Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Disclosure happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses, returning full user objects when only a name is needed or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
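The "invalid password" versus "user not found" difference described above, next to a handler that removes it, as an added example that is not part of the original page. The user store, the PBKDF2 parameters and all function names are constructed for illustration; `distinguishable` is a regression check a defender can run against a login handler.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value, kept low so the example runs quickly


def derive(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Create a stored credential record with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt)}


# Constructed in-memory user store standing in for a real database.
USERS = {"alice": make_record("correct horse battery staple")}

# Decoy record: hashed against when the username is unknown, so both code
# paths perform the same key derivation and take comparable time.
DECOY = make_record("decoy value, never accepted")


def login_leaky(username: str, password: str) -> dict:
    """Before: distinct status and message per failure, plus an early return
    that skips the expensive hash for unknown users (a timing difference)."""
    record = USERS.get(username)
    if record is None:
        return {"status": 404, "error": "user not found"}
    if not hmac.compare_digest(derive(password, record["salt"]), record["hash"]):
        return {"status": 401, "error": "invalid password"}
    return {"status": 200, "user": username}


def login_uniform(username: str, password: str) -> dict:
    """After: one failure response and the same work on every path."""
    record = USERS.get(username)
    known = record is not None
    target = record if known else DECOY
    # Always derive and compare, even when the user does not exist.
    matches = hmac.compare_digest(derive(password, target["salt"]), target["hash"])
    if known and matches:
        return {"status": 200, "user": username}
    return {"status": 401, "error": "invalid username or password"}


def distinguishable(login) -> bool:
    """Return True if the handler answers an unknown user differently from a
    known user with a wrong password (the enumeration signal)."""
    unknown_user = login("mallory", "wrong")
    wrong_password = login("alice", "wrong")
    return unknown_user != wrong_password


if __name__ == "__main__":
    print("leaky handler distinguishable:  ", distinguishable(login_leaky))
    print("uniform handler distinguishable:", distinguishable(login_uniform))
```

The same response comparison belongs on password-reset and registration endpoints, which often reintroduce the difference after the login form has been fixed.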

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
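The generic error page and response minimization items above, as an added example that is not part of the original page. The user record, field names, file path and the incident-id convention are constructed assumptions; the blocklist serializer is kept beside the allowlist one to show what happens when a new sensitive column is added later.

```python
import io
import logging
import uuid

# Allowlist: the only fields this endpoint is ever permitted to return.
PUBLIC_USER_FIELDS = ("id", "display_name")

# Constructed database row. "api_token" stands for a column added after the
# serializer was written.
USER_ROW = {
    "id": 7,
    "display_name": "Alice",
    "email": "alice@example.test",
    "password_hash": "constructed-hash-value",
    "api_token": "constructed-token-value",
}


def serialize_blocklist(row: dict) -> dict:
    """Before: hide known-sensitive fields. Anything not listed leaks."""
    hidden = {"password_hash"}
    return {k: v for k, v in row.items() if k not in hidden}


def serialize_allowlist(row: dict, fields=PUBLIC_USER_FIELDS) -> dict:
    """After: emit only named fields. New columns stay private by default."""
    return {k: row[k] for k in fields if k in row}


def make_capture_logger():
    """Build a logger that writes to an in-memory buffer, standing in for
    the server-side log destination."""
    buffer = io.StringIO()
    logger = logging.getLogger("app.errors." + uuid.uuid4().hex)
    logger.propagate = False
    logger.addHandler(logging.StreamHandler(buffer))
    return logger, buffer


def handle(view, logger) -> dict:
    """Run a view. On any exception, log the full traceback server-side and
    return a uniform body that carries only an opaque incident id."""
    try:
        return {"status": 200, "body": view()}
    except Exception:
        incident = uuid.uuid4().hex
        logger.exception("unhandled error incident=%s", incident)
        return {
            "status": 500,
            "body": {"error": "Internal server error", "incident": incident},
        }


def failing_view():
    """Constructed failure whose message contains an internal path."""
    raise RuntimeError("cannot open /srv/app/config/database.yml")


if __name__ == "__main__":
    log, buf = make_capture_logger()
    print("blocklist:", serialize_blocklist(USER_ROW))
    print("allowlist:", serialize_allowlist(USER_ROW))
    print("client sees:", handle(failing_view, log))
    print("server log:", buf.getvalue().splitlines()[0])
```

The incident id lets support staff find the logged traceback without the client ever seeing the path, exception type or framework details.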

Recent CVEs (12800)

EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Integer overflow in pillow_heif Python library before 1.3.0 leads to out-of-bounds read when processing HEIF images, potentially causing information disclosure or crashes. PoC and patch available.

Python Integer Overflow Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. [CVSS 7.3 HIGH]

Information Disclosure Seerr
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

Out-of-bound read vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to obtain limited information disclosure from the machine where VMware Workstation is installed. [CVSS 2.7 LOW]

VMware Information Disclosure
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SL902-SWTGW124AS firmware versions up to 200.1.20 contain a vulnerability that allows attackers to change account passwords without verifying the current password (CVSS 7.1).

Information Disclosure Sl902 Swtgw124as Firmware
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

SL902-SWTGW124AS firmware versions up to 200.1.20 are affected by cleartext transmission of sensitive information (CVSS 5.9).

Information Disclosure Sl902 Swtgw124as Firmware
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Default credentials in SODOLA SL902-SWTGW124AS network switch firmware allow unauthenticated remote access. Default credentials are publicly known, enabling complete device takeover.

Information Disclosure Sl902 Swtgw124as Firmware
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Authentication configuration in PowerShell Universal versions up to 2026.1.3 is affected by cleartext storage of sensitive information.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Input validation vulnerability in Centreon Open Tickets module allows authenticated attackers to manipulate ticket data, potentially affecting monitored infrastructure integrity.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Session fixation vulnerability in PluXml CMS allows attackers to set session identifiers before authentication, enabling session hijacking after the victim logs in.

Information Disclosure Pluxml
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated RCE and information disclosure via Local File Inclusion in Johnson Controls Frick Controls. Fifth critical vulnerability in the product line, enabling arbitrary file reads and code execution.

RCE Lfi Information Disclosure +1
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. [CVSS 6.7 MEDIUM]

Redhat Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. [CVSS 6.7 MEDIUM]

Redhat Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. [CVSS 6.7 MEDIUM]

Redhat Privilege Escalation Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

An authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass. [CVSS 5.0 MEDIUM]

Information Disclosure Redhat
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package. [CVSS 6.3 MEDIUM]

Information Disclosure Uv Redhat +1
NVD GitHub VulDB
EPSS 0% CVSS 3.3
LOW Monitor

Insufficient protection mechanisms in the Health Module may lead to partial information disclosure. [CVSS 3.3 LOW]

Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Multiple IpTIME router firmware versions (T5008, AX2004M, AX3000Q, AX6000M) through 15.26.8 contain an authentication bypass vulnerability that exposes sensitive information to unauthenticated remote attackers. An attacker can leverage this flaw to access confidential device data without valid credentials. No patch is currently available for affected devices.

Authentication Bypass Information Disclosure T5008 Firmware +3
NVD VulDB
EPSS 0% CVSS 3.7
LOW Monitor

An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to read arbitrary files on the system, and potentially causing a denial-of-service attack. [CVSS 3.7 LOW]

Path Traversal Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC This Month

Improper authorization in Free CRM's Security API endpoint allows authenticated remote attackers to bypass access controls and gain unauthorized access to sensitive data or functionality. The vulnerability affects an unknown component within /api/Security/ and has public exploit code available, though no patch is currently available from the vendor. Free CRM's rolling release model prevents specific version tracking, and the vendor has not responded to disclosure attempts.

Information Disclosure Free Crm
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

Unauthenticated attackers can manipulate the Administrative Interface in Free CRM to achieve code execution following a redirect attack. The vulnerability affects Free CRM up to commit b83c40a and requires only network access and low privileges, with public exploit code already available. No patch is currently available, and the vendor has not responded to disclosure attempts.

Information Disclosure Free Crm
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated access to uploaded files in Initiative project management platform prior to version 0.32.2 allows remote attackers to retrieve sensitive documents by directly accessing the unprotected /uploads/ directory. The vulnerability stems from missing authentication and authorization controls on file serving, enabling disclosure of confidential project data without requiring any credentials. Initiative versions 0.32.2 and later contain patches to restrict access to uploaded documents.

Authentication Bypass Information Disclosure Initiative
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC This Week

Initiative project management platform versions before 0.32.4 fail to revoke JWT tokens when users change their passwords, allowing authenticated attackers with knowledge of old credentials to maintain API access through unexpired tokens. An attacker can exploit this to access protected endpoints and sensitive project data even after legitimate password changes. Public exploit code exists for this vulnerability.

Information Disclosure Initiative
NVD GitHub
EPSS 0% CVSS 8.3
HIGH POC This Week

Hoppscotch prior to version 2026.2.0 contains authorization bypass vulnerabilities in its environment management APIs that allow any authenticated user to read, modify, or delete other users' environments without ownership validation. The affected mutations lack proper user identity verification, enabling attackers to access stored API keys, authentication tokens, and secrets contained within targeted environments. Public exploit code exists for this vulnerability and no patch is currently available.

Information Disclosure Hoppscotch
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Information disclosure in EverShop e-commerce platform before 2.1.1 through the Forgot Password functionality. API responses reveal sensitive information when invalid data is submitted.

Information Disclosure Evershop
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Weblate versions prior to 5.16.1 fail to properly restrict API access to addon data, allowing authenticated users to enumerate and access all addons across every project and component in the system. An attacker with valid credentials can query the REST API endpoints to retrieve sensitive addon information that should be scoped to their assigned permissions. This information disclosure vulnerability is fixed in version 5.16.1.

Information Disclosure Weblate Suse
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Discourse's posts_nearby function fails to properly filter whispered posts based on user permissions, allowing authenticated users with high privileges to view confidential whispers intended only for specific recipients. The vulnerability stems from inadequate post-type filtering that bypasses guardian-based access controls. No patch is currently available for affected versions prior to 2025.12.2, 2026.1.1, and 2026.2.0.

Information Disclosure Discourse
NVD GitHub
Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an insecure direct object reference (IDOR) in the directory items endpoint that allows unauthenticated attackers to retrieve private user field values for all directory users. The vulnerability stems from missing authorization checks on the user_field_ids parameter, enabling bulk exfiltration of sensitive user data that should be restricted by visibility settings. No patch is currently available for affected deployments.

Authentication Bypass Information Disclosure Discourse
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

The discourse-policy plugin in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 fails to verify user permissions when processing policy actions, allowing authenticated users to accept or reject policies on posts they cannot access in private categories or private messages. Attackers can exploit this authorization bypass to manipulate policies on restricted content and enumerate post IDs with policies through error message differences. The vulnerability requires authentication but affects the confidentiality and integrity of policy-protected discussions.

Information Disclosure Discourse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder contains a security vulnerability (CVSS 6.5).

Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

PcVue versions 12.0.0 through 16.3.3 lack Secure and SameSite cookie attributes in the GraphicalData web services and WebClient application, enabling attackers to intercept session cookies over unencrypted connections and perform cross-site request forgery attacks. This vulnerability affects organizations using the affected PcVue versions and could allow unauthorized actions on behalf of authenticated users. No patch is currently available for this medium-severity issue.

Information Disclosure Pcvue
NVD
EPSS 0% CVSS 7.5
HIGH This Week

PcVue versions 12.0.0 through 16.3.3 use the deprecated OAuth Resource Owner Password Credentials flow in their web services, enabling remote attackers to steal user credentials without authentication or user interaction. The vulnerability affects WebVue, WebScheduler, TouchVue, and Snapvue components and carries a high severity rating with no patch currently available.

Information Disclosure Pcvue
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

PcVue versions 12.0.0 through 16.3.3 lack origin validation on WebSocket connections in the GraphicalData service, enabling cross-site WebSocket hijacking attacks against authenticated users. An attacker can trick a logged-in user into visiting a malicious site to compromise the confidentiality and integrity of their PcVue session. No patch is currently available for this medium-severity vulnerability.

Information Disclosure Pcvue
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

The Terraform Provider for Linode prior to version 3.9.0 exposes sensitive credentials including passwords and API tokens in debug logs when debug logging is explicitly enabled. Authenticated attackers with access to these logs through CI/CD pipelines, log aggregation systems, or shared debug output can extract exposed secrets. This vulnerability requires an authenticated user and debug logging activation, making it exploitable primarily in environments where logging is intentionally enabled for troubleshooting.

Information Disclosure Linode Provider Suse
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

s standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions up to 1.3.1. contains a security vulnerability.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Zitadel versions 2.31.0 through 3.4.6 and 4.10.x accept truncated opaque OIDC access tokens as valid when shortened to 80 characters, allowing attackers to bypass token validation and gain unauthorized access to protected resources. This affects deployments using the v2 token format where the symmetric encryption scheme fails to properly validate token length, enabling token forgery or reuse attacks.

Information Disclosure Zitadel Suse
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Session hijacking in Manyfold prior to version 0.133.0 allows unauthenticated attackers to steal user session cookies through proxy cache leakage, potentially gaining unauthorized access to self-hosted 3D model collections. Public exploit code exists for this vulnerability, and no patch is currently available for affected versions. This attack requires user interaction and can result in complete account compromise without data modification capabilities.

Information Disclosure Manyfold
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Improper access control in the Role Handler component of fosrl Pangolin up to version 1.15.4-s.3 allows authenticated remote attackers to bypass role and API key verification checks. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to gain unauthorized access to protected functionality. Users should upgrade to version 1.15.4-s.4 or later to remediate this issue.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

Weak password policy in Vikunja task management before 2.0.0 allows users to set trivially guessable passwords. PoC available.

Information Disclosure Vikunja Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 7.5 HIGH]

Buffer Overflow Information Disclosure Freerdp +2
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 4.3 MEDIUM]

Denial Of Service Information Disclosure Freerdp +2
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Rucio's WebUI login endpoint prior to versions 35.8.3, 38.5.4, and 39.3.1 discloses whether usernames exist through differential error messages, enabling unauthenticated attackers to enumerate valid accounts. Public exploit code exists for this username enumeration vulnerability. The issue affects all unpatched Rucio installations and requires upgrading to the fixed versions.

Information Disclosure Rucio
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Devolutions Server 2025.3.14 and earlier stores sensitive user account information in plaintext within the database, enabling attackers with database access to extract this data without authentication. This vulnerability affects deployments where database security is compromised or where privileged users have malicious intent. No patch is currently available.

Information Disclosure Devolutions Server
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR versions prior to 8.0.0 contain an authorization bypass in the FHIR CareTeam endpoint that allows authenticated users with patient-scoped tokens to retrieve care team information for all patients rather than only their own, potentially exposing Protected Health Information across the entire system. The vulnerability exists because the service fails to enforce patient compartment filtering, and public exploit code is available. Security professionals should prioritize patching to version 8.0.0 or later to prevent unauthorized PHI disclosure.

Information Disclosure Openemr
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Misconfigured firewall rules in Meraki MR9600 (1.0.4.205530) and MX4200 (1.0.13.210200) routers accept WAN connections on source port 5222, allowing unauthenticated remote attackers to access services normally restricted to the local network. An attacker can leverage this to gain unauthorized access to sensitive internal services and information. No patch is currently available to remediate this vulnerability.

Information Disclosure
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Incorrect permission assignment on critical resources in Juniper Networks On-Box Anomaly detection framework. Allows unauthorized modification of anomaly detection configuration, potentially disabling security monitoring.

Juniper Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Catalyst SD-WAN Manager contains a vulnerability that allows attackers to access another affected system and gain DCA user privileges (CVSS 7.5).

Cisco Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Improper RSA signature validation in Ethereum Name Service (ENS) versions 1.6.2 and earlier allows attackers to forge DNS signatures for domains under .cc and .name TLDs, enabling unauthorized domain claims on ENS without actual DNS ownership. The vulnerability exploits Bleichenbacher's 2006 attack against RSA keys with low public exponents (e=3), which are used by these two TLDs' Key Signing Keys. No patch is currently available, leaving affected domains vulnerable to takeover attacks.

Information Disclosure Ethereum Name Service
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Telerik UI for ASP.NET AJAX versions up to 2026.1.225 contain a vulnerability that allows attackers to cause collisions and file content tampering (CVSS 5.3).

Information Disclosure Telerik Ui For Asp.Net Ajax
NVD
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

Improper authorization in Sz Boot Parent up to version 1.3.2-beta allows authenticated attackers to reset arbitrary user passwords by manipulating the userId parameter in the password reset API endpoint. Public exploit code exists for this vulnerability, enabling remote password reset attacks against any user account. Upgrade to version 1.3.3-beta or later to remediate.

Information Disclosure Sz Boot Parent
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW Monitor

In JetBrains TeamCity before 2025.11.3, disabling versioned settings left a credentials config on disk. [CVSS 2.3 LOW]

Information Disclosure
NVD
EPSS 0%
Monitor

An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to pre-create a directory to achieve various effects like:

  • gain access to possible private information found in /var/lib/pcrlock.d
  • manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored.

Information Disclosure
NVD
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Path traversal in Kubernetes PersistentVolume creation via pathPattern parameter allows creating volumes in arbitrary host filesystem locations. CVSS 9.9 with scope change.

Information Disclosure Suse
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM This Month

Configuration Manager versions up to 11.0.4-00 are affected by insertion of sensitive information into a log file (CVSS 4.7).

Information Disclosure Configuration Manager Ops Center Api Configuration Manager
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

FileBrowser Quantum versions prior to 1.1.3-stable and 1.2.6-beta expose a password bypass vulnerability in shared files, allowing unauthenticated recipients to download protected content by accessing the direct download link embedded in share details. An attacker possessing only the share link can retrieve files without providing the intended password, completely circumventing access controls. Public exploit code exists for this vulnerability, and patches are available in the patched versions.

Information Disclosure Filebrowser Quantum Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 improperly cache master keys and read-only master keys using identical cache identifiers, allowing authenticated users to obtain privilege escalation by retrieving cached credentials not intended for their access level under race conditions. An attacker with read-only dashboard access could retrieve the full master key, while regular users could access the read-only master key, compromising Parse Server security boundaries. The vulnerability requires low privileges and specific timing conditions but is fixed in version 9.0.0-alpha.8.

Information Disclosure AI / ML Parse Dashboard
NVD GitHub
EPSS 0% CVSS 4.5
MEDIUM PATCH This Month

OpenEMR versions prior to 8.0.0 expose complete contact details for all users, organizations, and patients to authenticated attackers with specific FHIR export and location read permissions. The vulnerability requires administrator-enabled OAuth2 confidential client access, limiting exploitation to high-trust server-to-server integrations with established relationships. This information disclosure affects OpenEMR deployments since 2023 and can be mitigated by upgrading to version 8.0.0 or later.

Information Disclosure Openemr
NVD GitHub
EPSS 0% CVSS 5.2
MEDIUM This Month

Configuration Manager versions up to 11.0.5-00 are affected by insertion of sensitive information into a log file (CVSS 5.2).

Information Disclosure Ops Center Api Configuration Manager Device Manager +1
NVD
EPSS 0% CVSS 5.0
MEDIUM POC PATCH This Month

OpenEMR versions up to 7.0.4 are affected by user interface (UI) misrepresentation of critical information (CVSS 5.0).

Information Disclosure Openemr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Devolutions Server 2025.3.14.0 and earlier contains insufficient access control in REST API endpoints that enables authenticated view-only users to retrieve sensitive connection data they should not access. An attacker with basic authentication credentials could exploit this to gain unauthorized visibility into protected connection information, compromising confidentiality without requiring user interaction or elevated privileges.

Authentication Bypass Information Disclosure Devolutions Server
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

NVIDIA Delegated Licensing Service on all appliance platforms contains an authentication bypass that allows adjacent network attackers to access sensitive information without credentials. The vulnerability requires no user interaction and affects the confidentiality of the service, though no patch is currently available.

Information Disclosure Delegated License Service
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

NATS Server versions prior to 2.11.2 and 2.12.3 fail to properly limit memory allocation during WebSocket compression, allowing unauthenticated attackers to trigger denial of service through compression bomb attacks that exhaust server memory. The vulnerability is exploitable pre-authentication since compression negotiation occurs before credential validation. A patch is available in versions 2.11.2 and 2.12.3.

Information Disclosure Nats Server Redhat +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Binardat 10G08-0800GSM network switch firmware versions before V300SP10260209 expose user credentials by storing passwords as reversible Base64-encoded values in web interface cookies, allowing unauthenticated attackers with cookie access to recover plaintext passwords. This high-severity vulnerability affects confidentiality of administrative credentials with no available patch, creating significant risk for network infrastructure compromise.

Information Disclosure 10g08 0800gsm Firmware
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Binardat 10G08-0800GSM network switches version V300SP10260209 and earlier expose a hardcoded RC4 encryption key in client-side JavaScript, allowing unauthenticated remote attackers to decrypt sensitive configuration data and compromise network confidentiality. The static key weakness eliminates the intended cryptographic protection for protected values transmitted to and from the device.

Information Disclosure 10g08 0800gsm Firmware
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Binardat 10G08-0800GSM network switch firmware prior to V300SP10260209 stores administrative credentials in plaintext within the web interface and HTTP responses, enabling unauthenticated attackers to extract valid user passwords. This information disclosure vulnerability affects network administrators and can lead to unauthorized access to critical network infrastructure. No patch is currently available.

Information Disclosure 10g08 0800gsm Firmware
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Predictable session identifiers in Binardat 10G08-0800GSM network switch. Numeric session IDs are easily guessable, enabling session hijacking.

Information Disclosure 10g08 0800gsm Firmware
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update. This issue affects Time Provider 4100: before 2.5. [CVSS 4.1 MEDIUM]

Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Actual is a local-first personal finance tool. [CVSS 7.5 HIGH]

Authentication Bypass Information Disclosure Actual
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Uninitialized memory read in Firefox Graphics Text component before 148. Text rendering may expose uninitialized memory contents.

Mozilla Information Disclosure
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Invalid pointer in Firefox DOM Core & HTML before 148. Incorrect pointer computation leads to memory access errors.

Mozilla Memory Corruption Information Disclosure
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

A use-after-free vulnerability in Firefox and Thunderbird's JavaScript WebAssembly engine allows remote attackers to achieve information disclosure or data manipulation through a malicious webpage or email attachment that requires user interaction. Affected versions include Firefox below 148 and Thunderbird below 148, with no patch currently available. The vulnerability has a network attack vector with low complexity and carries a CVSS score of 5.4.

Use After Free Memory Corruption Mozilla +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The Settings UI component in Firefox and Thunderbird versions prior to 148 fails to properly restrict access to sensitive configuration data, enabling unauthenticated attackers to remotely disclose confidential information without user interaction. This vulnerability bypasses existing security mitigations designed to protect user settings and preferences. No patch is currently available for affected users.

Information Disclosure Mozilla
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Firefox and Thunderbird versions below 148 contain a race condition in the JavaScript garbage collection component that could allow an attacker to access or modify limited data through specially crafted content requiring user interaction. The vulnerability has a CVSS score of 4.2 and currently lacks an available patch.

Race Condition Mozilla Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper boundary condition handling in the JavaScript/WebAssembly engine of Firefox and Thunderbird before version 148 enables remote denial of service attacks without requiring user interaction or privileges. An attacker can crash affected applications or cause service unavailability by sending specially crafted content. No patch is currently available.

Mozilla Information Disclosure
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Firefox DOM Core & HTML before 148. DOM object lifecycle error.

Use After Free Memory Corruption Mozilla +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A use-after-free vulnerability in Firefox and Thunderbird's DOM processing allows remote attackers to execute arbitrary code through a malicious webpage or email attachment, requiring only user interaction to trigger. This affects Firefox versions below 148 and Thunderbird versions below 148, with no patch currently available.

Use After Free Memory Corruption Mozilla +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Firefox JavaScript GC before 148. Second GC UAF, different from CVE-2026-2795.

Use After Free Memory Corruption Mozilla +1
NVD
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

JIT miscompilation in Firefox WebAssembly before 148. The JIT compiler generates incorrect Wasm code, enabling type confusion. PoC available.

Mozilla Memory Corruption Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Firefox JavaScript GC component before 148. GC-specific UAF affecting only mainline Firefox and Thunderbird.

Use After Free Memory Corruption Mozilla +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uninitialized memory in Firefox and Firefox Focus for Android versions prior to 148 enables remote attackers to read sensitive data without authentication or user interaction. The vulnerability allows information disclosure through memory that was not properly cleared before use, potentially exposing confidential user information to network-based attackers.

Information Disclosure Mozilla Google
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Firefox ImageLib graphics component before 148. Image processing triggers use of freed memory.

Use After Free Memory Corruption Mozilla +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Firefox DOM Window and Location component before 148. Window/Location lifecycle management error.

Use After Free Memory Corruption Mozilla +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Firefox JavaScript Engine before 148. Fourth distinct JS engine UAF in this release.

Use After Free Memory Corruption Mozilla +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Invalid pointer in Firefox JavaScript Engine before 148. Incorrect pointer computation leads to memory corruption.

Mozilla Memory Corruption Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated attackers can extract sensitive information from Firefox and Thunderbird users through a JavaScript engine JIT compilation flaw, affecting all versions prior to Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. The vulnerability requires no user interaction and can be exploited remotely over the network. No patch is currently available for this high-severity flaw.

Information Disclosure Memory Corruption Mozilla
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Firefox Audio/Video Playback component before 148. Media playback triggers memory corruption.

Use After Free Memory Corruption Mozilla +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Undefined behavior in Firefox DOM Core & HTML component before 148. Can lead to memory corruption and potential code execution.

Buffer Overflow Mozilla Information Disclosure
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Firefox DOM Bindings (WebIDL) component before 148. Memory corruption in the interface between JavaScript and native DOM objects.

Use After Free Memory Corruption Mozilla +1
NVD

Quick Facts

Typical Severity: MEDIUM
Category: other
Total CVEs: 12800
