Information Disclosure

OliveTin prior to version 3000.11.1 fails to enforce view permission checks on dashboard and API endpoints, allowing authenticated users to enumerate action bindings, titles, IDs, icons, and argument metadata despite having restricted access. While command execution remains properly denied, this information disclosure enables attackers to map available actions and their configurations. Public exploit code exists for this medium-severity vulnerability, and a patch is available.

Agentgateway versions prior to 0.12.0 fail to sanitize input parameters (path, query, and header values) when converting MCP tool requests to OpenAPI calls, allowing authenticated users to inject malicious data that could lead to unauthorized information disclosure or data modification. An attacker with valid credentials could exploit this input validation weakness to manipulate API requests across agent frameworks. No patch is currently available for affected deployments.

TSPortal versions prior to 30 contain a logic flaw where empty strings are converted to null values, enabling attackers to forge Data Protection Act reports as legitimate user deletion requests. This affects the WikiTide Foundation's Trust and Safety platform and could allow misuse of the reporting system to obscure malicious activity. Public exploit code exists, and no patch is currently available for affected deployments.

Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication tokens through an unauthenticated server-side publication, allowing any network-based attacker to retrieve webhook credentials without authentication. An attacker exploiting this vulnerability could hijack webhook integrations and gain unauthorized access to connected external services. The vulnerability has been patched in version 8.34.

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered publication of integration data, allowing any user with board access—including read-only members and users on public boards—to retrieve sensitive credentials. Attackers can leverage these exposed tokens to make unauthorized requests to connected external services and trigger unintended actions. The vulnerability affects Wekan's board composite publication mechanism and has been patched in version 8.34.

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debug mode Cryptomator might leak cleartext paths into the log file. This can reveal meta information about the files stored inside a vault at a time, where the actual vault is closed. Not every cleartext path is logged. Only if a filesystem request fails for some reason (e.g. damaged encrypted file,...

Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive data via enumerating object IDs. [CVSS 7.5 HIGH]

The /api/ais-data endpoint in Navtor NavBox leaks sensitive information through unhandled exception error messages, allowing unauthenticated remote attackers to obtain verbose .NET stack traces containing internal class names, method calls, and library dependencies. This information disclosure (CWE-209) enables attackers to map the application's internal structure and identify potential attack vectors. No patch is currently available for this medium-severity vulnerability affecting .NET implementations.

EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. [CVSS 7.5 HIGH]

Unauthenticated file read/write via AppEngine Fileaccess over HTTP.

Filesystem access via CROWN REST interface on industrial device. EPSS 0.25%.

Arbitrary file read in changedetection.io prior to 0.54.4 allows unauthenticated remote attackers to access sensitive files by injecting malicious XPath expressions into content filters, exploiting the unparsed-text() function in the elementpath library. The application fails to validate or sanitize XPath input, enabling attackers to read any file accessible to the application process. Public exploit code exists for this vulnerability.

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 6.4 MEDIUM]

OpenShift versions prior to 1.6.3-alpha leak sensitive information through multiple vectors, including raw exception strings in API responses and authentication tokens exposed in UI rendering and token rotation endpoints. An unauthenticated remote attacker can obtain this information over the network to compromise user sessions or gain insight into application internals. No patch is currently available for affected deployments.

TinyWeb versions prior to 2.04 fail to properly sanitize control characters and encoded sequences (CR, LF, NUL) in HTTP request headers, allowing attackers to inject malicious values into CGI environment variables and bypass parser validation. This network-accessible vulnerability enables header injection attacks that could lead to data corruption or denial of service without requiring authentication. No patch is currently available for affected deployments.

Unrestricted zip file extraction in MarkUs prior to version 2.9.4 allows authenticated users to trigger denial of service through resource exhaustion by uploading specially crafted archives with excessive file counts or sizes. Instructors and students can exploit this during assignment configuration uploads or submission handling to consume server resources and impact system availability. No patch is currently available for affected installations.

animation and page builder block versions up to 12.8.3 is affected by information exposure (CVSS 5.3).

Improper access control in Acronis Cyber Protect 17 (Linux and Windows) prior to build 41186 allows authenticated users to view sensitive information they should not have access to. The vulnerability requires valid credentials and network access but does not enable data modification or system availability impacts. No patch is currently available for this medium-severity disclosure risk.

Acronis Cyber Protect 17 on Linux and Windows (before build 41186) exposes sensitive information through insecure headless browser configuration, allowing local authenticated users to read confidential data without modifying or disrupting system operations. The vulnerability requires local access and valid credentials but poses a direct confidentiality risk to organizations using affected versions. No patch is currently available.

Improper authorization checks in Acronis Cyber Protect 17 (Linux, Windows) before build 41186 allow local authenticated users to access sensitive information and modify data. This medium-severity vulnerability requires local access and user privileges but poses no availability risk. No patch is currently available for this issue.

Improper authorization checks in Acronis Cyber Protect 17 (Linux and Windows) before build 41186 allow authenticated users to access sensitive information they should not have permission to view. An attacker with valid credentials can exploit this vulnerability to disclose confidential data without performing any additional actions. No patch is currently available for this medium-severity issue.

Acronis Cyber Protect 17 before build 41186 transmits sensitive cryptographic material unnecessarily, allowing adjacent network attackers to potentially intercept and obtain this sensitive data under specific conditions. The vulnerability requires user interaction and affects both Linux and Windows deployments. No patch is currently available.

Acronis Cyber Protect and Agent virtual appliances on VMware contain hardcoded default credentials for local privileged accounts, allowing attackers with network access and user interaction to gain high-level system access and potentially modify or disrupt backup operations. The vulnerability affects Cyber Protect Cloud Agent (VMware) before build 36943 and Cyber Protect 17 (VMware) before build 41186, with no patch currently available. An attacker exploiting this could achieve privilege escalation and lateral movement within virtualized environments.

Improper authentication in Acronis Cyber Protect 17.

Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40497, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186. [CVSS 4.4 MEDIUM]

Sensitive information disclosure and manipulation due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186, Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124. [CVSS 5.5 MEDIUM]

Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124. [CVSS 4.4 MEDIUM]

'.../...//' in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. [CVSS 6.7 MEDIUM]

Unauthorized information disclosure in Azure Compute Gallery occurs due to insecure default initialization settings that authenticated users can exploit to access sensitive data remotely. An authorized attacker can leverage this vulnerability to read confidential information without requiring user interaction. No patch is currently available for Microsoft products and ACI Confidential Containers.

Privilege escalation in Azure Compute Gallery's regex validation enables high-privileged local users to gain unauthorized system access on affected Microsoft and ACI Confidential Containers systems. An authenticated attacker with elevated permissions can exploit the permissive pattern matching to bypass security controls and achieve full system compromise. No patch is currently available, making this a medium-severity risk for environments running vulnerable versions.

OpenClaw versions 2026.1.30 and earlier leak authentication bearer tokens to untrusted domains when the optional MS Teams attachment downloader extension is enabled, due to overly permissive suffix-based domain allowlisting during download retries. An attacker could harvest these tokens from allowed domains to compromise authenticated sessions. No patch is currently available, affecting users of the vulnerable versions.

OpenClaw versions up to 2026.2.15 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

OpenClaw versions before 2026.2.13 are vulnerable to timing side-channel attacks on hook token validation due to use of non-constant-time string comparison. Remote attackers can exploit this weakness by measuring response times across multiple requests to gradually recover authentication tokens for the hooks endpoint. This affects confidentiality and integrity of OpenClaw deployments accessible over the network.

OpenClaw versions before 2026.2.12 are vulnerable to timing-based token extraction attacks due to non-constant-time string comparison in hook authentication. A network-based attacker can exploit this side-channel vulnerability to gradually recover the hook validation token through repeated timing measurements across multiple requests. The vulnerability requires repeated probing but poses a confidentiality risk to systems using vulnerable versions.

Openclaw versions up to 2026.2.1 is affected by missing authentication for critical function (CVSS 8.1).

OpenClaw versions before 2026.2.12 with the Nostr plugin enabled contain unauthenticated API endpoints that allow remote attackers to read and modify Nostr profiles without authentication when the gateway HTTP port is network-accessible. Attackers can exploit this to steal sensitive profile data, alter gateway configuration, and sign malicious Nostr events using the bot's private key. A patch is available for affected installations.

Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.

Cloudfoundry UAA versions 77.30.0 through 78.7.0 and Cloudfoundry Deployment versions 48.7.0 through 54.10.0 contain a logic error in the token revocation endpoint that allows authenticated users to inadvertently revoke tokens belonging to other users. An attacker with valid credentials could exploit this flaw to disrupt service availability by invalidating legitimate user sessions without authorization.

An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel. [CVSS 7.5 HIGH]

Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities.

Traefik versions 2.11.9-2.11.37 and 3.1.3-3.6.8 contain a case-sensitivity bypass in Connection header handling that allows unauthenticated remote attackers to remove critical X-Forwarded headers by using lowercase Connection tokens, potentially enabling header spoofing attacks. An attacker can exploit this to manipulate forwarded client information such as IP addresses and hostnames, compromising the integrity of upstream application data. A patch is available for affected versions.

Gogs versions prior to 0.14.2 expose authentication tokens in URL parameters, allowing credentials to be captured through server logs, browser history, and HTTP referrer headers. This information disclosure vulnerability affects self-hosted Gogs instances and could enable attackers to gain unauthorized API access if tokens are leaked through these channels. A patch is available in version 0.14.2 and later.

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

RustDesk Server Pro through version 1.7.5 transmits sensitive address book credentials in cleartext over the network heartbeat synchronization API, enabling attackers to intercept and obtain authentication credentials without authentication. The vulnerability affects Windows, macOS, and Linux deployments where the address book sync functionality is enabled. No patch is currently available.

RustDesk Client through version 1.4.5 transmits sensitive preset address book credentials in cleartext during heartbeat synchronization, enabling network eavesdropping attacks across Windows, macOS, Linux, iOS, and Android platforms. An attacker positioned to intercept network traffic can capture authentication credentials by sniffing the unencrypted JSON payload. No patch is currently available for this high-severity vulnerability (CVSS 8.7).

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

RustDesk Client through version 1.4.5 on Windows, macOS, and Linux uses weak password hashing and improper object prototype handling in its password security and configuration encryption modules, allowing local authenticated attackers to extract embedded sensitive data including passwords and machine identifiers. The vulnerability affects critical cryptographic functions including symmetric_crypt() and decrypt_str_or_original(), enabling attackers with local access and valid credentials to compromise encrypted credentials and system identifiers. No patch is currently available.

Privilege escalation in RustDesk Client through version 1.4.5 on Windows, macOS, Linux, iOS, and Android allows unauthenticated remote attackers to abuse API sync and configuration management functions. The vulnerability in the rendezvous mediator and HTTP sync modules enables attackers to gain elevated privileges without user interaction. No patch is currently available for affected users.

Xgrammar versions prior to 0.1.32 crash when processing multi-level nested syntax structures, causing a denial of service that halts the application. An attacker can trigger this segmentation fault remotely without authentication by submitting crafted input, disrupting any AI/ML system relying on this library for structured generation tasks. No patch is currently available for affected deployments.

RustDesk Server Pro through version 1.7.5 uses weak cryptographic algorithms in configuration string generation and web console export functions, enabling attackers to extract sensitive embedded data from exported configurations. This vulnerability affects Windows, macOS, and Linux deployments and requires no authentication or user interaction to exploit. No patch is currently available.

RustDesk Client through version 1.4.5 uses a broken cryptographic algorithm that allows attackers to retrieve sensitive embedded data during config import, URI scheme handling, or CLI operations across Windows, macOS, Linux, iOS, Android, and web clients. An unauthenticated remote attacker can exploit this vulnerability without user interaction to extract sensitive configuration information. No patch is currently available for this high-severity vulnerability.

Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. [CVSS 7.5 HIGH]

Data processing vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 6.2 MEDIUM]

Double free vulnerability in the window module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.1 MEDIUM]

HCL Sametime for iOS is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URLs. [CVSS 3.3 LOW]

Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.

WP Royal Royal Elementor Addons royal-elementor-addons is affected by inclusion of functionality from untrusted control sphere (CVSS 8.2).

Axiomthemes Nirvana version 2.6 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper filename validation and could enable information disclosure or facilitate further compromise, though no patch is currently available. With a CVSS score of 8.1 and low exploitation likelihood (0.2% EPSS), organizations running affected versions should prioritize mitigation strategies until an official patch is released.

My Tickets plugin version 2.1.0 and earlier inadvertently exposes sensitive data in outbound communications due to improper data handling. An unauthenticated remote attacker can intercept and retrieve embedded sensitive information from sent data without user interaction. No patch is currently available for this high-severity vulnerability.

Input quantity validation bypass in W3 Total Cache WordPress plugin.

Premio Chaty versions up to 3.5.1 expose sensitive data through improper handling of embedded information in outbound communications, allowing unauthenticated remote attackers to retrieve confidential data without user interaction. The vulnerability carries a high severity rating (CVSS 7.5) and currently has no available patch.

RadiusTheme Classified Listing plugin through version 5.3.4 exposes sensitive data in sent communications due to improper information handling. An authenticated attacker can retrieve embedded sensitive information from network traffic without modifying data or disrupting service. No patch is currently available for this vulnerability.

PHP Local File Inclusion in AncoraThemes FixTeam through version 1.4 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper handling of file include/require statements. The vulnerability carries a high CVSS score of 8.1 with potential for information disclosure and system compromise, though no patch is currently available.

Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.

Insecure embedded zlib in Compress::Raw::Zlib through 2.219 for Perl.

Insecure session ID generation in Apache::Session::Generate::MD5 through 1.94 for Perl.

Insecure session ID generation in Plack::Middleware::Session::Simple before 0.05 for Perl. Patch available.

NetApp ONTAP 9.12.1 and later with S3 NAS buckets allows authenticated attackers to enumerate directory contents they lack authorization to access, resulting in unauthorized information disclosure. An attacker with valid credentials can exploit this to view sensitive file listings without proper permissions. No patch is currently available for this vulnerability.

Injection in Open OnDemand HPC portal Files application before 4.0.9/4.1.3.

Dark Reader is an accessibility browser extension that makes web pages colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. [CVSS 3.4 LOW]

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]

ArubaOS access points are vulnerable to gateway impersonation attacks when clients connect via wired or wireless interfaces, allowing unauthenticated attackers to redirect network traffic into a man-in-the-middle position. An attacker can exploit address-based spoofing to intercept or modify data streams intended for the legitimate gateway, compromising the confidentiality of client communications. No patch is currently available.

Missing BLE authentication in Pebble Prism Ultra smartwatch. PoC available.

Rancher Backup And Restore Operator is affected by insertion of sensitive information into log file (CVSS 6.8).

2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts. [CVSS 6.5 MEDIUM]

Insufficient session invalidation in 2N Access Commander 3.4.2. Multiple sessions remain valid after logout.

2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. [CVSS 7.2 HIGH]

The Linux kernel's romfs filesystem fails to validate the return value of sb_set_blocksize(), allowing a local attacker with user privileges to trigger a denial of service by mounting a romfs image on a loop device configured with an incompatible block size. Public exploit code exists for this vulnerability. The flaw causes the filesystem to proceed with an invalid superblock configuration, potentially leading to system crashes or filesystem corruption.

The Linux kernel fbdev smscufx driver fails to properly copy user-supplied data to kernel memory in the UFX_IOCTL_REPORT_DAMAGE ioctl handler, instead directly referencing userspace memory which can be manipulated or invalidated. A local attacker with appropriate privileges can exploit this to cause a denial of service by triggering kernel memory access violations or crashes. No patch is currently available for this medium-severity vulnerability.

Local privilege escalation in Linux kernel f2fs sysfs attributes allows unprivileged users to trigger out-of-bounds memory access and cause denial of service by writing oversized integer values to filesystem control interfaces. The vulnerability stems from improper bounds checking when mapping sysfs attributes to kernel structures of varying integer sizes, enabling attackers to corrupt kernel memory and crash the system. No patch is currently available for this vulnerability.

A use-after-free vulnerability in the Linux kernel's f2fs filesystem allows a local attacker with user privileges to trigger memory corruption and crash the system through a race condition between I/O completion and filesystem unmount operations. The vulnerability occurs when a loop device completes write operations concurrently with an unmount that frees filesystem structures still being accessed by pending I/O handlers. This issue has no available patch and requires kernel-level access to exploit.

A revert of a Linux kernel patch introduces a potential deadlock condition in the f2fs filesystem when concurrent write operations and checkpoint operations occur, allowing a local user with write permissions to cause a denial of service through system hang. The vulnerability affects the Linux kernel's f2fs module and requires low privileges to trigger. No patch is currently available to address this issue.

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] <TASK> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases.

A Stored HTML Injection vulnerability was discovered in the CMC's Sensor Map functionality due to improper validation on connected Guardians' properties. [CVSS 4.8 MEDIUM]

A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter. A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. [CVSS 4.4 MEDIUM]

A use-after-free vulnerability in the Linux kernel's netfilter nf_tables chain registration allows local attackers with user privileges to trigger memory corruption and cause a denial of service, potentially leading to privilege escalation. The flaw occurs when hook registration fails during chain addition, allowing concurrent operations to access freed memory without proper RCU synchronization. The vulnerability affects systems running vulnerable Linux kernels with netfilter enabled, and no patch is currently available.

Dell PowerScale OneFS versions before 9.10.1.6 and 9.11.0.0 through 9.12.0.1 contain an uncontrolled search path vulnerability that allows high-privileged local attackers to achieve privilege escalation, information disclosure, and denial of service. The vulnerability requires local access and high privileges to exploit, making it suitable primarily for insider threats or attackers who have already gained initial system access. No patch is currently available for affected systems.

Powerscale Onefs versions up to 9.10.1.6 is affected by execution with unnecessary privileges (CVSS 6.7).