Skip to main content

Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (66671)

EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in Envoy proxy allows attackers to crash the process by resolving a DNS name exactly 255 octets long through a configured UDP DNS filter. An off-by-one runtime precondition assumes query names are strictly less than 255 octets, contradicting RFC 1035 which permits names of up to 255 octets, so a maximally-long name that resolves successfully triggers abnormal process termination. There is no public exploit identified at time of analysis, EPSS is low (0.37%), and CISA SSVC rates exploitation as none with only partial technical impact.

Information Disclosure Envoy
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Certificate SAN validation in Envoy Proxy is bypassed when an attacker-controlled upstream serves a TLS certificate containing an embedded NUL byte in the dNSName Subject Alternative Name field. Envoy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1 are affected, allowing an attacker who controls or can impersonate an upstream TLS endpoint to pass Envoy's configured SAN match check with a fraudulent certificate and intercept proxied traffic. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Envoy
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

The OAuth2 HTTP filter in Envoy Proxy prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 implements AES-256-CBC encryption for the PKCE CodeVerifier cookie without any authentication tag, creating a classic padding oracle through differential HTTP responses on the /callback endpoint. An attacker who obtains the victim's encrypted CodeVerifier cookie and a stolen authorization code can recover the plaintext PKCE code_verifier in approximately 6,200 crafted requests (~100 seconds), then complete the OAuth token exchange to hijack the victim's access token. No public exploit code or CISA KEV listing has been identified at time of analysis; vendor-confirmed patches are available in all four current release branches.

Oracle Microsoft Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in DragonflyDB before 1.39.0 lets an unauthenticated attacker crash the entire server with a single ~24-byte RESTORE command carrying a malformed listpack payload, triggering an out-of-bounds read (SIGSEGV). Because Dragonfly ships with no authentication enabled by default and RESTORE is an ordinary keyspace command, any client that can reach the port can repeatedly kill the process. No CISA KEV listing exists, but the fixing pull request publishes the exact crash payloads as regression tests, so working trigger data is effectively public.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Sensitive information disclosure in Fluentd's Monitor Agent plugin (in_monitor_agent) at versions <= 1.19.2 allows anyone with HTTP access to the metrics API (default TCP port 24220) to read internal instance variables of loaded plugins via /api/plugins.json and related endpoints. Because plugins frequently hold database passwords, API keys, and cloud credentials in instance variables, those secrets can be returned in plain text to unauthenticated callers. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor fixed it in v1.19.3 by changing the default visibility of config, retry, and debug information.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in Podman (1.8.1 through 5.8.3) lets a malicious OCI container image leak host environment variables into the container by embedding an image env entry with a key but no value; an asterisk (*) entry causes Podman to forward ALL host session variables. Because the launching session frequently holds secrets (registry credentials, API tokens, proxy auth), a crafted image run by a victim can harvest them. No public exploit is identified beyond the proof-of-concept test shipped with the fix, and it is not listed in CISA KEV.

Information Disclosure Podman
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary file write in Dokku before 0.38.2 lets an attacker with deploy-level access escalate to full shell access on the host. The git:from-archive and certs:add commands extract attacker-supplied tar/zip archives without sanitizing member paths, and because GNU tar creates and then follows symlinks during extraction, a crafted archive can plant files anywhere the dokku user can write - most damagingly ~/.ssh/authorized_keys. There is no public exploit identified at time of analysis and CISA SSVC records exploitation as none, but the technical impact is rated total.

Information Disclosure Docker Dokku
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

OS command execution on the Dokku host is possible through the openresty-vhosts plugin in versions prior to 0.38.2, where custom OpenResty include filenames from an app's git repository are interpolated unescaped into a single-quoted shell string that is later run through eval. An attacker who can deploy a Dokku app with the openresty proxy enabled can plant a file whose name contains a single quote to break the quoting and inject a command substitution, executing arbitrary commands as the dokku user on the next deploy. There is no public exploit identified at time of analysis and it is not in CISA KEV, though the upstream advisory and a security regression test document the mechanism precisely.

Code Injection Information Disclosure Docker +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Insufficiently protected credential storage in Dokku prior to 0.38.2 exposes git authentication secrets stored in $DOKKU_ROOT/.netrc to any local user who can traverse the Dokku home directory. The git:auth command pre-creates the .netrc file using bash's touch, which applies the process umask (0644) before the netrc binary runs - defeating the netrc binary's own 0600 enforcement because the file already exists at write time. No public exploit code exists and the vulnerability is not in CISA KEV, but the confidentiality impact is rated High given that plaintext git credentials (hostnames, usernames, passwords) are directly readable without any special tooling.

Information Disclosure Docker Dokku
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper authorization in PayloadCMS 3.84.1 allows low-privilege authenticated users to invoke the account unlock operation without sufficient access control, effectively bypassing the brute-force lockout mechanism protecting other user accounts. Reported by Fluid Attacks, this flaw has both a confidentiality and integrity dimension: attackers can disclose account state information and manipulate the lock status of accounts they do not own. No public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Payloadcms
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Local privilege/availability abuse in Safetica Endpoint Client (x64) versions 10.5.75.0 and 11.11.4.0 lets an unprivileged user send crafted IOCTLs to the bundled kernel driver ProcessMonitorDriver.sys to terminate protected system processes, including the DLP agent's own self-protection components. This effectively allows a low-privileged local user to disable endpoint security enforcement. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; CERT/CC (VU#818729) coordinated the disclosure.

Information Disclosure Endpoint Client
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

Code execution against the shared multi-tenant Java runtime in Wolfram Cloud 14.2 is possible because the default JVM resolves classpath artifacts from a world-accessible `/tmp/` location shared across tenants on the same cloud instance. A co-tenant attacker who can write to `/tmp/UserTemporaryFiles/` can plant a malicious `.jar` or directory referenced by the JVM's `-init` startup file so the victim JVM loads attacker-controlled classes ahead of the legitimate library, executing code in the victim's session. No public exploit identified at time of analysis, though CVSS rates the issue 9.6 with a scope change reflecting cross-user/cross-tenant impact.

Information Disclosure Cloud
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Improper privilege handling in Imagination Technologies' Graphics DDK GPU driver lets privileged kernel code inside a Host VM submit crafted commands to the GPU firmware, coercing the firmware into reading or writing host memory outside the range the host kernel is permitted to touch. Affecting Graphics DDK 1.18, 23.2, 24.2, 25.1-25.3 and 26.1 RTM, the flaw enables out-of-bounds host memory access (information disclosure and corruption) through the firmware's elevated memory privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the local code-execution impact (CVSS 7.8) makes it a meaningful local privilege/boundary-bypass concern.

Information Disclosure Graphics Ddk
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Credential exposure in Mattermost Plugins (all branches ≤11.6, fixed in 10.18.11, 11.3.6, and 11.6.5.0) leaks valid or partially reconstructable OpenAI API keys into mattermost.log when the OpenAI API returns authentication failure responses. Any user with privileged read access to server logs or downloadable support packets can recover the key and authenticate to the victim organization's OpenAI account. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS Scope:Changed rating reflects that successful exploitation grants unauthorized access to an external, out-of-scope resource - the OpenAI account - with full confidentiality impact.

Mattermost Information Disclosure
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive data exposure in the Bopo - WooCommerce Product Bundle Builder plugin for WordPress (versions ≤ 1.1.6) allows low-privileged authenticated users to access information that should be restricted to higher-trust roles. The flaw is classified under CWE-497, indicating the plugin exposes sensitive system or application data to an unauthorized control sphere - likely via an improperly protected REST API endpoint or AJAX action lacking appropriate capability checks. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Panorama Viewer - 360 Degree Image + Video Viewer WordPress plugin (versions 1.6.1 and earlier) allows authenticated users with Contributor-level access to coerce the application into including arbitrary local files on the server. Cataloged under CWE-98 and reported by Patchstack, the flaw can expose sensitive files (e.g., wp-config.php credentials) and, depending on server conditions, escalate toward code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sensitive data exposure in the WCBoost - Products Compare WordPress plugin (versions <= 1.1.0) allows any remote attacker to access sensitive information without credentials. The CVSS vector confirms network-accessible exploitation requiring no authentication, no user interaction, and low complexity, yielding a partial confidentiality breach. No public exploit code or active exploitation has been identified at time of analysis, though the zero-barrier entry point makes opportunistic scanning trivial.

Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive data exposure in the Site Reviews WordPress plugin (versions through 8.0.11) allows authenticated users holding at minimum a subscriber-level account to access private or sensitive review-related data they should not be permitted to view, resulting in high confidentiality impact. The CVSS vector (PR:L, AV:N, AC:L) confirms the flaw is network-exploitable at low complexity with no user interaction required beyond possessing a basic WordPress account. No public exploit code or active exploitation has been identified at time of analysis, though the low barrier to exploitation (any registered user) elevates practical risk.

Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive data exposure in GetGenie WordPress plugin (versions through 4.4.2) permits authenticated subscribers to access data outside their authorization scope. The vulnerability, classified under CWE-497, enables low-privilege WordPress users - those with subscriber-level accounts - to retrieve sensitive information that should be restricted to higher-privilege roles. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, but the low attack complexity and broad user-privilege threshold make this a realistic risk on any multi-user WordPress deployment running an affected version.

Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated information disclosure in the Print Invoice & Delivery Notes for WooCommerce plugin (versions 7.1.1 and earlier) lets remote attackers retrieve sensitive order data - such as invoices and delivery notes - without any credentials. The CVSS 3.1 score of 7.5 reflects a network-reachable, no-interaction confidentiality breach. No public exploit is identified at time of analysis and it is not listed in CISA KEV, so exploitation appears unproven but trivially feasible given the access profile.

WordPress Information Disclosure
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Information disclosure and related weaknesses in the BitFire Security WordPress firewall plugin (versions 5.0.3 and earlier) let remote unauthenticated attackers extract sensitive data and tamper with limited integrity, per a Patchstack-reported advisory. The CVSS 3.1 base score of 8.6 reflects network-reachable, no-privilege exploitation (AV:N/AC:L/PR:N/UI:N) with high confidentiality impact, ironic for a product whose purpose is to harden WordPress sites. No public exploit code has been identified at time of analysis, and the issue is not on the CISA KEV list; EPSS data was not provided.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Authentication bypass in the CorvusPay WooCommerce Payment Gateway plugin for WordPress (versions 2.7.4 and earlier) lets unauthenticated remote attackers manipulate the payment/integration workflow without valid credentials, per the CVSS 3.1 vector (AV:N/PR:N) and CWE-288. The flaw scores 7.5 with integrity impact only (I:H, C:N, A:N), meaning an attacker can tamper with trusted state - most plausibly forging payment confirmation/callback validation - rather than steal data or take a site down. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

WordPress Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive data exposure in the Trinity Backup WordPress plugin (versions 2.0.9 and earlier) allows remote unauthenticated attackers to retrieve confidential information without any credentials. Because the plugin manages full-site backups, the exposed data may include database dumps, configuration files, and credentials. The flaw was reported by Patchstack and carries a CVSS 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive data exposure in the WordPress plugin Object Cache 4 everyone (versions 2.3.2 and earlier) lets remote unauthenticated attackers retrieve information the application intended to keep private, per the Patchstack advisory and a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N, confidentiality-only impact). The flaw, classed as CWE-201, stems from the caching layer inadvertently exposing sensitive cached content to unauthorized requestors. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure
NVD
EPSS 0% CVSS 7.4
HIGH This Week

Unauthenticated backdoor in the WordPress "Enable CORS" plugin (versions <= 2.0.3) lets remote attackers leverage a hard-coded cryptographic key (CWE-321) to bypass access controls and read or alter protected data without any credentials. Reported by Patchstack and tagged as Information Disclosure, the issue carries a CVSS 7.4; no public exploit and no CISA KEV listing exist at the time of analysis, and despite the network attack vector the CVSS marks high attack complexity, indicating exploitation is non-trivial.

Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated information disclosure in the Ads by WPQuads (Quick AdSense Reloaded) WordPress plugin versions 3.0.3 and earlier lets remote attackers read sensitive data without any credentials or user interaction. The flaw, reported by Patchstack and classified as CWE-497, exposes information to an unauthorized control sphere over the network. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local File Inclusion in the Goya Core WordPress plugin (versions before 1.0.9.4) lets authenticated Contributor-level users coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and PHP source. Reported by Patchstack and classified CWE-98, the flaw carries a CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:L), and no public exploit identified at time of analysis. Exploitation requires a valid low-privilege account and the high attack complexity reflects non-trivial preconditions.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the Splash - Sport Club WordPress theme (versions 4.4.3 and earlier) lets an authenticated Contributor-level user supply a controlled filename to a PHP include/require sink, exposing local server files and potentially escalating to code execution. The flaw was reported by Patchstack and carries a CVSS 7.5; no public exploit identified at time of analysis, and it is not listed in CISA KEV. Exploitation requires an existing low-privilege account and overcomes elevated attack complexity, narrowing realistic abuse to multi-author sites.

WordPress LFI Information Disclosure +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Information disclosure in Ollama's model quantization engine (confirmed affected in v0.13.5) allows remote, unauthenticated attackers to read and exfiltrate the server's heap memory, exposing sensitive in-process data such as model contents, API keys, or other secrets resident in memory. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against an exposed Ollama instance with no authentication. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Ollama Buffer Overflow
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Prototype pollution in JetBrains YouTrack's websandbox bridge (all versions before 2026.2.16593) lets an attacker who can reach the sandbox boundary corrupt JavaScript Object.prototype, potentially escaping the sandbox or disclosing information. The flaw was internally reported by JetBrains and classed as CWE-1321; it carries a vendor-published CVSS of 9.8, but no public exploit has been identified at time of analysis and EPSS rates exploitation probability low at 0.40% (32nd percentile).

Information Disclosure Prototype Pollution Youtrack
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Client-side memory-safety failure in libnfs (through 6.0.2, fixed by commit f0b109d/935b8db) lets a malicious or compromised NFS server trigger an unsigned integer underflow in the RPC record-marker handling of rpc_read_from_socket(). When a victim application using libnfs connects to a crafted server, the server can supply a record marker whose declared xid/pdu length is smaller than the size libnfs expects to read, wrapping the length value and driving an oversized READ_IOVEC read with corresponding heap memory disclosure or corruption. There is no public exploit identified at time of analysis and it is not in CISA KEV; exploitation requires the victim to initiate a connection to an attacker-controlled NFS endpoint.

Integer Overflow Information Disclosure Libnfs +1
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Credential brute-force exposure in Reolink Home Hub (versions prior to v3.3.0.456_26031911) enables adjacent-network attackers to crack authentication credentials used between the Hub and its associated cameras. The netclient and factory services transmit or store credentials in a manner susceptible to brute-force attack, allowing an adversary on the same local network to intercept Hub-to-camera traffic and recover camera credentials. No public exploit or CISA KEV listing is present at time of analysis; however, the CVSS 4.0 subsequent-system impact is rated High across confidentiality, integrity, and availability, reflecting full camera compromise potential once credentials are cracked.

Information Disclosure Home Hub
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthorized information disclosure in Johnson & Johnson's Audit Tracking Management System (ATMS) allowed remote attackers to view sensitive audit meeting minutes and transcripts without authentication in instances deployed before 2026-04-21. The flaw stems from client-side enforcement of access controls (CWE-602), meaning the server failed to verify authorization before returning confidential audit records. A public security research write-up by Eaton Works documents the issue, though no weaponized exploit or active exploitation (KEV) has been confirmed, and no public exploit code was identified at time of analysis.

Information Disclosure Audit Tracking Management System
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in Johnson & Johnson's Campus Recruiting web application (versions prior to the 2025-10-31 fix) allows remote unauthenticated attackers to view sensitive data submitted by recruited students as well as private notes interviewers entered about those candidates. The flaw stems from the server relying on client-side restrictions rather than enforcing authorization server-side (CWE-602). No CISA KEV listing or formal exploit code is published, though an independent security researcher (Eaton Works) documented the issue in a public write-up.

Information Disclosure Campus Recruiting
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Predictable secret generation in the Perl module Bytes::Random::Secure::Tiny (versions through 1.011) occurs because a PRNG object initialized before a fork() shares its ISAAC engine state across all child processes, causing every child to emit identical 'random' streams. Multiprocess Perl applications (e.g., preforking web servers) that create one generator and reuse it after forking will produce duplicate session tokens, keys, salts, or nonces across workers. Reported by CPANSec with an upstream fix; EPSS is low (0.16%, 5th percentile) and there is no public exploit identified at time of analysis.

Information Disclosure Bytes
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Predictable secret generation in the Perl module Bytes::Random::Secure (versions through 0.29) occurs because the module fails to detect process forks, causing parent and child processes to share identical PRNG internal state. Applications that instantiate a generator object before fork()ing - or that use the module's functional (procedural) interface - will emit identical random streams across processes, making session tokens, keys, salts, and other secrets predictable across workers. No public exploit is identified at time of analysis, and EPSS is low (0.16%, 6th percentile); CPANSec reported it and an upstream fix is available.

Information Disclosure Bytes
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Unauthenticated format string flaw in the vlsvr service of GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote attackers send crafted login data that the device passes unsanitized into a log-formatting routine. Successful exploitation can leak memory contents, corrupt memory, or crash the service, with the high availability impact (CVSS 8.6) reflecting denial of service as the most reliable outcome. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Information Disclosure Gv Lpclpc2011 2211
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file read in GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition appliances (firmware V1.12 and earlier) lets a remote, unauthenticated attacker traverse the filesystem via the get_fcont.cgi endpoint and retrieve any file readable by the CGI process. Because the CGI fails to validate the user-supplied file path, a single crafted HTTP request can disclose configuration files, credentials, or other sensitive data. There is no public exploit identified at time of analysis, but the network-reachable, no-authentication nature (CVSS 7.5) makes it straightforward to weaponize.

Path Traversal Information Disclosure Gv Lpclpc2011 2211
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cleartext data-channel exposure in the Apache Airflow FTP provider (apache-airflow-providers-ftp before 3.15.1) lets a network attacker positioned on the data path read file contents and credentials moved over FTPS. The FTPSHook.get_conn() method established an ftplib.FTP_TLS control connection but never issued PROT P, so payloads transferred via FTPSHook or FTPSFileTransmitOperator traveled in plaintext despite the TLS-protected control channel. There is no public exploit identified at time of analysis, EPSS is very low (0.10%, 1st percentile), and it is not on CISA KEV.

Information Disclosure Apache Apache Airflow Ftp Provider
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Permanent deletion of arbitrary WordPress posts and pages is possible via the Frontend File Manager Plugin (all versions through 23.6), which omits ownership verification before executing delete operations. Any authenticated user holding author-level access or higher can permanently destroy content they do not own; when an administrator enables the 'Allow guest uploads' setting, the same endpoint becomes reachable by completely unauthenticated users. A public proof-of-concept exists via WPScan; no confirmed actively exploited status (KEV), and EPSS sits at just 0.18% (8th percentile), but the unauthenticated attack path under a non-default configuration is the highest-severity scenario.

WordPress Information Disclosure Frontend File Manager Plugin
NVD WPScan VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Information disclosure in the YMC Filter WordPress plugin before 3.11.3 lets unauthenticated remote attackers read the titles and content of private, draft, and other non-public posts by abusing a REST API endpoint that lacks proper authorization and fails to validate a user-supplied query parameter. WPScan reported the flaw, a public exploit exists, and a vendor patch is available; the CVSS 3.1 score is 7.5 reflecting high confidentiality impact with no integrity or availability effect.

WordPress Information Disclosure Ymc Filter
NVD WPScan VulDB
EPSS 0% CVSS 9.2
CRITICAL Act Now

Authentication bypass in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets an attacker who possesses a user's stored password hash authenticate directly to the backend and gain full account access. Because the backend treats the password hash itself as the secret credential, the hash is password-equivalent and does not need to be cracked back to plaintext. No public exploit identified at time of analysis; the issue was disclosed through CISA/ICS-CERT (advisory VA-26-176-01) and carries a high CVSS 4.0 score of 9.2.

Information Disclosure Google
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Session hijacking in the Setracker2 Android companion app (com.tgelec.setracker) version 3.1.5 and earlier stems from the use of MD5 to generate the request signature that authenticates traffic between the mobile client and the backend REST API. Because MD5 is cryptographically broken, an attacker who can observe a signed request may reverse the signature to recover the embedded session ID and then impersonate the legitimate user, issuing authenticated API calls against the kids'/GPS-tracker backend. Reported by CISA ICS-CERT (DHS) and tracked in a CSAF advisory; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Google
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Cleartext recovery of Setracker2 GPS-watch traffic is possible because the com.tgelec.setracker Android companion app (versions 3.1.5 and prior) protects watch-to-backend requests with static, hardcoded AES keys and initialization vectors. Any attacker who can observe the encrypted traffic - or who extracts the keys from the freely distributed APK - can decrypt communications between the wearable tracker and its cloud backend, exposing location and account data of the (frequently child) wearers. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Google
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Unauthorized device enrollment in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets remote attackers hijack other users' GPS smartwatches by guessing their registration ID. The registration ID is predictably derived from the device IMEI, and the enrollment workflow performs no secondary authentication before binding a watch to an account, so an attacker who learns or calculates the ID can take over the target's tracker. No public exploit has been identified at time of analysis, and the issue carries a CVSS 4.0 base score of 8.3 with high confidentiality impact, reflecting exposure of a child's or wearer's location data.

Information Disclosure Google
NVD
EPSS 0% CVSS 4.2
MEDIUM This Month

Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and change their ownership. An attacker with access to the virt-launcher container can plant a symlink at the network cache file path expected by the `WriteToCachedFile` function; virt-handler then follows that symlink when calling `os.WriteFile` and `os.Chown`, enabling writes of attacker-influenced JSON content to any path accessible by virt-handler on the host. This represents a partial container-to-host escape - a scope change from the container context to the underlying node - with no public exploit identified at time of analysis.

Information Disclosure Kubevirt Openshift Virtualization
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

CPU and heap exhaustion in Apicurio Registry's XML artifact processing pipeline allows authenticated users with artifact-write permission to cause denial of service via billion-laughs entity expansion. The DocumentBuilderAccessor correctly blocks external DTD and schema resolution - preventing SSRF/XXE - but omits two complementary protections: disabling DOCTYPE declarations entirely and enabling JAXP's FEATURE_SECURE_PROCESSING flag, leaving the parser exposed to recursive internal entity expansion. No active exploitation (CISA KEV) or confirmed public exploit code has been identified at time of analysis; EPSS data was not provided in the input.

Information Disclosure Build Of Apicurio Registry
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a single SHA-1 hash and RC4 decryption operation, with no brute force required.

Information Disclosure N A
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Persistent session hijacking in Flowise 3.0.7 and earlier (fixed in 3.0.10) lets an attacker retain authenticated access to a victim's account even after the victim changes their password, because the application never invalidates pre-existing sessions or session tokens on credential rotation (CWE-613). Anyone holding a stolen token or a device left logged in keeps full access, defeating the primary remediation users rely on after a suspected compromise. A working proof-of-concept is published in the vendor's GHSA advisory; publicly available exploit code exists, but there is no public exploit identified as actively exploited in the wild and it is not on the CISA KEV list.

Information Disclosure Flowise
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Account takeover in Flowise (the open-source low-code LLM application builder) before version 3.0.10 stems from the account settings Security section accepting a password change without requiring the current password or any re-verification. Any authenticated user - or an attacker who hijacks or coerces an existing authenticated session - can silently reset the account credential and seize full control of the account. Publicly available exploit code exists (documented PoC with repro steps and screenshot in the GitHub Security Advisory GHSA-fjh6-8679-9pch), but there is no public exploit identified as actively exploited and it is not listed in CISA KEV.

Information Disclosure Flowise
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Parse Server
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Signer confusion in wolfSSL's PKCS7_verify implementation allows a crafted PKCS#7 message to report a trusted certificate as the signer even when an attacker-controlled certificate produced the actual signature. Any application using wolfSSL for PKCS#7 signature verification - including JWT workflows flagged in the CVE tags - may incorrectly authorize operations as if from a trusted party. No public exploit has been identified at time of analysis, but the upstream fix is available as GitHub PR #10203 and the vulnerability is straightforwardly reproducible by anyone familiar with PKCS#7 certificate bundle structure.

Jwt Attack Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

MAC forgery in wolfSSL 5.9.0 and later allows an attacker to authenticate arbitrary tampered messages when HMAC-BLAKE2 is used with keys exceeding the BLAKE2 block size. The wc_Blake2bHmacFinal and wc_Blake2sHmacFinal functions incorrectly reused the running message hash state to process oversized keys, discarding accumulated message data and producing a MAC that depends solely on the key, not the message. No public exploit has been identified at time of analysis, but the integrity failure is straightforward to exploit in any protocol or application that uses wolfSSL HMAC-BLAKE2 with keys longer than 128 bytes (BLAKE2b) or 64 bytes (BLAKE2s).

Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OCSP certificate status lookup in wolfSSL returns the wrong certificate's revocation status when a same-issuer SingleResponse serial number is a byte-prefix of the requested certificate's serial. The `wolfSSL_OCSP_resp_find_status` function in `src/ocsp.c` compared serial bytes via XMEMCMP without first verifying that both serial lengths are equal, allowing a 2-byte serial `01:02` in an OCSP response to satisfy a lookup for a 3-byte certificate serial `01:02:03`. No public exploit has been identified at time of analysis, but the integrity consequence is concrete: a revoked certificate could be incorrectly reported as valid if an attacker can supply a crafted OCSP response.

Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

wolfSSL's TLS 1.2 handshake logic silently downgrades Encrypt-then-MAC (ETM) to MAC-then-Encrypt when a client presents a stale session ID during a failed resumption attempt, affecting all builds compiled with HAVE_ENCRYPT_THEN_MAC using CBC-mode cipher suites. This ETM extension silent-disable (CWE-757) exposes the downgraded connection to CBC-mode side-channel attacks such as Lucky Thirteen, exploitable by an adjacent-network attacker. No public exploit identified at time of analysis and no confirmed active exploitation; vendor patch is available upstream via PR #10167.

Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

PKCS#12 MAC verification in wolfSSL accepts truncated or zero-length MACs because the comparison uses an attacker-controlled length field parsed from the input structure rather than the expected digest size, completely defeating HMAC integrity protection on PKCS#12 key stores. Any wolfSSL-based application that parses PKCS#12 files from untrusted sources - including certificate import endpoints, VPN provisioning services, or key management systems - can be tricked into accepting a structurally tampered PKCS#12 bundle as MAC-verified. No public exploit code or CISA KEV listing has been identified; the upstream fix is available as GitHub PR #10192 but a tagged patched release has not been independently confirmed.

Jwt Attack Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

wolfSSL's ML-KEM ARM64 NEON decapsulation path compares only half of the re-encrypted ciphertext during the Fujisaki-Okamoto implicit rejection step, breaking the IND-CCA2 security proof for post-quantum key exchange on that architecture. This affects any ARM64 deployment of wolfSSL with ML-KEM (FIPS 203) compiled in and in active use. An attacker who can submit adaptively chosen ciphertexts to a decapsulating party - for example via man-in-the-middle position during a post-quantum TLS handshake - may exploit the broken comparison to bypass implicit rejection, potentially enabling shared-secret recovery through repeated adaptive queries. No public exploit has been identified and the vulnerability is not listed in the CISA KEV at time of analysis.

Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Emergency

Authentication bypass in Evoke Systems' Evoke CSMS (EV Charging Station Management System) lets remote unauthenticated attackers connect to its WebSocket endpoints and impersonate legitimate charging stations. Because the OCPP-style WebSocket channel performs no authentication, an attacker can read sensitive station/session data and issue unauthorized commands, leading to privilege escalation and potential compromise of the broader charging backend. CVSS 4.0 rates this 9.3 (Critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though it is the subject of a CISA ICS advisory (ICSA-26-176-02).

Authentication Bypass Privilege Escalation Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

HMAC tag forgery in wolfSSL's OpenSSL-compatibility layer allows a zero-length or arbitrarily truncated HMAC tag to pass verification in EVP_DigestVerifyFinal, undermining message authentication for any application relying on this API path. Applications compiled with the OPENSSL_EXTRA flag that use EVP_DigestVerifyFinal for HMAC verification - including JWT validation libraries and message authentication flows - are affected across all currently-known wolfSSL versions. The root length check only enforced that the supplied tag did not exceed the MAC size, not that it equaled it, so an attacker controlling the tag buffer or length argument could present an empty signature and bypass integrity verification. No public exploit has been identified at time of analysis, and CISA KEV does not list this CVE.

Jwt Attack OpenSSL Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Evoke CSMS exposes charging station authentication identifiers through public web-based mapping platforms, allowing unauthenticated network actors to harvest credentials with no special access or interaction. Classified under CWE-522 (Insufficiently Protected Credentials) and reported by ICS-CERT via advisory ICSA-26-176-02, this flaw affects all tracked versions of the Evoke Charging Station Management System across its entire version history per the wildcard CPE. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the zero-prerequisite exposure in an OT/energy infrastructure context represents a meaningful credential leakage risk for affected operators.

Information Disclosure Evoke Csms
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

wolfSSL's certificate chain verification accepted MD5-signed certificates when MD5 was compiled in for any purpose (e.g., TLS 1.0 PRF or HMAC), violating RFC 8446 compliance and the fundamental prohibition on broken hash algorithms in certificate signatures. An attacker with low-level positioning who can influence the certificate chain presented to a wolfSSL-based application could potentially bypass chain integrity checks by presenting an MD5-signed leaf certificate. No public exploit has been identified and no CISA KEV listing exists; the CVSS 4.0 score of 2.3 reflects the high complexity and constrained impact of realistic exploitation.

Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW Monitor

Use-after-free in wolfSSL's TLS 1.3 PQC hybrid KeyShare processing exposes clients built with post-quantum hybrid support to a crash or memory corruption when connecting to a malicious server. This is a bypass of the incomplete fix for CVE-2026-5460 shipped in 5.9.1 - the pointer alias between keyShareEntry->key and ecc_kse->key in TLSX_KeyShare_ProcessPqcHybridClient is not re-synchronized after the inner ECC processing function frees its copy, leaving a dangling pointer that TLSX_KeyShare_FreeAll later passes to wc_ecc_free and XFREE. No public exploit or CISA KEV listing exists; the CVSS 4.0 score of 2.3 reflects limited real-world impact due to high attack complexity and non-default build requirements.

Memory Corruption Use After Free Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Cryptographic decapsulation flaw in wolfSSL's ML-KEM-1024 (Kyber) x86-64 AVX2 code path (versions 5.7.0 through 5.9.1) breaks IND-CCA2 security by failing to compare the final 32-byte block of the 1568-byte ciphertext during the constant-time check, so the Fujisaki-Okamoto transform's mandatory implicit rejection is bypassed. An attacker acting as a chosen-ciphertext oracle can submit ciphertexts altered only in those trailing bytes and have decapsulation return the genuine shared secret rather than a rejection value. There is no public exploit identified at time of analysis, the EPSS score is very low (0.15%, 5th percentile), and CISA SSVC rates exploitation as none with partial technical impact.

Information Disclosure Wolfssl
NVD GitHub
EPSS 0% CVSS 1.0
LOW PATCH Monitor

Integer underflow in wolfSSL's PKCS#7 ORI decryption path allows a local low-privileged attacker to cause incorrect length computation during EnvelopedData parsing, resulting in low-severity availability impact. Specifically, when the OID embedded inside an implicit `[4] CONSTRUCTED` Other Recipient Info sequence consumes more bytes than the field's declared length, the `word32` subtraction for `oriValueSz` wraps around to a near-maximal unsigned value, feeding corrupted length data to downstream decryption logic. No public exploit has been identified and no CISA KEV listing exists; exploitation requires local access, high complexity, and passive processing of crafted input by the target application.

Integer Overflow Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.

Information Disclosure Golang Org X Image Tiff
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.

Information Disclosure Golang Org X Image Webp Red Hat
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Out-of-bounds heap read in wolfSSL's SM2/SM3 certificate parser exposes applications to remote denial of service when processing malformed certificates. During Subject Key Identifier computation in SM3wSM2 certificate verification, the library unconditionally reads 65 bytes from the public key field without first validating that the key is at least that long - a crafted certificate with a sub-65-byte public key triggers a heap over-read, crashing the process. This vulnerability is scoped exclusively to wolfSSL builds compiled with SM2 support (--enable-sm2 or --enable-all), and no public exploit or CISA KEV listing exists at time of analysis.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Certificate chain validation bypass in wolfSSL's OpenSSL-compatibility layer permits a crafted intermediate CA certificate asserting CA:TRUE but missing the keyCertSign key usage bit to be accepted as a valid signing CA during path building. Affected deployments are those compiled with OPENSSL_EXTRA or OPENSSL_ALL that use the X509_verify_cert/X509_STORE API; native wolfSSL verification is entirely unaffected. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the integrity risk is concrete for any application relying on wolfSSL's OpenSSL-compat path for mutual TLS or client certificate authentication.

OpenSSL Information Disclosure Wolfssl
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Out-of-bounds read in RTKLIB through 2.4.3 exposes users to denial of service and potential memory disclosure when processing maliciously crafted RINEX observation files. The getcodepri function fails to validate unrecognized observation codes, performing negative array indexing into the codepris table - producing reliable crashes and leaking adjacent global data segments. A publicly available proof-of-concept exists via the upstream GitHub issue tracker; this CVE is not listed in the CISA KEV catalog, and no EPSS data was provided in available intelligence.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Server-side request forgery in NewsBlur's add_url endpoint allows any authenticated user to direct the server to issue arbitrary HTTP requests to private, loopback, or link-local addresses, including cloud instance metadata services. All NewsBlur deployments prior to version 14.5.0 (CPE: cpe:2.3:a:samuelclay:newsblur) are affected. An attacker with a valid account can supply a URL resolving to 169.254.169.254 or other internal addresses, enabling exfiltration of cloud provider IAM credentials and internal network reconnaissance. No public exploit identified at time of analysis, though patch commits are publicly available on GitHub and document the exact missing validation check.

SSRF Information Disclosure Newsblur
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Out-of-bounds read in Horner Automation Cscape prior to 10.2 SP3 lets an attacker who supplies a malicious CSP project file disclose memory contents and, per the advisory, achieve arbitrary code execution within the engineering workstation. Cscape is the configuration/programming environment for Horner OCS controllers, so the target is the engineer's PC rather than the PLC itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Buffer Overflow Information Disclosure +1
NVD
CVSS 7.5
HIGH PATCH This Week

Unauthenticated authentication bypass in OpenAM Community Edition (Open Identity Platform fork) through version 16.0.6 lets a network attacker spoof a RADIUS Access-Accept response and obtain a valid OpenAM session for any RADIUS-mapped username, without knowing the shared secret. The flaw stems from the RADIUS client accepting the first inbound UDP datagram as authoritative while skipping source, identifier, and Response Authenticator checks, making it materially easier to exploit than BlastRADIUS (CVE-2024-3596) since no MD5 chosen-prefix forgery is needed. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix is confirmed in version 16.1.1.

Jwt Attack Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

{ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml files into registry request URLs and credentials. When a developer clones and runs pnpm install in a crafted repository, the package manager resolves dependency requests against attacker-controlled registry endpoints, transmitting whatever environment variables (tokens, API keys, credentials) the victim has set in their shell. Critically, this exfiltration occurs during dependency resolution - before lifecycle scripts execute - meaning mitigations like --ignore-scripts do not prevent the data leak. No public exploit or CISA KEV listing is identified at time of analysis.

Information Disclosure Pnpm
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Missing integrity verification in pnpm's GitHub codeload dependency resolution (versions prior to 10.33.4 and 11.0.7) enables a compromised or man-in-the-middle `codeload.github.com` server to deliver arbitrary malicious tarballs that pnpm installs without hash validation. Any developer project that sources dependencies from GitHub via pnpm is exposed when running `pnpm install` on affected versions, with potential for arbitrary code execution during the install lifecycle. No public exploit code exists and there is no CISA KEV listing, but the theoretical impact includes full developer workstation compromise and downstream supply chain contamination.

Information Disclosure Pnpm
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Credential leakage in pnpm package manager versions prior to 10.34.0 and 11.4.0 exposes a developer's unscoped npm authentication token to attacker-controlled registries. When a project-level .npmrc overrides the registry URL without supplying its own auth token, pnpm incorrectly inherits and forwards the user's globally-configured unscoped _authToken to that foreign registry as an Authorization header. No public exploit has been identified at time of analysis, though the real-world impact is severe - a captured npm token can enable supply chain attacks via malicious package publishing.

Node.js Information Disclosure Pnpm
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Keystream reuse in wolfSSL's streaming AES-GCM API exposes ciphertext to partial plaintext recovery when a single session accumulates more than 64 GiB of data, violating NIST SP 800-38D counter limits due to unguarded internal counter wrap. All wolfSSL versions are affected per wildcard CPE (cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*), with the flaw present in both AES-GCM and AES-CCM streaming paths. Exploitation is constrained to local access with low privileges, high attack complexity, and the operationally unusual prerequisite of processing tens of gigabytes in a single uninterrupted streaming session; no public exploit identified at time of analysis.

Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Insecure temporary file handling in Claude Code's `/copy` command exposes privileged users on multi-user systems to two distinct local attacks: passive response disclosure and symlink-based arbitrary file write. The command unconditionally writes AI response content to `/tmp/claude/response.md` - a static, world-readable path in a world-traversable directory - enabling any local user to read output that may contain secrets, credentials, or sensitive data. A more capable local attacker can pre-plant a symlink at the predictable path, causing a privileged process's `/copy` invocation to overwrite an attacker-chosen file. Affected versions span `@anthropic-ai/claude-code` 2.1.59 through 2.1.127; no public exploit has been identified at time of analysis, and no CISA KEV listing exists.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Signature-verification bypass in wolfSSL's OpenSSL compatibility layer allows a degenerate (certs-only) PKCS#7 object - one with empty signerInfos and no actual signature - to be falsely reported as verified by wolfSSL_PKCS7_verify(). Applications using the PKCS7_verify() compat API to authenticate attacker-supplied PKCS#7/CMS bundles can be tricked into treating unsigned content as authentic, undermining integrity guarantees. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the underlying defect is a classic improper-signature-verification (CWE-347) issue with a CVSS 4.0 base score of 8.2.

Jwt Attack OpenSSL Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Arbitrary command execution in pnpm before 10.34.0 and 11.4.0 allows a malicious lockfile to run code on a developer's machine during `pnpm install`. Because pnpm passes the lockfile-controlled `resolution.commit` to `git fetch`/`git checkout` without a `--` separator or 40-hex-character validation, an attacker can substitute the expected commit hash with a Git option such as `--upload-pack=<command>`, which Git executes for SSH and local (file://) transports. Publicly available exploit code exists (POC), but there is no public exploit identified as actively exploited; EPSS is low (0.17%, 7th percentile), consistent with a developer-targeted supply-chain vector rather than mass internet scanning.

Information Disclosure Pnpm
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Lockfile integrity bypass in the pnpm package manager (versions below 10.34.0, and 11.0.0 through 11.4.0) lets a malicious or compromised registry override a package version's previously recorded hash. On a plain `pnpm install` in non-frozen mode, pnpm detects the tarball-vs-lockfile integrity mismatch, warns, then silently performs a 'resolution repair' that accepts the registry's new integrity, rewrites pnpm-lock.yaml, and installs the substituted content while exiting 0. Publicly available exploit code exists (a full reproduction scenario is published in the GitHub advisory), but there is no public exploit identified as used in active attacks; EPSS is low at 0.11%.

Information Disclosure Pnpm
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Integrity-check bypass in the pnpm package manager (versions before 10.34.0/10.34.1 and 11.0.0-11.3.x) lets tampered packages install silently because the tarball extraction worker skips hash verification whenever the lockfile resolution has no `integrity` field. An attacker who can both edit `pnpm-lock.yaml` to drop the `integrity:` line and cause the referenced registry URL to serve altered content can push a malicious package through `pnpm install --frozen-lockfile` without any integrity error - a fail-open gap that npm's `npm ci` does not share. Publicly available exploit code exists; EPSS is low (0.12%, 2nd percentile) and the issue is not in CISA KEV.

Node.js Information Disclosure Pnpm
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Certificate chain validation bypass in wolfSSL's OpenSSL compatibility layer allows a network attacker to present a chain terminating at an untrusted intermediate they control, which is accepted as valid when X509_V_FLAG_PARTIAL_CHAIN is enabled. The flaw (CWE-295) resided in wolfSSL_X509_verify_cert, where the partial-chain fallback confirmed only that some intermediate was temporarily loaded into the CertManager during path building - not that the terminal certificate was in the caller's actual trust store. No public exploit code exists and no CISA KEV listing is present, but successful exploitation defeats certificate validation entirely, enabling impersonation or MITM in affected configurations.

OpenSSL Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

wolfSSL's PKCS#7 EnvelopedData decryption leaks RSA PKCS#1 v1.5 padding validity through distinguishable error codes, enabling a classic Bleichenbacher-style padding oracle attack that allows incremental recovery of the Content Encryption Key (CEK). All wolfSSL versions using PKCS#7 Key Transport Recipient Info (KTRI) with RSA PKCS#1 v1.5 are affected when the decryption interface exposes caller-observable error differentiation. A low-privileged attacker able to submit crafted EnvelopedData messages and observe server error responses can mount an adaptive chosen-ciphertext attack to recover session keys without knowledge of the RSA private key; no public exploit or CISA KEV listing has been identified at time of analysis.

Oracle Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Build-script approval bypass in the pnpm package manager (versions before 10.34.2, and 11.0.0 through 11.5.2) lets an attacker-controlled dependency source run lifecycle scripts that a user only approved for a different, legitimate source. The generic peer-suffix normalizer stripped parenthesized text from opaque locators (git, URL, tarball, file), so two distinct sources could normalize to the same allowBuilds key - meaning approval of foo@https://host/pkg.tgz also authorized foo@https://host/pkg.tgz(evil). Publicly available exploit code exists (SSVC: poc) and technical impact is total, though EPSS is low at 0.11% and it is not in CISA KEV.

Information Disclosure Pnpm
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Heap buffer overread in wolfSSL's PKCS7 EnvelopedData parser allows network-reachable attackers to trigger a low-impact availability disruption or potential memory disclosure by supplying a crafted S/MIME or CMS message. The root cause is a missing integer-overflow-safe bounds check before XMEMCPY calls in wc_PKCS7_DecodeEnvelopedData, wc_PKCS7_DecodeAuthEnvelopedData, and wc_PKCS7_DecodeEncryptedData - all three paths lacked validation that idx + encryptedContentSz does not exceed the input buffer. No public exploit code has been identified at time of analysis, and wolfSSL's own CVSS 4.0 vector classifies attack requirements as present (AT:P), meaning exploitation is not straightforwardly reliable.

Buffer Overflow Information Disclosure Wolfssl
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Red Hat Build of Keycloak allows realm administrators holding the 'manage-realm' role to probe arbitrary filesystem paths by submitting unsanitized path values as keystore parameters during key provider component creation. The Keycloak process's file access attempt reveals whether a given path exists and is readable, functioning as a filesystem oracle for authenticated attackers. No public exploit code or active exploitation has been identified at time of analysis; the CVSS score of 4.9 (PR:H) reflects the significant constraint of requiring realm administrator credentials prior to exploitation.

Path Traversal Information Disclosure Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Authorization bypass in Red Hat Build of Keycloak's UMA engine lets an authenticated user who holds a valid permission ticket for a single resource escalate access to all resources of the same type on the resource server by crafting a specific permission request prefix. The bypass is silently permitted when the resource server operates in PERMISSIVE enforcement mode with ownerManagedAccess enabled and no explicit type-level policy in place. No public exploit code exists and this CVE is not listed in CISA KEV at time of analysis, but the low attack complexity and network vector make this a credible internal-privilege escalation path in affected Keycloak deployments.

Authentication Bypass Information Disclosure Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Keycloak's client registration service fails to invalidate Registration Access Tokens (RATs) when an administrator explicitly disables a client, allowing any holder of a previously issued RAT to re-enable that client and reset its secret. Affected product is Red Hat Build of Keycloak (all versions per available CPE data). An attacker who retains or obtains a valid RAT for a disabled client can restore its operational status, reset OAuth2/OIDC credentials, and resume unauthorized API access - directly undermining an administrator's intentional revocation action. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Red Hat Build Of Keycloak
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Access-token theft in LibreChat before 0.8.5 lets a malicious MCP (Model Context Protocol) server hijack OAuth tokens minted for a legitimate server, because the client never checks that the RFC 9728 resource parameter matches the configured MCP server URL. Any LibreChat operator who connects their instance to an attacker-controlled MCP server can have the OAuth access tokens intended for a trusted server silently exfiltrated. SSVC rates technical impact as total and a proof-of-concept is referenced, but there is no public exploit weaponization and EPSS exploitation probability is very low (0.11%); it is fixed in 0.8.5.

Information Disclosure Librechat
NVD GitHub VulDB
Prev Page 17 of 741 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
66671

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy