Skip to main content

Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (66657)

EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Little Orbit's GameFirst Anti-Cheat (GFAC) kernel driver GFAC_Sys_x64.sys allows an unprivileged local user to invoke privileged driver functionality because the minifilter communication port exposes its interface without proper access control. Any local account can send crafted requests through the port to reach kernel-level operations, yielding full confidentiality, integrity, and availability impact (CVSS 7.8). A CERT/CC-coordinated advisory (VU#639124) and a public GitHub repository covering CVE-2026-12166/12167/12168 suggest exploit code is likely available, though no active exploitation is confirmed.

Information Disclosure Gamefirst Anti Cheat
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Privilege escalation via incorrect authorization in Progress Flowmon lets an authenticated low-privileged user abuse the PDF generation workflow to have operations executed under another user's identity, exposing sensitive data and permitting unauthorized configuration changes. It affects all Flowmon releases before 12.5.9 (12.x branch) and before 13.0.10 (13.x branch). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).

Authentication Bypass Information Disclosure Flowmon
NVD VulDB
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Remote username enumeration in GoFiber fiber v3's default BasicAuth middleware exploits a timing side-channel caused by Go's short-circuit `&&` evaluation, producing a ~1,000,000:1 response-time ratio between valid and invalid usernames when bcrypt hashing is in use. Any GoFiber v3 application relying on the default `Authorizer` with hashed credentials is affected; an unauthenticated remote attacker can enumerate valid usernames by measuring HTTP response latency, then focus credential brute-force exclusively on confirmed accounts. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Oracle Information Disclosure
NVD GitHub VulDB
EPSS 0%
PATCH Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() l2cap_chan_close() removes the channel from conn->chan_l, which must be done under conn->lock. cleanup_listen() runs under the parent sk_lock, so acquiring conn->lock would invert the established conn->lock -> chan->lock -> sk_lock order. Instead of calling l2cap_chan_close() directly, schedule l2cap_chan_timeout with delay 0 to close the channel asynchronously. The timeout handler already acquires conn->lock and chan->lock in the correct order. The timer is only armed when chan->conn is still set: if it is already NULL, l2cap_conn_del() has already processed this channel (l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb), so there is nothing left to do. If l2cap_conn_del() races in after the timer is armed, __clear_chan_timer() inside l2cap_chan_del() cancels it; if the timer has already fired, the handler returns harmlessly because chan->conn was cleared.

Linux Information Disclosure
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() bt_accept_dequeue() unlinks a not-yet-accepted child from the parent accept queue and release_sock()s it before returning, so the returned sk has no caller reference and is unlocked. l2cap_sock_cleanup_listen() walks these children on listening-socket close. A concurrent HCI disconnect drives hci_rx_work -> l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and frees the child sk and its l2cap_chan; cleanup_listen() then uses both: BUG: KASAN: slab-use-after-free in l2cap_sock_kill l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill This is distinct from the two fixes already in this area: commit e83f5e24da741 ("Bluetooth: serialize accept_q access") serialises the accept_q list/poll and takes temporary refs inside bt_accept_dequeue(), and CVE-2025-39860 serialises the userspace close()/accept() race by calling cleanup_listen() under lock_sock() in l2cap_sock_release(). Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF still reproduces on current bluetooth/master. Take the reference at the source: bt_accept_dequeue() does sock_hold() while sk is still locked, before release_sock(); callers sock_put(). cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on SOCK_DEAD. conn->lock is not taken here: cleanup_listen() runs under the parent sk lock and that would invert conn->lock -> chan->lock -> sk_lock (lockdep). KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced 12 use-after-free reports per run before this change; 0, and no lockdep report, over 1600+ raced iterations after it on bluetooth/master.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sensitive data exposure in the Kit (formerly ConvertKit) for WooCommerce WordPress plugin versions 2.1.5 and below allows remote unauthenticated attackers to access sensitive information without any credentials or user interaction. The vulnerability is classified under CWE-497, indicating the plugin inadvertently surfaces system or application-level sensitive data to an unauthorized control sphere - likely including API keys, subscriber data, or configuration secrets tied to the Kit email marketing integration. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure Kit Formerly Convertkit For Woocommerce
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the SportsPress Pro WordPress plugin (versions 2.7.29 and earlier) lets an authenticated user holding at least Contributor privileges cause the application to include and disclose arbitrary local files on the server. Because the flaw is rooted in unsafe PHP file inclusion (CWE-98), a successful attacker can read sensitive files such as wp-config.php and, depending on which local files can be included, potentially escalate toward code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the finding is documented by Patchstack.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Shopify (Shopify Help Center) WordPress plugin through version 1.0.0 allows an authenticated user with at least Contributor privileges to include and read arbitrary local files on the server, potentially escalating to code execution via CWE-98-style file-inclusion abuse. The flaw was reported by Patchstack and carries a CVSS 7.5 rating driven by high confidentiality, integrity, and availability impact but with high attack complexity. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Broken authentication in VillaTheme's ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce (all versions up to and including 2.2.0) permits remote unauthenticated attackers to bypass authentication controls under high-complexity conditions, yielding limited read and write access to protected plugin functionality. Assigned CVSS 3.1 score of 4.8 with AV:N/AC:H/PR:N, the high attack complexity signals that exploitation requires specific preconditions rather than a trivial request. No public exploit code or active exploitation has been identified at time of analysis, and CISA KEV listing is absent.

WordPress Information Disclosure Ald Dropshipping And Fulfillment For Aliexpress And Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive subscriber data exposure in the Hotel Booking Lite WordPress plugin (versions 6.0.3 and earlier) allows authenticated low-privileged users to access confidential booking or guest information they should not be authorized to view. The vulnerability, classified under CWE-201, involves the plugin including sensitive data in API responses or rendered output accessible to subscriber-level WordPress accounts. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact and low barrier to exploitation (only a subscriber account required) make patching a priority for any hospitality operator running this plugin.

Information Disclosure Hotel Booking Lite
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the Audrey WordPress theme (elated-themes) affects all versions up to and including 1.5, letting remote attackers coerce the PHP application into including arbitrary files. Because CWE-98 covers PHP file-inclusion flaws, a successful include can leak sensitive files (wp-config.php, credentials) and, where remote or attacker-controlled content is includable, escalate to code execution. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, though the network-reachable, unauthenticated nature (CVSS 8.1) makes it a meaningful patching priority for sites running this theme.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Pearl - Corporate Business WordPress theme (StyleMixThemes) versions 3.4.10 and earlier lets unauthenticated remote attackers coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and credentials. Rated CVSS 8.1 by Patchstack, the flaw requires no authentication (PR:N) but carries high attack complexity (AC:H), and depending on include handling could escalate from information disclosure toward code execution. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied in the source data.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the GoodLayers Tourmaster WordPress plugin (versions <= 5.4.5) allows low-privileged authenticated users at the Subscriber level to include and read arbitrary local files from the server, exposing sensitive data such as configuration files and credentials. Reported through Patchstack and mapped to CWE-98, the flaw carries a CVSS 7.5 (High) score with high attack complexity; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.

LFI Information Disclosure PHP +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive data exposure in the Corpkit WordPress theme (versions <= 1.0.5) allows an authenticated subscriber-level user to retrieve confidential information that should be inaccessible to that role. The CVSS vector (PR:L, C:H) confirms that any low-privileged account holder - the default registered-user role in WordPress - can trigger the disclosure over the network with no additional interaction required. No public exploit code or active exploitation has been identified at time of analysis, but the low barrier of entry (subscriber registration is often open on WordPress sites) elevates real-world risk.

Information Disclosure Corpkit
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the AncoraThemes 'Lighthouse' WordPress theme (versions 1.2.12 and earlier, classified under CWE-98) lets remote attackers with no credentials coerce the theme's PHP include/require logic into loading attacker-influenced file paths. Because CWE-98 covers PHP remote/local file inclusion, a successful attack can disclose sensitive server files (wp-config.php, credentials) and, depending on server configuration, escalate to code execution, which is why NVD scores full C/I/A impact. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

LFI Information Disclosure PHP +1
NVD
EPSS 1% CVSS 6.0
MEDIUM PATCH This Month

Memory leak in OpenVPN (pre-2.7.5) allows network-accessible unauthenticated attackers to exhaust server memory, resulting in high availability impact and denial of service. The flaw, classified CWE-401, requires specific attack prerequisites (CVSS 4.0 AT:P) and passive client interaction (UI:P), meaning it is not trivially exploitable against all default deployments. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis; vendor patch v2.7.5 is available.

Microsoft Information Disclosure Openvpn +2
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Denial-of-service in OpenVPN via a reachable assertion (CWE-617) allows a remote, low-privileged attacker to crash the OpenVPN daemon under high-complexity, timing-specific conditions. All OpenVPN deployments running versions prior to v2.7.5 are affected; the fix is available in the v2.7.5 release disclosed pre-NVD via GitHub. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 5.9 (Medium) reflects the constrained exploitation path, though VPN service disruption carries meaningful operational impact for affected operators.

Microsoft Information Disclosure Openvpn +2
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

DPoP (Demonstrating Proof-of-Possession) proof verification in OpenIDC's liboauth2 C library incorrectly accepts malformed proofs that embed private Elliptic Curve (EC) key material in the JWK header, directly violating RFC 9449 §4.3 step 7. The `oauth2_token_verify()` function returns success instead of rejecting such proofs, subverting DPoP's core token-binding security guarantee and enabling information disclosure of private key material. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and a patch is available in liboauth2 2.3.0.

Information Disclosure Liboauth2
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Secret credential leakage in StormShield Network Security's CLI tool exposes the proxy CA passphrase or TPM password to other users sharing an SSH session on the firewall appliance. Affected versions span three distinct branches - 4.3.0-4.3.41, 4.8.0-4.8.15, and 5.0.0-5.0.5 - and exploitation is gated behind SSH multiuser mode being explicitly enabled. No active exploitation has been confirmed by CISA KEV and no public proof-of-concept has been identified at time of analysis, though the leaked secrets carry high downstream value for privilege escalation or certificate authority abuse.

Information Disclosure Stormshield Network Security
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.

Authentication Bypass WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to experiments they are not authorized to access, defeating experiment-level authorization when authentication is enabled. The flaw stems from the trace API endpoints being omitted from the `_before_request` authorization handler, so requests reach these endpoints without any validator running. No public exploit has been identified at time of analysis, though a fix commit and huntr bounty report are public.

Authentication Bypass Information Disclosure Mlflow Mlflow
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Payment enforcement bypass in the User Registration & Membership WordPress plugin before 5.2.0 allows any visitor to self-register a free account and then activate a paid membership subscription without completing payment, gaining unauthorized access to gated premium content. The flaw is a business logic failure: the plugin activates the paid plan upon subscription initiation rather than upon confirmed payment receipt. No public exploit or CISA KEV listing exists at time of analysis, but exploitation is trivially low-effort given the plugin's open registration model and the CVSS vector of AV:N/AC:L/PR:N/UI:N.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Broken access control in the Adminify WordPress plugin before 4.2.10 allows authenticated Contributor-level users to enumerate sensitive site data through an administration search feature that omits per-user read-capability checks. Affected data includes other authors' unpublished post titles, pending comment content, installed plugin inventory, and registered user account names - all information WordPress's native capability model would otherwise restrict. No public exploit has been identified at time of analysis, and a vendor-released patch is available at version 4.2.10.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Broken access control in Fluent Forms WordPress plugin before 6.2.5 allows a restricted Manager role to permanently delete form submission entries belonging to forms outside their authorized scope. The flaw stems from missing authorization checks on the deletion endpoint, which fails to verify that the target submission belongs to a form the Manager is permitted to administer. This affects only installations where an administrator has explicitly created a restricted Manager account tied to specific forms - no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array indexing in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) allows a remote attacker to leak memory or crash the local WebSocket service by delivering a malformed 'pause' command. The addon runs a WebSocket server that backs the browser interfaces of GeoVision products such as GV-VMS and GV-Cloud, so any browser tricked into connecting to it can trigger the flaw. No public exploit identified at time of analysis; the issue was reported by the vendor (GeoVision) and documented by Cisco Talos (TALOS-2026-2373).

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision GeoWebPlayer (a.k.a. "Web Plugin"/"WS Player"), a websocket-server addon bundled with GV-VMS, GV-Cloud and related GeoVision software, lets an attacker who lures a victim to a malicious web page reach the localhost websocket and supply an unvalidated `index` to leak memory and corrupt state (CWE-129). The play command in particular accepts an attacker-controlled index used to index internal arrays without a range check, enabling information disclosure and potential code-path corruption. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor has published a security advisory and Talos has released a detailed report.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (a.k.a. 'Web Plugin' / 'WS Player') addon lets an attacker read memory, corrupt state, or crash the local WebSocket helper bundled with GV-VMS, GV-Cloud, and related surveillance software. The plugin's localhost WebSocket server processes commands (such as 'disconnect') that carry an attacker-controlled 'index' used to dereference internal arrays without bounds checking (CWE-129), yielding high confidentiality, integrity, and availability impact. The CVSS 3.1 vector (AV:N/UI:R/S:C) reflects a cross-origin browser-driven vector where a victim lured to a malicious page has their browser relay commands to the local WebSocket; there is no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (the 'Web Plugin'/'WS Player' addon bundled with GV-VMS, GV-Cloud and related software) lets an attacker abuse the local WebSocket server's snapshot command by supplying an unchecked 'index' value that indexes arrays beyond their bounds. Because the CVSS vector is AV:N/UI:R with a scope change, a victim who visits a malicious web page can have their browser drive the localhost WebSocket into out-of-bounds reads/writes, yielding information disclosure and potential memory corruption (C:H/I:H/A:H). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' for VMS-Cloud) lets an attacker corrupt memory or leak sensitive data by sending a 2wayAudio WebSocket command with an unchecked index value. The addon runs a localhost WebSocket server that expands GeoVision web interfaces, and its command handlers use caller-supplied index values to index internal arrays without validating their range. Reported by GeoVision and Talos (TALOS-2026-2373); no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Memory-disclosure and denial-of-service in GeoVision's GeoWebPlayer (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) stems from an unvalidated `index` parameter in its localhost WebSocket command handler (audio command path), letting an attacker read and act on out-of-bounds array elements. Because the WebSocket listener is reachable cross-origin, a victim who is lured to a malicious web page can have their browser drive the local service, so the effective attack vector is network-based despite the server binding to localhost. No public exploit code is identified at time of analysis, though a Cisco Talos advisory (TALOS-2026-2373) documents the flaw; it is not listed in CISA KEV.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets an attacker corrupt or read process memory by sending crafted WebSocket commands to the localhost server the addon exposes. The specific 'setPIP' command accepts an attacker-controlled 'index' that is used to index internal arrays without range validation, yielding information disclosure and potential memory corruption. There is no public exploit identified at time of analysis, though a Cisco Talos technical report (TALOS-2026-2373) documents the flaw; it is not listed in CISA KEV and no EPSS score is provided.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets an attacker abuse the addon's localhost WebSocket server via a crafted 'setStream' command whose attacker-controlled 'index' is used to index arrays without range validation (CWE-129), enabling memory disclosure and possible corruption. Because a victim's browser can be steered into connecting to the local WebSocket service, the vendor rates this AV:N/UI:R (CVSS 8.3) - a remote web page can pivot to the local service after the user visits it. No public exploit is identified at time of analysis and it is not in CISA KEV, so this is not confirmed as actively exploited.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds array access in GeoVision GeoWebPlayer (the "Web Plugin"/"WS Player" addon bundled with GV-VMS, GV-Cloud and related software) lets a remote attacker corrupt memory via the local WebSocket server's connectInfo command. Because the server trusts an attacker-supplied index without range validation, a victim lured to a malicious web page can trigger high-impact confidentiality, integrity and availability effects (CVSS 8.3, scope-changed). No public exploit identified at time of analysis; the flaw was reported by the vendor (GV) and documented by Cisco Talos.

Information Disclosure Geowebplayer
NVD
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Server-side file exfiltration in Craft CMS versions 4.0.0-RC1 through 4.17.x and 5.0.0-RC1 through 5.9.x allows any control panel user granted the utility:system-messages permission to embed a dataUrl() Twig payload into system email templates, causing the server to read and base64-encode arbitrary files - including the .env file - into outbound email bodies. Exfiltration of CRAFT_SECURITY_KEY from the .env file enables an attacker to forge valid session tokens and escalate to full administrator account takeover, chaining a confidentiality breach into complete privilege escalation. No public exploit has been identified at time of analysis; patches are available in 4.18.0 and 5.10.0.

Information Disclosure
NVD GitHub VulDB
MEDIUM PATCH This Month

Insufficient data to produce analysis. CVE-2026-48029 description is marked as unknown; no CVSS, CWE, EPSS, KEV status, or technical details provided. Only source is vendor:ubuntu attribution.

Information Disclosure
NVD
MEDIUM PATCH This Month

Insufficient data to analyze. CVE-2026-47254 is reported by Ubuntu but no description, CVSS score, vector, or CWE information is available. Cannot determine attack vector, affected product, version, or real-world impact without vulnerability details.

Information Disclosure
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Out-of-bounds read in ArduPilot's MAVLink ground-control-station handler (through Plane-4.6.3) lets a remote attacker on the MAVLink link send a crafted SERIAL_CONTROL message that reads memory beyond intended bounds in GCS_MAVLINK::handle_serial_control(), potentially disclosing adjacent flight-controller memory and/or crashing the autopilot. The CVSS 9.1 rating reflects high confidentiality and availability impact over an unauthenticated network vector, though EPSS is low (0.17%, 6th percentile) and no public exploit is identified at time of analysis. An upstream fix is proposed via GitHub PR #32587 (issue #32524), but no tagged patched release is independently confirmed.

Buffer Overflow Information Disclosure N A
NVD GitHub
MEDIUM This Month

Insufficient data exists to characterize this vulnerability. CVE-2026-47251 was reported by Ubuntu but carries no description, CVSS score, CVSS vector, CWE classification, or reference links at the time of this analysis. No impact, affected product, or exploitation mechanism can be determined from the available intelligence. Security teams should treat this as unresolved pending vendor disclosure.

Information Disclosure
NVD
MEDIUM This Month

CVE-2026-47247 has been reported by Ubuntu but carries no public description, CVSS score, CWE classification, or technical details at time of analysis. The affected product, vulnerability class, and impact are entirely unknown. No meaningful synthesis is possible from available data - this CVE should be treated as a placeholder or pre-disclosure record pending vendor publication.

Information Disclosure
NVD
MEDIUM PATCH This Month

Insufficient intelligence to synthesize. CVE-2026-47709 description is marked unknown, CVSS vector is not available, CWE is not available, and no product name or affected versions are specified - only that Ubuntu reported it. Comprehensive vulnerability analysis requires description, CVSS vector, affected product details, and remediation data.

Information Disclosure
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Session hijacking in ntopng versions through 6.6 arises because HTTP session identifiers are generated with weak, time-seeded pseudo-randomness in src/HTTPserver.cpp, making freshly issued authenticated session cookies predictable or collision-prone. Remote attackers who can influence or observe login timing can forecast a valid session token and take over an authenticated user's session without credentials. No public exploit identified at time of analysis, and EPSS is low (0.15%, 5th percentile) despite the 9.8 CVSS rating.

Information Disclosure N A
NVD GitHub VulDB
MEDIUM PATCH This Month

CVE-2026-47714 is a vulnerability reported by Ubuntu with no public description, CVSS score, CWE classification, or technical details available at time of analysis. The affected product, vulnerability class, and impact cannot be determined from the available intelligence. No exploitation status, patch availability, or affected version range has been confirmed.

Information Disclosure
NVD
EPSS 0% CVSS 7.6
HIGH This Week

TLS certificate misissuance affecting Cloudflare Universal SSL zones lets an attacker who controls an ACME account at a CA in the auto-managed CAA RRset obtain a browser-trusted certificate for a victim domain, because Cloudflare's authoritative DNS serves a permissive auto-managed CAA RRset that supersedes customer-set records and drops RFC 8657 accounturi/validationmethods bindings. The result is a bypass of account-binding and validation-method-binding protections end-to-end, enabling MITM against the affected domain. Reported by Cloudflare (researcher David Osipov) with no public exploit identified at time of analysis; CVSS 4.0 base score is 7.6 with high attack complexity and a present attack requirement.

Information Disclosure Universal Ssl
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized memory use in Dawn, Chrome's WebGPU implementation, on ChromeOS prior to version 150.0.7871.46 enables remote attackers to read potentially sensitive contents from GPU process memory by serving a crafted HTML page. The flaw (CWE-457) allows stale or uninitialized buffer data to be exposed back to the requesting JavaScript context without proper sanitization. No public exploit has been identified at time of analysis, and CISA SSVC rates this as non-automatable with partial technical impact, though the CVSS confidentiality rating is High.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is an uninitialized-memory use (CWE-457) in ANGLE, reported by Google's own Chrome team and fixed in the June 2026 Stable channel update. No public exploit is identified at time of analysis, and CISA's SSVC framework records exploitation status as none, but the total technical impact and sandbox-escape nature make it a high-priority browser patch.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics subsystem (all versions prior to 150.0.7871.46) enables remote attackers to read sensitive data from other browser origins by luring a victim to a crafted HTML page. The flaw stems from uninitialized memory use in ANGLE, Chrome's GPU abstraction layer, which may expose stale cross-origin pixel buffers or texture memory to attacker-controlled JavaScript. No public exploit has been identified and CISA's SSVC framework rates exploitation as none with a non-automatable attack path, indicating limited immediate real-world threat despite the network-accessible vector.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized Use in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape via type confusion in Tint, the WGSL shader compiler within Chrome's Dawn/WebGPU stack, affects Google Chrome desktop versions prior to 150.0.7871.46. A remote attacker who lures a victim to a crafted HTML page can trigger the flaw (CWE-843) to potentially break out of the renderer/GPU sandbox and gain broader access on the host. Rated High by Chromium with a CVSS 9.6 (scope-changed), though there is no public exploit identified at time of analysis and CISA SSVC currently records exploitation status as 'none'.

Memory Corruption Information Disclosure Google +1
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Out of bounds read in V8 in Google Chrome prior to 150.0.7871.46 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Medium)

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Out-of-bounds read in the Dawn WebGPU implementation of Google Chrome before 150.0.7871.46 lets a remote attacker who lures a victim to a crafted HTML page potentially escape the renderer sandbox and disclose out-of-bounds memory. The upstream Chromium team rated the security severity as Low, yet the associated CVSS 3.1 base score is 9.6 due to a scope change and high triad impact. There is no public exploit identified at time of analysis, and the CISA SSVC decision framework records exploitation as none and automatable as no.

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out of bounds read in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in ANGLE (Chrome's cross-platform graphics abstraction layer) prior to version 150.0.7871.46 allows a remote attacker to extract potentially sensitive data from the browser's process memory by directing a victim to a crafted HTML page. The CVSS vector confirms network delivery with no authentication required but mandates user interaction, and the High confidentiality impact (C:H) indicates that in-memory data such as session tokens, cached credentials, or page content could be exposed. SSVC assessment records no active exploitation and the flaw is absent from the CISA KEV catalog; a vendor patch has been released and no public exploit code has been identified at time of analysis.

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's ANGLE graphics layer exposes sensitive browser memory contents to remote attackers who can induce a victim to visit a crafted HTML page. The out-of-bounds read in ANGLE (Chrome's cross-platform graphics abstraction engine) affects all Chrome desktop versions prior to 150.0.7871.46, confirmed by Google's stable channel advisory. No public exploit code or active exploitation has been identified at time of analysis; an EPSS of 0.17% (7th percentile) reflects minimal current weaponization pressure despite the high confidentiality impact assigned in CVSS.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome on Windows prior to 150.0.7871.46 stems from an out-of-bounds read in ANGLE, the browser's graphics abstraction layer. Remote attackers can exploit this by serving a crafted HTML page to a Windows user, causing the ANGLE subsystem to read memory beyond its intended buffer boundary and exposing data belonging to a separate web origin. No public exploit code has been identified at time of analysis, and the EPSS score of 0.18% (8th percentile) indicates low exploitation probability in the near term.

Google Microsoft Buffer Overflow +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's Tint component (the WGSL shader translator inside the Dawn/WebGPU stack) affects all desktop builds prior to 150.0.7871.46 and lets a remote attacker corrupt memory when a victim opens a crafted HTML page. Chromium rates the severity High and the CVSS 3.1 score is 8.8, driven by high confidentiality, integrity, and availability impact requiring only that the user visit a malicious page. No public exploit identified at time of analysis, and the low EPSS score (0.19%, 9th percentile) indicates exploitation is not currently widespread.

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Dawn WebGPU implementation prior to 150.0.7871.46 lets a remote attacker use a crafted HTML page to trigger an out-of-bounds read and write, potentially breaking out of the renderer sandbox. Rated Critical by Chromium with a CVSS of 9.6 (scope-changed), it requires the victim to visit a malicious page but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Integer overflow in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome (Skia graphics library) prior to 150.0.7871.46 allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page, elevating a contained renderer compromise into a full-privilege breakout on the host. Rated High severity by Chromium, it carries a CVSS 3.1 score of 8.3 (scope-changed) with no public exploit identified at time of analysis and CISA SSVC recording exploitation status as none. It is a second-stage vulnerability that must be chained with a prior renderer exploit, so it is not directly exploitable against a fresh browser.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome on Android (versions prior to 150.0.7871.46) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page that abuses insufficient input validation in the Dawn WebGPU component. Google rates the Chromium severity as High, and the flaw carries a CVSS 8.3 with a scope-changing impact. There is no public exploit identified at time of analysis, and CISA SSVC records exploitation status as none.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by luring a victim to a crafted HTML page. This is a second-stage bug that chains with a prior renderer-level exploit rather than a standalone entry point; Chromium rates it High severity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with SSVC recording exploitation status as none.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics component before 150.0.7871.46 lets a remote attacker break out of the renderer sandbox when a victim loads a malicious web page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE and carries a CVSS 9.6 due to scope change and full CIA impact, though exploitation requires the user to visit attacker-controlled content. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with SSVC exploitation status assessed as none.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker break out of the renderer sandbox when a victim visits a crafted HTML page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE and carries a critical 9.6 CVSS score due to the scope-changing sandbox escape. Google has shipped a fix and rates the Chromium severity as High; there is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics component on Android (versions prior to 150.0.7871.46) allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Rated High by Chromium and CVSS 8.3, the flaw stems from improper validation of untrusted input in ANGLE and requires renderer compromise plus user interaction as prerequisites. There is no public exploit identified at time of analysis, and CISA SSVC lists exploitation status as none.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing in Google Chrome's WebAppInstalls component (versions prior to 150.0.7871.46) enables remote attackers to misrepresent security indicators during Progressive Web App installation prompts via a crafted HTML page. The incorrect security UI (CWE-451) can deceive users into believing they are installing a legitimate, trusted application when they are not, resulting in a low-integrity impact. EPSS is 0.18% (8th percentile), no public exploit code exists, and this vulnerability has not been added to CISA KEV, indicating minimal active exploitation risk at time of analysis.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.46) allows a remote attacker who has already compromised the renderer process to mislead users through a crafted HTML page. The attack requires renderer process compromise as a prerequisite, making this a chained exploit component rather than a standalone threat. EPSS at 0.18% (8th percentile) and absence from CISA KEV confirm no known active exploitation; Chromium's own team rated this Low severity.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing via a crafted PDF file in Google Chrome's PDFium rendering engine allows a remote, unauthenticated attacker to visually mislead users into performing unintended actions or trusting falsified content. All Chrome versions prior to 150.0.7871.46 are affected. Exploitation requires the victim to open a malicious PDF - no special configuration is needed beyond default Chrome behavior. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact.

Information Disclosure Google Suse
NVD
CVSS 5.9
MEDIUM PATCH This Month

Download-limit enforcement in goshs (Go Simple HTTP Server) v2.0.9 and earlier can be bypassed by racing concurrent HTTP requests against a limited-use share token, allowing a single token to be redeemed more times than the operator configured. The TOCTOU flaw in `ShareHandler` means every concurrent goroutine observes the same pre-increment `Downloaded` counter, each passes the limit check, and each is served the file - completely defeating one-shot or low-count share-link controls. A working proof-of-concept is publicly documented in the GitHub security advisory (GHSA-j48m-h7xq-2xpj) with 5/5 consistent reproductions; no active exploitation is confirmed in CISA KEV.

Race Condition Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenTelemetry Java Instrumentation prior to 2.28.0 leaks clear-text database passwords into distributed trace span attributes when JDBC auto-instrumentation encounters double-quoted passwords in SQL CONNECT statements, bypassing the sanitization logic. These poisoned spans are then exported to any configured observability backend - Jaeger, Zipkin, OTLP collectors, or third-party SaaS monitoring - making database credentials visible to all parties with telemetry read access. No public exploit or confirmed active exploitation exists at time of analysis, but the impact of credential exposure is high given downstream database access risk.

Java Information Disclosure Opentelemetry Java Instrumentation
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authorization bypass in Wagtail CMS allows authenticated low-privilege users to create translations for pages beyond their permitted scope. Versions prior to 7.0.8, 7.3.3, and 7.4.2 fail to enforce page-level permission checks when a user submits a translation request, exposing content of restricted pages to anyone holding the 'Can submit translation' permission. No public exploit code or active exploitation (CISA KEV) has been identified, but the low attack complexity and network-accessible vector make this straightforward to abuse for information disclosure.

Python Information Disclosure Wagtail
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing authorization on the image preview endpoint in Wagtail CMS allows any authenticated admin-panel user to render previews of images they do not have permission to access. Affected across three maintained release branches - all Wagtail versions prior to 7.0.8, 7.3.3, and 7.4.2. No public exploit has been identified at time of analysis, and exploitation is strictly bounded to users holding valid Wagtail admin credentials, making this a privileged-insider or compromised-account risk rather than an external threat.

Python Information Disclosure Wagtail
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Wagtail's Documents and Images chooser endpoint leaks asset metadata - including filenames, display names, and URLs - to authenticated admin users who have been explicitly denied collection-level choose permissions. Versions prior to 7.0.8, 7.3.3, and 7.4.2 are affected across the 7.0, 7.3, and 7.4 release branches. An attacker with a valid Wagtail admin account can enumerate restricted media assets across collections beyond their authorized scope, bypassing the collection permission model. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Python Information Disclosure Wagtail
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Privilege-escalation via admission-control bypass in Rancher Fleet allows an attacker with git push access to a Fleet-monitored repository to overwrite Pod Security Standards (PSS) enforcement labels on target namespaces. Because Fleet's agent-side deployer failed to filter security-sensitive keys (notably the `pod-security.kubernetes.io/` prefix) from `namespaceLabels` in `fleet.yaml` or `BundleDeployment.spec.options.namespaceLabels`, an attacker can downgrade namespace admission enforcement and deploy privileged or otherwise restricted workloads that PSS would normally block. No public exploit identified at time of analysis; the flaw was privately reported through responsible disclosure by a NATO NCSC researcher and is not listed in CISA KEV.

Kubernetes Information Disclosure
NVD GitHub VulDB
CVSS 9.1
CRITICAL Act Now

Server impersonation in erlang_quic (Benoît Chesneau's Erlang QUIC/HTTP/3 library) before 1.4.4 arises because the QUIC client performed no server authentication during the TLS 1.3 handshake - the CertificateVerify signature, certificate chain, and hostname were all left unchecked, making the `verify` option a no-op. An on-path attacker can present any certificate to impersonate any server and transparently read or modify traffic, breaking both confidentiality and integrity (CVSS 9.1). No public exploit has been identified at time of analysis, and PSK-based session resumption handshakes are unaffected because the peer is authenticated by the PSK binder.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Prototype Pollution in Jodit Editor (versions prior to 4.12.18) allows network-reachable attackers to mutate Object.prototype by supplying crafted configuration payloads to Jodit.configure(), exploiting unfiltered merging in the internal ConfigMerge and ConfigProto helpers. Specifically, keys such as __proto__ or constructor nested inside legitimate option namespaces like controls can propagate to the global JavaScript prototype chain, corrupting runtime behavior for all JavaScript executing in the same environment. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; however, exploitation is contingent on the host application forwarding user-controlled input into Jodit.configure(), a pattern common in configurable WYSIWYG deployments.

Information Disclosure Prototype Pollution Jodit
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Resource exhaustion in Wasmtime's native WASIp1 implementation allows low-privileged WebAssembly guests to exhaust host-level file descriptors and OS resources by repeatedly invoking fd_renumber in a loop. The affected versions span four distinct release branches - all pre-24.0.10, 25.x-35.x, 37.x-44.x, and 45.0.0-45.0.1 - but only runtimes that both expose fd_renumber and grant guests the ability to open files are vulnerable. No public exploit code exists and the issue is not listed in CISA KEV; however, the attack is mechanically straightforward once the conditions are met, making patching the primary defense.

Information Disclosure Wasmtime
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity window checks by controlling the `integratedTime` field in an inclusionProof-only tlog entry. Because the inclusionProof-only code path in `@sigstore/verify` does not cryptographically bind `integratedTime` (unlike the signed inclusionPromise/set path), a low-privileged attacker who can present an untrusted bundle can cause the verifier to accept expired or not-yet-valid signing certificates as currently valid. A publicly available proof-of-concept exists; this vulnerability is not in CISA KEV.

Canonical Microsoft Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Remote denial of service in pion/dtls (Go's DTLS implementation) versions prior to 3.1.4 allows an unauthenticated network attacker to crash any application built on this library by sending a crafted ECDHE_PSK ServerKeyExchange message during the DTLS handshake. The CWE-125 out-of-bounds read triggers a Go runtime panic, immediately terminating the host process. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; a vendor-released patch exists in version 3.1.4.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Author spoofing in NodeBB's ActivityPub federation allows a remote federated actor to forge posts and private messages attributed to arbitrary local users, including the administrator (uid 1). Because the inbound middleware validates the HTTP-signature actor and the origin of object.id but never binds attributedTo to the authenticated sender, an attacker with a valid remote signature can impersonate any local account. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified in CISA KEV and the flaw only affects instances with federation enabled.

Information Disclosure Nodebb
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Cross-user attribute structure leakage in API Platform Core's JSON:API and HAL serializers exposes the schema layout of security-gated properties to lower-privileged users through improper cache reuse. Versions from 2.6.0 up to 4.1.29, 4.2.26, and 4.3.12 are affected across the core, hal, and json-api packages. The component structure computed for a higher-privileged user's request can be served from cache to a subsequent lower-privileged user's request, bypassing the per-request evaluation of #[ApiProperty(security: ...)] predicates. No public exploit identified at time of analysis; vendor-released patches are available.

Information Disclosure Core Api Platform Hal +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Type confusion in API Platform Core's AbstractItemNormalizer allows authenticated API consumers to corrupt relational data by supplying IRIs pointing to resources of the wrong type during write operations (POST/PUT/PATCH). The root cause is that getResourceFromIri() omits the $operation context when calling IriConverter::getResourceFromIri(), silently bypassing the is_a type guard at IriConverter.php:86. All 4.1.x, 4.2.x, and 4.3.x releases prior to the patched versions are affected; no public exploit or CISA KEV listing has been identified at time of analysis.

Memory Corruption Information Disclosure PHP +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Heap buffer over-write in ImageMagick's JP2 (JPEG 2000) encoder - present in all versions prior to 7.1.2-26 - allows an attacker to crash the process by supplying a maliciously crafted JP2 image file, resulting in a denial-of-service condition. The root cause is CWE-682 (Incorrect Calculation): argument handling logic in the JP2 encoder computes incorrect bounds, leading to an out-of-bounds heap write. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Imagemagick
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Repomix 1.14.0's MCP server exposes a file-read safety bypass allowing any MCP-connected client to retrieve arbitrary local `.json`, `.txt`, `.md`, or `.xml` files without triggering the project's `runSecretLint()` secret-scanning guard. The `attach_packed_output` tool accepts arbitrary local paths, validates only by file extension, reads the file without invoking the secret check, and registers the path under an `outputId`; `read_repomix_output` then returns the full file contents-entirely circumventing the boundary enforced by the dedicated `file_system_read_file` tool. No CISA KEV listing or EPSS data is available, but the advisory includes a reproduction harness that confirmed the bypass end-to-end against repomix@1.14.0.

Information Disclosure
NVD GitHub
Prev Page 11 of 741 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
66657

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy