Information Disclosure
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.
How It Works
Disclosure happens through several channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses, returning full user objects when only a name is needed, or revealing system internals through metadata fields.
Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.
The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
Impact
- Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
- Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
- Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
- Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
- Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures
Real-World Examples
A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.
Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.
Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.
Mitigation
- Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
- Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
- Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
- Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
- Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
- Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
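The mitigations above, as an added example that is not from the original page: a Python login handler in its leaky form beside its hardened form (one uniform error message, a dummy hash so unknown and known usernames cost the same time, an allowlisted response body), plus a generic exception handler that keeps the trace server-side and a helper that strips version banners. The user store, salt, field names and secret values are constructed for the example.

```python
import hashlib
import hmac
import logging
import secrets

log = logging.getLogger("auth")

GENERIC_LOGIN_ERROR = "Invalid username or password."
# Allowlist of user fields a login response may contain; everything else is dropped.
PUBLIC_USER_FIELDS = frozenset({"username", "email", "role"})


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store; the fixed salt only keeps the sample reproducible.
_SALT = b"\x01" * 16
USERS = {
    "alice": {
        "username": "alice",
        "email": "alice@example.test",
        "role": "admin",
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse", _SALT),
        "api_key": "constructed-secret-api-key",    # must never leave the server
        "internal_host": "db-01.internal.example",  # architecture detail, likewise
    }
}
# Hash compared against when the username is unknown, so that path performs the
# same work as a real comparison and response time does not reveal valid accounts.
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _SALT)


def minimize(record: dict, allowlist: frozenset) -> dict:
    """Response minimization: keep only allowlisted fields."""
    return {k: v for k, v in record.items() if k in allowlist}


def login_leaky(username: str, password: str):
    """'Before': distinct errors enumerate accounts; success returns the whole record."""
    user = USERS.get(username)
    if user is None:
        return 401, {"error": "user not found"}  # unknown user: fast path, no hashing
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return 401, {"error": "invalid password"}
    return 200, user  # leaks api_key, internal_host and the password hash


def login_hardened(username: str, password: str):
    """'After': one error message, uniform work, allowlisted response."""
    user = USERS.get(username)
    salt = user["salt"] if user else _SALT
    expected = user["pw_hash"] if user else _DUMMY_HASH
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if user is None or not ok:
        log.info("failed login attempt for %r", username)  # detail stays server-side
        return 401, {"error": GENERIC_LOGIN_ERROR}
    return 200, minimize(user, PUBLIC_USER_FIELDS)


def handle_exception(exc: BaseException):
    """Generic error page: the stack trace goes to the log, never to the client."""
    log.error("unhandled exception", exc_info=exc)
    return 500, {"error": "An internal error occurred."}


def harden_headers(headers: dict) -> dict:
    """Strip version banners and add X-Content-Type-Options: nosniff."""
    out = {k: v for k, v in headers.items() if k.lower() not in ("server", "x-powered-by")}
    out["X-Content-Type-Options"] = "nosniff"
    return out


if __name__ == "__main__":
    print(login_leaky("bob", "x"), login_leaky("alice", "x"))
    print(login_hardened("bob", "x"), login_hardened("alice", "x"))
    print(login_hardened("alice", "correct horse"))
```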
Recent CVEs (12556)
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables chain registration allows local attackers with user privileges to trigger memory corruption and cause a denial of service, potentially leading to privilege escalation. The flaw occurs when hook registration fails during chain addition, allowing concurrent operations to access freed memory without proper RCU synchronization. The vulnerability affects systems running vulnerable Linux kernels with netfilter enabled, and no patch is currently available.
Dell PowerScale OneFS versions before 9.10.1.6 and 9.11.0.0 through 9.12.0.1 contain an uncontrolled search path vulnerability that allows high-privileged local attackers to achieve privilege escalation, information disclosure, and denial of service. The vulnerability requires local access and high privileges to exploit, making it suitable primarily for insider threats or attackers who have already gained initial system access. No patch is currently available for affected systems.
PowerScale OneFS versions up to 9.10.1.6 are affected by execution with unnecessary privileges (CVSS 6.7).
Privilege escalation in Dell PowerScale OneFS versions before 9.10.1.6 and 9.11.0.0 through 9.12.0.1 stems from incorrect privilege assignment that allows local attackers with low privileges to gain elevated access. An attacker with local system access and user interaction can exploit this vulnerability to achieve complete system compromise through unauthorized privilege elevation.
Incorrect default file permissions in Dell PowerScale OneFS versions before 9.10.1.6 and 9.11.0.0 through 9.12.0.1 allow high-privileged local attackers to achieve code execution, privilege escalation, and information disclosure. The vulnerability requires local access and high privileges to exploit, but no patch is currently available. Affected organizations should implement access controls and monitor for unauthorized local activity until an update is released.
The Seraphinite Accelerator WordPress plugin through version 2.28.14 fails to validate user permissions on the `seraph_accel_api` AJAX endpoint, allowing authenticated subscribers and above to access sensitive operational data including cache status and database state. An attacker with a basic WordPress account can exploit the missing capability checks in the `OnAdminApi_GetData()` function to enumerate system information without administrative rights. No patch is currently available for this information disclosure vulnerability.
SEPPmail Secure Email Gateway versions prior to 15.0.1 fail to properly isolate decrypted PGP message content from surrounding plaintext, enabling attackers to access encrypted sensitive information over the network without authentication. This high-severity flaw affects organizations relying on SEPPmail for secure email handling and exposes confidential data despite encryption protections. No patch is currently available for this vulnerability.
SEPPmail versions up to 15.0.1 are affected by improper verification of cryptographic signature (CVSS 5.3).
SEPPmail Secure Email Gateway versions before 15.0.1 misinterpret email addresses in message headers, enabling attackers to spoof sender identities or decrypt encrypted communications due to inconsistent header parsing with standard mail infrastructure. This unauthenticated network-based vulnerability affects all default installations with no available patch, presenting significant risk to organizations relying on the gateway for email security.
Behavioral control bypass in Devolutions Server 2025.3.15 allows authenticated users to exploit delete permissions.
Information disclosure in OpenEMR from 5.0.2 to before 8.0.0 exposes sensitive data. PoC and patch available.
Unauthenticated token disclosure in OpenEMR before 8.0.0. CVSS 10.0. PoC and patch available.
MariaDB Server through version 11.8.5 fails to audit SQL statements when the server audit plugin is enabled and queries are prefixed with SQL comments (-- or #), allowing authenticated database users to execute DDL, DML, or DCL commands without logging. This bypass affects Relational Database Service, Aurora MySQL, and MariaDB deployments relying on audit logging for compliance and security monitoring. An attacker with database credentials could perform unauthorized administrative or data manipulation operations while evading audit trails.
Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to store credentials in plaintext in the component uac_temp.db. [CVSS 7.5 HIGH]
Tranzman versions up to 4.0 are affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
An out-of-bounds read vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information leak. [CVSS 6.1 MEDIUM]
Default admin credentials in OpenMQ message broker. Shipped with known default admin password.
A vulnerability in a component used in the Gallagher Hanwha VMS and Gallagher NxWitness VMS integrations allows unprivileged users with local network access to view live video streams. Gallagher NxWitness VMS integration versions up to 9.10.017 are affected by cleartext transmission of sensitive information (CVSS 5.6).
An embedded test key and certificate could be extracted from a Poly Voice device using specialized reverse engineering tools. This extracted certificate could be accepted by a SIP service provider if the service provider does not perform proper validation of the device certificate.
Out-of-bounds read in Exiv2's CRW image parser allows remote attackers to cause denial of service and potentially disclose sensitive memory contents through crafted image files. Versions prior to 0.28.8 are affected, and public exploit code exists for this vulnerability. A patch is available that administrators should deploy immediately to prevent exploitation.
MediaProvider on Android lacks proper permission validation in the isRedactionNeededForOpenViaContentResolver function, allowing local attackers to infer the precise locations of media files without requiring special privileges or user interaction. This information disclosure vulnerability affects any application with local access to the device, and while the CVSS score is moderate, no patch is currently available.
Contact information exposure in Android's notification system allows local attackers to extract sensitive user data through a logic error in the setHideSensitive function, requiring no special privileges or user interaction. The vulnerability affects the ExpandableNotificationRow component where contact names can be inadvertently disclosed despite intended privacy protections. No patch is currently available for this medium-severity flaw.
App pinning bypass in Android's KeyguardServiceDelegate allows unauthenticated local attackers to interact with restricted applications without the lock screen knowledge factor (LSKF) due to insufficient permission validation. The vulnerability enables limited information disclosure through unauthorized app access with no additional privileges or user interaction required. No patch is currently available.
In multiple locations, there is a possible information disclosure due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]
In jump_to_payload of payload.rs, there is a possible information disclosure due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. [CVSS 5.5 MEDIUM]
Android versions up to 14.0 contain a vulnerability that allows attackers to perform local escalation of privilege with no additional execution privileges needed (CVSS 7.4).
Android versions up to 14.0 are affected by cleartext transmission of sensitive information (CVSS 6.5).
NocoDB versions prior to 0.301.3 fail to invalidate refresh tokens during password resets, enabling attackers with previously compromised tokens to continue generating valid session tokens despite the victim changing their password. An authenticated attacker can exploit this to maintain unauthorized access to user accounts without requiring the new credentials. This vulnerability requires prior token compromise but allows indefinite session hijacking until the stolen token naturally expires.
NocoDB versions prior to 0.301.3 store shared view passwords in plaintext and validate them using simple string comparison, allowing attackers with database access to trivially recover authentication credentials. This affects all users relying on shared view password protection for access control. No patch is currently available for affected deployments.
NocoDB versions prior to 0.301.3 expose user enumeration through the password reset endpoint, which returns distinguishable responses for valid and invalid email addresses. An unauthenticated attacker can exploit this to identify registered users in the system. This vulnerability requires no user interaction and has a CVSS score of 5.3, though no patch is currently available.
ZimaOS 1.5.2-beta3 lacks proper path validation in its API, allowing authenticated users to bypass frontend restrictions and write files to protected system directories such as /etc and /usr. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to modify critical OS files and potentially achieve code execution. No patch is currently available.
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. [CVSS 7.1 HIGH]
5G Fixed Wireless Access Platform Firmware versions up to - contain a cryptographic issue that arises when a VoWiFi call is triggered from the UE (CVSS 7.2).
Cryptographic issue when a shared VM reference allows the HLOS to reach the boot loader and access the cert chain. [CVSS 7.1 HIGH]
The CGM CLININET application responds without essential security HTTP headers, exposing users to client-side attacks such as clickjacking, MIME sniffing, unsafe caching, weak cross-origin isolation, and missing transport security controls. [CVSS 4.3 MEDIUM]
The CGM CLININET system provides smart card authentication; however, authentication is conducted locally on the client device, and, in reality, only the certificate number is used for access verification. [CVSS 7.8 HIGH]
Device unique identifiers in the preloader of Openwrt, Android, Yocto, RDK-B, and Zephyr can be read by attackers with physical access due to a logic error, leading to local information disclosure without requiring additional privileges or user interaction. This vulnerability affects multiple embedded and IoT platforms where the preloader executes before operating system initialization. No patch is currently available for this issue.
Android's display component fails to validate buffer boundaries during read operations, allowing a system-privileged attacker to access sensitive memory contents without user interaction. This out-of-bounds read vulnerability enables local information disclosure to any malicious process running with System privileges. No patch is currently available to address this issue.
Android's display component contains an out-of-bounds read vulnerability stemming from insufficient bounds validation, allowing system-privileged attackers to disclose sensitive memory contents without user interaction. The vulnerability requires pre-existing system-level access but poses a high confidentiality risk through local information disclosure. No patch is currently available.
A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. [CVSS 6.3 MEDIUM]
Web-Based Pharmacy Product Management System versions up to 1.0 are affected by insufficient session expiration (CVSS 3.1).
wpForo Forum 2.4.14 fails to properly enforce access controls on its RSS feed endpoint, enabling unauthenticated attackers to enumerate and access private or unapproved forum topics. By omitting the forum ID parameter in RSS feed requests, attackers bypass privacy filters that would normally restrict visibility of sensitive content. This information disclosure vulnerability affects forum administrators and users who rely on topic privacy settings to protect sensitive discussions.
Malcontent versions before 1.21.0 fail to preserve nested archives that cannot be extracted, potentially allowing malicious content to evade detection during supply-chain compromise analysis. An attacker could exploit this by embedding malicious payloads in problematic nested archives that the tool would discard without scanning. The vulnerability has a patch available in version 1.21.0 and later.
Dify versions prior to 1.9.0 leak information through inconsistent API responses that distinguish between registered and non-registered email addresses, enabling attackers to enumerate valid user accounts. Public exploit code exists for this vulnerability, and affected users should upgrade to version 1.9.0 or later to remediate the information disclosure risk.
Integer overflow in pillow_heif Python library before 1.3.0 leads to out-of-bounds read when processing HEIF images, potentially causing information disclosure or crashes. PoC and patch available.
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. [CVSS 7.3 HIGH]
Out-of-bound read vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to obtain limited information disclosure from the machine where VMware Workstation is installed. [CVSS 2.7 LOW]
SL902-SWTGW124AS Firmware versions up to 200.1.20 contain a vulnerability that allows attackers to change account passwords without verifying the current password (CVSS 7.1).
SL902-SWTGW124AS Firmware versions up to 200.1.20 are affected by cleartext transmission of sensitive information (CVSS 5.9).
Default credentials in SODOLA SL902-SWTGW124AS network switch firmware allow unauthenticated remote access. Default credentials are publicly known, enabling complete device takeover.
The authentication configuration in PowerShell Universal versions up to 2026.1.3 is affected by cleartext storage of sensitive information.
Input validation vulnerability in Centreon Open Tickets module allows authenticated attackers to manipulate ticket data, potentially affecting monitored infrastructure integrity.
Session fixation vulnerability in PluXml CMS allows attackers to set session identifiers before authentication, enabling session hijacking after the victim logs in.
Unauthenticated RCE and information disclosure via Local File Inclusion in Johnson Controls Frick Controls. Fifth critical vulnerability in the product line, enabling arbitrary file reads and code execution.
A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. [CVSS 6.7 MEDIUM]
A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. [CVSS 6.7 MEDIUM]
A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. [CVSS 6.7 MEDIUM]
An authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass. [CVSS 5.0 MEDIUM]
A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package. [CVSS 6.3 MEDIUM]
Insufficient protection mechanisms in the Health Module may lead to partial information disclosure. [CVSS 3.3 LOW]
Multiple IpTIME router firmware versions (T5008, AX2004M, AX3000Q, AX6000M) through 15.26.8 contain an authentication bypass vulnerability that exposes sensitive information to unauthenticated remote attackers. An attacker can leverage this flaw to access confidential device data without valid credentials. No patch is currently available for affected devices.
An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to read arbitrary files on the system, and potentially causing a denial-of-service attack. [CVSS 3.7 LOW]
Improper authorization in Free CRM's Security API endpoint allows authenticated remote attackers to bypass access controls and gain unauthorized access to sensitive data or functionality. The vulnerability affects an unknown component within /api/Security/ and has public exploit code available, though no patch is currently available from the vendor. Free CRM's rolling release model prevents specific version tracking, and the vendor has not responded to disclosure attempts.
Unauthenticated attackers can manipulate the Administrative Interface in Free CRM to achieve code execution following a redirect attack. The vulnerability affects Free CRM up to commit b83c40a and requires only network access and low privileges, with public exploit code already available. No patch is currently available, and the vendor has not responded to disclosure attempts.
Unauthenticated access to uploaded files in Initiative project management platform prior to version 0.32.2 allows remote attackers to retrieve sensitive documents by directly accessing the unprotected /uploads/ directory. The vulnerability stems from missing authentication and authorization controls on file serving, enabling disclosure of confidential project data without requiring any credentials. Initiative versions 0.32.2 and later contain patches to restrict access to uploaded documents.
Initiative project management platform versions before 0.32.4 fail to revoke JWT tokens when users change their passwords, allowing authenticated attackers with knowledge of old credentials to maintain API access through unexpired tokens. An attacker can exploit this to access protected endpoints and sensitive project data even after legitimate password changes. Public exploit code exists for this vulnerability.
Hoppscotch prior to version 2026.2.0 contains authorization bypass vulnerabilities in its environment management APIs that allow any authenticated user to read, modify, or delete other users' environments without ownership validation. The affected mutations lack proper user identity verification, enabling attackers to access stored API keys, authentication tokens, and secrets contained within targeted environments. Public exploit code exists for this vulnerability and no patch is currently available.
Information disclosure in EverShop e-commerce platform before 2.1.1 through the Forgot Password functionality. API responses reveal sensitive information when invalid data is submitted.
Weblate versions prior to 5.16.1 fail to properly restrict API access to addon data, allowing authenticated users to enumerate and access all addons across every project and component in the system. An attacker with valid credentials can query the REST API endpoints to retrieve sensitive addon information that should be scoped to their assigned permissions. This information disclosure vulnerability is fixed in version 5.16.1.
Discourse's posts_nearby function fails to properly filter whispered posts based on user permissions, allowing authenticated users with high privileges to view confidential whispers intended only for specific recipients. The vulnerability stems from inadequate post-type filtering that bypasses guardian-based access controls. No patch is currently available for affected versions prior to 2025.12.2, 2026.1.1, and 2026.2.0.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an insecure direct object reference (IDOR) in the directory items endpoint that allows unauthenticated attackers to retrieve private user field values for all directory users. The vulnerability stems from missing authorization checks on the user_field_ids parameter, enabling bulk exfiltration of sensitive user data that should be restricted by visibility settings. No patch is currently available for affected deployments.
The discourse-policy plugin in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 fails to verify user permissions when processing policy actions, allowing authenticated users to accept or reject policies on posts they cannot access in private categories or private messages. Attackers can exploit this authorization bypass to manipulate policies on restricted content and enumerate post IDs with policies through error message differences. The vulnerability requires authentication but affects the confidentiality and integrity of policy-protected discussions.
WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder contains a security vulnerability (CVSS 6.5).
PcVue versions 12.0.0 through 16.3.3 lack Secure and SameSite cookie attributes in the GraphicalData web services and WebClient application, enabling attackers to intercept session cookies over unencrypted connections and perform cross-site request forgery attacks. This vulnerability affects organizations using the affected PcVue versions and could allow unauthorized actions on behalf of authenticated users. No patch is currently available for this medium-severity issue.
PcVue versions 12.0.0 through 16.3.3 use the deprecated OAuth Resource Owner Password Credentials flow in their web services, enabling remote attackers to steal user credentials without authentication or user interaction. The vulnerability affects WebVue, WebScheduler, TouchVue, and Snapvue components and carries a high severity rating with no patch currently available.
PcVue versions 12.0.0 through 16.3.3 lack origin validation on WebSocket connections in the GraphicalData service, enabling cross-site WebSocket hijacking attacks against authenticated users. An attacker can trick a logged-in user into visiting a malicious site to compromise the confidentiality and integrity of their PcVue session. No patch is currently available for this medium-severity vulnerability.
The Terraform Provider for Linode prior to version 3.9.0 exposes sensitive credentials including passwords and API tokens in debug logs when debug logging is explicitly enabled. Authenticated attackers with access to these logs through CI/CD pipelines, log aggregation systems, or shared debug output can extract exposed secrets. This vulnerability requires an authenticated user and debug logging activation, making it exploitable primarily in environments where logging is intentionally enabled for troubleshooting.
Zitadel versions 2.31.0 through 3.4.6 and 4.10.x accept truncated opaque OIDC access tokens as valid when shortened to 80 characters, allowing attackers to bypass token validation and gain unauthorized access to protected resources. This affects deployments using the v2 token format where the symmetric encryption scheme fails to properly validate token length, enabling token forgery or reuse attacks.
Session hijacking in Manyfold prior to version 0.133.0 allows unauthenticated attackers to steal user session cookies through proxy cache leakage, potentially gaining unauthorized access to self-hosted 3D model collections. Public exploit code exists for this vulnerability, and no patch is currently available for affected versions. This attack requires user interaction and can result in complete account compromise without data modification capabilities.
Improper access control in the Role Handler component of fosrl Pangolin up to version 1.15.4-s.3 allows authenticated remote attackers to bypass role and API key verification checks. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to gain unauthorized access to protected functionality. Users should upgrade to version 1.15.4-s.4 or later to remediate this issue.
Weak password policy in Vikunja task management before 2.0.0 allows users to set trivially guessable passwords. PoC available.
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 7.5 HIGH]
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 4.3 MEDIUM]
Rucio's WebUI login endpoint prior to versions 35.8.3, 38.5.4, and 39.3.1 discloses whether usernames exist through differential error messages, enabling unauthenticated attackers to enumerate valid accounts. Public exploit code exists for this username enumeration vulnerability. The issue affects all unpatched Rucio installations and requires upgrading to the fixed versions.
Devolutions Server 2025.3.14 and earlier stores sensitive user account information in plaintext within the database, enabling attackers with database access to extract this data without authentication. This vulnerability affects deployments where database security is compromised or where privileged users have malicious intent. No patch is currently available.
OpenEMR versions prior to 8.0.0 contain an authorization bypass in the FHIR CareTeam endpoint that allows authenticated users with patient-scoped tokens to retrieve care team information for all patients rather than only their own, potentially exposing Protected Health Information across the entire system. The vulnerability exists because the service fails to enforce patient compartment filtering, and public exploit code is available. Security professionals should prioritize patching to version 8.0.0 or later to prevent unauthorized PHI disclosure.