simply luring a developer running Theia to a malicious site yields remote code execution. There is no public exploit identified at time of analysis, and CVSS is rated 8.8 (High) driven by the user-interaction-only barrier.

Information Disclosure Eclipse Theia
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Local File Inclusion in the RTMKit (rometheme-for-elementor) plugin for WordPress versions up to and including 2.0.7 allows authenticated attackers with Contributor-level access to include and execute arbitrary PHP code on the server. The render_templates AJAX endpoint passes the unsanitized 'template' parameter directly into a PHP require/include statement, restricted only to files ending in _templates.php. Wordfence reported this vulnerability; no public exploit code or CISA KEV listing is present at time of analysis.

WordPress LFI Information Disclosure +2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Physical-access authentication bypass in Dell Client Platform BIOS (CWE-305) affects a sweeping range of Dell consumer, gaming, and enterprise platforms - including Inspiron, Alienware, Latitude, OptiPlex, and Precision lines. An unauthenticated attacker with physical access and the ability to meet high-complexity attack conditions can bypass the primary BIOS authentication mechanism, resulting in information disclosure and, per the CVSS integrity metric (I:H), potential high-integrity impact. Notably, the declared impact in the description is limited to 'Information Disclosure' while the supplied CVSS vector assigns I:H, a discrepancy that warrants clarification from Dell's advisory DSA-2026-195. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Dell Information Disclosure +177
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Cleartext storage of sensitive parameters in Puppet's resource_api module (versions 1.5.0-1.9.1 and 2.0.0) causes passwords and other credential values to persist unmasked in the Puppet agent's local transaction state cache. The sensitive flag - intended to prevent exactly this exposure - is silently dropped during resource_api parameter processing, meaning any resource type built on this API and declaring sensitive parameters leaks those values to the cache filesystem. No public exploit exists and this is not listed in CISA KEV, but the confidentiality impact is high for environments where Puppet manages secrets such as database passwords or API tokens.

Information Disclosure Puppet Core Puppet Enterprise
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM This Month

Improper export of Android application components in the ASUS Router App enables any co-installed third-party application on the same Android device to send a crafted Intent that forces the ASUS Router App to navigate to an attacker-specified URL. The flaw, classified as CWE-926, allows an attacker-controlled application to abuse the exposed component as an open redirect, potentially rendering phishing content or harvesting router management credentials within the app's trusted interface context. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Information Disclosure Google Router App
NVD
MEDIUM POC PATCH This Month

CVE-2026-49838 is a vulnerability reported by Ubuntu with no description, CVSS score, CWE classification, or technical detail available at time of analysis. The CVE identifier falls in the 2026 range, suggesting this may be a recently reserved or embargoed entry. No impact, affected component, or exploitation vector can be determined from the provided data.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated public listing of an Azure Blob Storage container exposes device log files across the entire Gardyn smart garden fleet to any internet-accessible actor. The misconfiguration affects all versions of Gardyn Home Firmware, Gardyn Studio Firmware, and the Gardyn Cloud API, meaning no specific patched version bounds the exposure - it is architectural rather than release-specific. Reported via ICS-CERT advisory ICSA-26-183-03, no confirmed active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis, though exploitation requires zero technical prerequisites beyond internet access and knowledge of the container URL.

Microsoft Information Disclosure Gardyn Home Firmware +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in pdfcpu (the Go PDF processing library and CLI) through v0.11.1 lets a remote attacker crash any application that parses attacker-supplied PDFs by submitting a document with deeply nested objects. The parser follows nested arrays recursively via ParseObjectContext() and parseArray() with no depth cap, so a crafted file exhausts the goroutine stack and aborts the process. No public exploit is identified at time of analysis and EPSS is low (0.17%, 7th percentile), consistent with an availability-only bug rather than a code-execution risk.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

HTTP request smuggling in Ruby's WEBrick HTTP server through v1.9.2 allows remote attackers to desynchronize front-end/back-end request parsing by exploiting how WEBrick reparses a Content-Length value supplied in chunked trailers back into the canonical request state. Any deployment fronting WEBrick with a proxy, load balancer, or CDN that disagrees on message length can have requests smuggled past it, enabling request routing manipulation and information disclosure. Publicly available exploit code exists (SSVC exploitation status: poc), though EPSS remains low at 0.16% and it is not on CISA KEV.

Request Smuggling Canonical Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authentication-bypass leading to remote code execution in 9router (npm package 9router) lets attackers reach spawn-capable MCP routes that were meant to be loopback-only. This is an incomplete fix for CVE-2026-46339: the local-only gate in src/dashboardGuard.js decides 'local' from attacker-controllable Host and Origin headers instead of the TCP source address, so any proxied or tunneled (Cloudflare Tunnel / Tailscale) deployment can be tricked into treating remote requests as local. Combined with the deterministic, machine-ID-derived CLI token, a remote attacker can inject JSON-RPC into MCP child processes (node, python, npx, etc.) and execute code on the host; no public exploit identified at time of analysis, though detailed reproduction steps are published in the vendor advisory.

Authentication Bypass Python Information Disclosure +1
NVD GitHub
CVSS 9.8
CRITICAL Act Now

Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.

Path Traversal Authentication Bypass Nginx +2
NVD GitHub
HIGH PATCH This Week

Source-code disclosure in the Algernon web/application server (Go, xyproto/algernon, tested at v1.17.8) lets an unauthenticated remote client retrieve the raw source of any public-path server-side script on Windows hosts by appending an NTFS-equivalent suffix (::$DATA, a trailing dot, or a trailing space) to the URL. Because filepath.Ext() does an exact suffix match, these forms are not recognized as .lua/.tl/.po2/.amber/.frm and fall through to the raw-file branch, while NTFS canonicalizes the name back to the real script, exposing embedded database credentials and the SetCookieSecret value used to forge session cookies. Publicly available exploit code exists (full PoC in the GitHub advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Apple Microsoft +1
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

Unbounded memory exhaustion in zebrad's mempool download pipeline allows unauthenticated remote peers to crash Zcash full nodes by sustaining P2P transaction traffic. The root cause is that timed-out verification tasks never remove their entries from the `cancel_handles` map because `tokio::time::error::Elapsed` carries no payload, making the transaction ID unrecoverable at the timeout arm of `Downloads::poll_next()`. All nodes running zebrad up to v4.4.1 with default configuration are affected, and a working end-to-end reproduction exists on a live regtest network. No patch has been released at time of analysis; the only recovery action is a node restart.

Information Disclosure
NVD GitHub
CVSS 6.5
MEDIUM PATCH This Month

Persistent RocksDB state corruption in zebrad up to v4.4.1 arises from an asymmetric cleanup bug in the non-finalized chain fork handler: `pop_tip` omits the Sapling and Orchard note commitment subtree root cleanup that `pop_root` correctly performs, causing stale subtree root entries to survive in memory and be flushed to disk during subsequent chain finalization. The corrupted subtree root history survives node restarts and is served to downstream consumers of `z_getsubtreesbyindex` - primarily `lightwalletd` and light wallets - causing wallet synchronization failures or incorrect wallet state that requires a full database rebuild to recover. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV; the risk is passive silent corruption accumulating on all unpatched nodes during routine chain fork events rather than adversarial exploitation.

Information Disclosure
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass via hard-coded default credentials in AutoBangumi before 3.2.8 lets unauthenticated remote attackers log in as administrator using publicly known credentials that the application seeds at startup via add_default_user() whenever the users table is empty. Successful login grants full control over RSS feed and downloader configuration and every authenticated API endpoint (CVSS 4.0 9.3). No public exploit identified at time of analysis, but the credentials are public and exploitation is trivial against any un-upgraded, freshly-initialized instance.

Information Disclosure Auto Bangumi
NVD GitHub
HIGH PATCH This Week

Remote denial-of-service in Zebra (zebrad ≤ v4.4.1), the Zcash Foundation's Rust node, lets an unauthenticated P2P peer permanently stall a targeted node at a chosen block height. By exploiting ZIP-244 transaction malleability, an attacker crafts a poisoned block body sharing the same header hash as a valid canonical block; Zebra caches the hash before validation and never evicts it on failure, so the legitimate block is later rejected as a duplicate. This is a real availability threat against default configurations, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was independently reproduced end-to-end by two researchers.

Information Disclosure Canonical Checkpoint
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Plaintext recovery of webflow conversation state in Apereo CAS (versions 7.3.0 up to but not including 8.0.0-RC6) lets remote unauthenticated attackers decrypt sensitive login-flow data by exploiting AES-GCM nonce reuse. Because the server encrypts client-side webflow execution tokens with a fixed all-zero initialization vector under a single long-lived key, an attacker can harvest multiple tokens from the public login page and apply known-plaintext/keystream-reuse analysis to break confidentiality (and, given GCM's nonce-reuse properties, integrity of the token). Publicly available exploit code exists; the flaw was reported by VulnCheck and carries a CVSS 4.0 base of 9.3, though no CISA KEV listing or EPSS score is provided.

Information Disclosure Cas
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Authentication bypass via OIDC discovery poisoning in Dapr Sentry allows a remote unauthenticated attacker to inject an attacker-controlled issuer and jwks_uri into the /.well-known/openid-configuration document by supplying a crafted X-Forwarded-Host header. Because the endpoint honors that header without validation when no allowed-hosts list is set (the default) and caches the response publicly for one hour, relying parties that perform dynamic, unpinned OIDC discovery will fetch keys from an attacker's server and accept attacker-signed JWTs - effectively forging trusted identities. Reported by VulnCheck (CVSS 4.0 8.2); no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Dapr
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Denial of service in Pathway data-processing framework (versions through 0.31.1) lets a remote unauthenticated attacker exhaust CPU by submitting a short glob pattern packed with many ** tokens to the document store's /v1/retrieve, /v1/inputs and /v2/answer endpoints. The hand-written recursive matcher branches exponentially on each ** without memoization, so a handful of crafted requests can stall the service for tens of seconds each and deny availability. Publicly available exploit code exists and a vendor patch (commit d09722e) is available; the flaw is not listed in CISA KEV.

Information Disclosure Pathway
NVD GitHub
CVSS 6.5
MEDIUM PATCH This Month

Process termination via crafted RPC input in zebrad (Zcash Foundation's Zcash node) up to v4.4.1 allows an authenticated network attacker to kill the entire node daemon by submitting a `getblocktemplate` RPC call with a `LongPollId` parameter containing multi-byte UTF-8 characters. The root cause is unsafe byte-index string slicing in Rust, which panics when a byte offset lands mid-character; because the release profile sets `panic = "abort"`, this immediately terminates the zebrad process rather than unwinding only the RPC task. No public exploit or active exploitation is identified at time of analysis, but the attack is trivially repeatable on restart, making it a reliable denial-of-service for mining pools and infrastructure dependent on the getblocktemplate workflow.

Information Disclosure
NVD GitHub
LOW POC PATCH Monitor

Unauthenticated OAuth client secret disclosure in Dragonfly Manager (dragonflyoss/dragonfly <= v2.4.3) exposes GitHub and Google OAuth client_secret values to any host that can reach the Manager REST API port. The GET /api/v1/oauth and GET /api/v1/oauth/:id handlers omit the jwt.MiddlewareFunc() and RBAC middleware enforced on every other admin route group in the same router file - including the write methods (POST, DELETE, PATCH) in the same /oauth group - and the models.Oauth struct serializes ClientSecret without redaction. A detailed proof-of-concept with captured output is included in the advisory; no CISA KEV listing is present and EPSS data is unavailable.

Google Authentication Bypass Redis +2
NVD GitHub
HIGH PATCH This Week

Denial of service in Conform's `parseSubmission` future API allows remote attackers to exhaust server CPU by submitting FormData or URLSearchParams payloads containing many unique field names. Affecting the @conform-to/dom npm package used in React/Remix form-handling stacks, the flaw stems from the parser repeatedly scanning submitted entries during name-based value lookups, producing worst-case super-linear (effectively quadratic) synchronous work per request. There is no public exploit identified at time of analysis and no CISA KEV listing; impact is availability degradation rather than data exposure, despite the input's mislabeled 'Information Disclosure' tag.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Improper cryptographic signature verification in the CubeSpace CW0057 Reaction Wheel firmware (versions prior to 5.0.20) permits an attacker with physical access to flash arbitrary, unsigned firmware onto the device without any authentication. This affects a safety-critical spacecraft attitude control component used in CubeSat and small satellite missions, where unauthorized firmware replacement could cause mission-critical failures including attitude loss or uncontrolled spacecraft behavior. A proof-of-concept exploit exists (indicated by E:P in the CVSS 4.0 supplemental vector); no active exploitation has been confirmed by CISA KEV at time of analysis.

Jwt Attack Information Disclosure Cw0057 Reaction Wheel
NVD
MEDIUM POC PATCH This Month

{}` that carries no `CheckRedirect` policy. Because Go's `net/http` strips only the standard `Authorization`, `Cookie`, and `WWW-Authenticate` headers on cross-host redirects - not arbitrary custom headers - any 30x redirect issued by the configured `HubURI` causes both keys to be forwarded verbatim to the redirect destination. A proof-of-concept confirming the leak has been provided by the reporter; no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Open Redirect Information Disclosure
NVD GitHub
MEDIUM POC PATCH This Month

Incorrect conditional-move output in the RustCrypto `cmov` crate's aarch64 backend causes cryptographic constant-time operations to silently produce wrong results on aarch64 platforms. The inline assembly implementations of `Cmov` and `CmovEq` compare full 32-bit register contents instead of the intended narrowed type widths when evaluating conditions, because Rust's inline assembly specification explicitly leaves upper register bits undefined for inputs smaller than the register size. A proof-of-concept demonstrating the failure is included in the advisory; the vulnerability is not listed in CISA KEV and no active exploitation has been reported.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Stored cross-site scripting in the TP-Link Archer C5 v6.8 router web management interface lets an authenticated administrator inject persistent HTML/JavaScript into a user-controlled field that later executes in another administrator's browser session. The flaw affects ISP-managed firmware variants and can be leveraged for session hijacking and unauthorized modification of router configuration. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires existing admin access, sharply limiting real-world impact.

Authentication Bypass XSS Information Disclosure
NVD
EPSS 1% CVSS 8.7
HIGH This Week

Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Information Disclosure
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Path-traversal enumeration in Erlang OTP's ssh_sftpd module allows authenticated SFTP users to determine whether arbitrary filesystem paths exist outside the configured SFTP root directory. The SSH_FXP_REALPATH handler uniquely passes Canonicalize=false to relate_file_name/3, causing dotdot traversal sequences to skip the is_within_root/2 boundary check before entering resolve_symlinks/2, which then issues read_link() syscalls on arbitrary host paths. Affected versions span OTP 17.0 through the fixed releases 29.0.3, 28.5.0.3, and 27.3.4.14; no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Oracle Information Disclosure Otp
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-tenant entry takeover in Craft CMS 5.7.0 through 5.9.20 lets a low-privileged author overwrite another user's existing entry by smuggling a numeric id through the newAttributes parameter of the bulk-duplicate element action. Because the duplication routine re-applies attacker-controlled attributes after nulling the primary key, a UPDATE is executed against the victim's row instead of an INSERT, letting the attacker rewrite the victim's title, slug, authorId, postDate, and UID. No public exploit identified at time of analysis and it is not in CISA KEV; the flaw is fixed in version 5.9.21.

Information Disclosure PHP Cms
NVD GitHub VulDB
CVSS 9.8
CRITICAL POC PATCH Act Now

Missing authentication in mcp-memory-service's HTTP REST server exposes every route under /api/documents/* without any credential check, even when the operator has enabled MCP_API_KEY or OAuth, so remote attackers can upload, read, and delete stored memories at will. Because the sibling /api/memories router correctly enforces auth (returning 401), the gap is an inconsistent, easily-discovered authentication boundary that grants full confidentiality, integrity, and availability impact. A working PoC and vendor GitHub Security Advisory (GHSA-84hp-mqvj-3p8h) exist, so publicly available exploit code exists, though no CISA KEV listing or EPSS score was provided.

Authentication Bypass Python Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious web page ride that user's active session to perform privileged actions on the device, stemming from a permissive CORS policy that trusts untrusted origins. The flaw affects UniFi OS Server and the console firmware running on Dream Machines, Dream Routers, Dream Wall, Cloud Gateways, Cloud Keys, Enterprise Fortress Gateway, Express 7, and Network/Enterprise Video Recorders. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; success hinges on social-engineering an already-logged-in admin (CVSS 7.5, UI:R, AC:H).

Ubiquiti Cors Misconfiguration Information Disclosure +12
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Little Orbit's GameFirst Anti-Cheat (GFAC) kernel driver GFAC_Sys_x64.sys allows an unprivileged local user to invoke privileged driver functionality because the minifilter communication port exposes its interface without proper access control. Any local account can send crafted requests through the port to reach kernel-level operations, yielding full confidentiality, integrity, and availability impact (CVSS 7.8). A CERT/CC-coordinated advisory (VU#639124) and a public GitHub repository covering CVE-2026-12166/12167/12168 suggest exploit code is likely available, though no active exploitation is confirmed.

Information Disclosure Gamefirst Anti Cheat
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Privilege escalation via incorrect authorization in Progress Flowmon lets an authenticated low-privileged user abuse the PDF generation workflow to have operations executed under another user's identity, exposing sensitive data and permitting unauthorized configuration changes. It affects all Flowmon releases before 12.5.9 (12.x branch) and before 13.0.10 (13.x branch). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).

Authentication Bypass Information Disclosure Flowmon
NVD VulDB
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Remote username enumeration in GoFiber fiber v3's default BasicAuth middleware exploits a timing side-channel caused by Go's short-circuit `&&` evaluation, producing a ~1,000,000:1 response-time ratio between valid and invalid usernames when bcrypt hashing is in use. Any GoFiber v3 application relying on the default `Authorizer` with hashed credentials is affected; an unauthenticated remote attacker can enumerate valid usernames by measuring HTTP response latency, then focus credential brute-force exclusively on confirmed accounts. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Oracle Information Disclosure
NVD GitHub VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() l2cap_chan_close() removes the channel from conn->chan_l, which must be done under conn->lock. cleanup_listen() runs under the parent sk_lock, so acquiring conn->lock would invert the established conn->lock -> chan->lock -> sk_lock order. Instead of calling l2cap_chan_close() directly, schedule l2cap_chan_timeout with delay 0 to close the channel asynchronously. The timeout handler already acquires conn->lock and chan->lock in the correct order. The timer is only armed when chan->conn is still set: if it is already NULL, l2cap_conn_del() has already processed this channel (l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb), so there is nothing left to do. If l2cap_conn_del() races in after the timer is armed, __clear_chan_timer() inside l2cap_chan_del() cancels it; if the timer has already fired, the handler returns harmlessly because chan->conn was cleared.

Linux Information Disclosure
NVD VulDB
Prev Page 10 of 741 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
66654

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy