Skip to main content

Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (66671)

EPSS 0% CVSS 2.1
LOW POC Monitor

Insufficient session expiration in LiteLLM's SSO authentication flow exposes deployments running versions 1.82.0 through 1.82.2 to unauthorized persistent session access by low-privileged authenticated users. The flaw resides in the `get_redirect_response_from_openid` function within the OpenID Connect callback handling code, allowing manipulation of the SSO redirect response to bypass session lifetime enforcement. No confirmed active exploitation (not in CISA KEV), but a publicly available proof-of-concept exploit on GitHub lowers the barrier to abuse, and the CVSS 4.0 vector explicitly encodes the exploit availability modifier E:P.

Information Disclosure Litellm
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Improper session authorization in the Linux kernel's in-kernel SMB3 server (ksmbd) lets an authenticated SMB client reach sessions it never bound to. Because the connection-wide conn->binding flag stays set after a binding SESSION_SETUP, the global lookup in ksmbd_session_lookup_all() would resolve any session by ID, allowing a low-privileged remote user to access another user's session (Information Disclosure tagged). No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and it is not in CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Insufficient session expiration in LiteLLM's proxy authentication layer (versions 1.82.0 through 1.82.2) allows remote low-privileged users to reuse or manipulate session tokens generated by the PROXY_ADMIN API Key Generator beyond their intended validity window. The flaw resides in the `authenticate_user` function within `litellm/proxy/auth/login_utils.py`, where session/API key lifecycle management does not enforce expiration correctly per CWE-613. A public proof-of-concept exploit exists (GitHub gist), though no active exploitation has been confirmed via CISA KEV. The CVSS 4.0 score of 2.1 reflects a limited real-world blast radius despite the network-accessible attack vector.

Information Disclosure Litellm
NVD VulDB GitHub
EPSS 0% CVSS 3.7
LOW Monitor

Information disclosure in GNU Savane's file-serving layer (frontend/php/file.php) allows network-accessible, unauthenticated remote attackers to bypass file authorization controls by supplying untrusted user-controlled data that the application incorrectly treats as authoritative in its access decision logic. Affected installations span Savane 3.14 through 3.17, confirmed by EUVD-2026-38135 and acknowledged via an FSF public statement. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the AC:H CVSS rating suggests non-trivial exploitation rather than a trivially automated mass-scan scenario.

Information Disclosure Savane
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Host header injection in Apache NiFi 0.0.1 through 2.9.0 enables network-accessible clients to supply arbitrary values via X-ProxyHost and X-Forwarded-Host HTTP headers, causing the application to construct attacker-controlled qualified URLs used in HTTP redirects and data references. Although NiFi introduced an allowlist-based Host header control (nifi.web.proxy.host) in version 1.6.0, that validation was never extended to the alternative proxy and forwarded headers, leaving a persistent gap across roughly a decade of releases. No public exploit code has been identified at time of analysis and CVE-2026-54665 is not listed in CISA KEV; practical risk centers on open-redirect abuse, link manipulation, and potential bypass of same-origin assumptions rather than direct code execution.

Apache Information Disclosure Nifi
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Tenant isolation is broken in Capgo's statistics API before version 12.128.2, allowing authenticated holders of app-limited API keys to enumerate app IDs belonging to other tenants across the platform. The GET /statistics/app/:app_id endpoint returns distinct error codes depending on whether a target app exists (500 PGRST116) or is entirely nonexistent (401), creating an oracle that maps real app IDs outside the caller's authorized scope. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the authenticated requirement and limited confidentiality impact.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Broken cursor pagination in Capgo's /private/devices endpoint on the Cloudflare/workerd runtime path allows authenticated attackers with app.read_devices permission to trigger infinite duplicate-page loops, making later dataset rows permanently unreachable for affected sessions. All Capgo versions before 12.128.12 are vulnerable, and the impact is operational: device-management workflows repeatedly process the same duplicate records while failing to advance through the full dataset. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.3 (Medium) reflects limited, availability-only impact scoped to the vulnerable system.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated access to Capgo's /replication HTTP endpoint exposes internal PostgreSQL replication telemetry to any remote attacker, affecting all versions prior to 12.128.2. Attackers can retrieve replication slot names, WAL LSN positions (confirmed_flush_lsn, restart_lsn), and database error messages without supplying any credentials, enabling database infrastructure reconnaissance. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-complexity unauthenticated attack vector makes opportunistic scanning against internet-exposed Capgo deployments trivially feasible.

Information Disclosure PostgreSQL Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated PII exposure in Flowise's forgot-password API endpoint allows remote attackers to harvest user objects containing IDs, full names, email addresses, account status, and timestamps by submitting any known or guessed email address. All Flowise releases prior to 3.0.13 are affected via the POST /api/v1/account/forgot-password endpoint, which returns a sanitized but data-rich user object instead of a generic acknowledgment. No public exploit has been identified at time of analysis per CISA KEV, though the GHSA advisory (GHSA-jc5m-wrp2-qq38) includes a working curl-based proof-of-concept demonstrating the full response.

Information Disclosure Flowise
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-tenant information disclosure in Capgo (cap-go/capgo) before version 12.128.2 exposes per-organization usage telemetry to any caller holding the publicly distributed Supabase API key. Three PostgREST RPC functions - get_app_metrics, get_global_metrics, and get_total_metrics - are granted to the Supabase anon role without enforcing org membership or permission checks, allowing queries against arbitrary org_id values to return MAU, bandwidth, installs, and app IDs belonging to other tenants. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; a vendor-released patch exists at version 12.128.2.

Information Disclosure Oracle Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Capgo before version 12.128.2 exposes user physical location by retaining EXIF GPS metadata in uploaded images without sanitization. Unauthenticated remote attackers can download images hosted on affected Capgo instances and extract embedded latitude/longitude coordinates, revealing where users were physically located at the time of photo capture. No public exploit is identified at time of analysis, and a vendor patch is available in version 12.128.2.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Preview subdomain resolution in Capgo before 12.128.2 is susceptible to app-id confusion because the resolver uses PostgreSQL's ILIKE operator - which treats underscores as single-character wildcards - instead of exact equality matching for app_id lookups. An authenticated attacker who can register a Capgo application can craft an app_id with strategically placed underscores that collide with a victim application's identifier, hijacking preview subdomain resolution and breaking preview functionality for the targeted app. No public exploit code exists and no active exploitation has been confirmed (KEV absent); the CVSS 4.0 score of 2.3 reflects genuinely low real-world risk constrained by high attack complexity, required authentication, and limited availability-only impact.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncpy, leaving no NUL terminator. Downstream callers run strlen() on the result and pass the inflated length to newSVpvn(), copying attacker-influenced adjacent heap bytes into a Perl scalar.

OpenSSL Information Disclosure Crypt +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers enumerate organizations and reveal billing status by invoking the Supabase PostgREST RPC endpoints is_trial_org and is_paying_org with the publicly distributed sb_publishable key. The flaw is reachable directly over the network without credentials and produces distinguishable responses that identify paying customers, enabling targeted profiling; no public exploit identified at time of analysis.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a victim's email address before that email is verified, then lock the legitimate owner out by enabling two-factor authentication on the squatted account. The flaw stems from a CWE-640 weak password recovery / account-binding logic issue and carries a CVSS 4.0 score of 9.3; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-tenant data exposure in Capgo before 12.128.2 lets an authenticated org-scoped read API key reach other tenants' PostgREST endpoints and pull HMAC webhook signing secrets plus delivery logs. Disclosed by VulnCheck with a vendor GitHub Security Advisory (GHSA-hj3h-v877-g5rx); no public exploit identified at time of analysis, and the secrets retrieved enable subsequent forgery of authentic-looking webhook events against victim organizations.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Information disclosure in GitHub Copilot Chat for Visual Studio Code (versions 1.0.0 up to but not including 1.123.2) lets a remote, unauthenticated attacker read sensitive data over a network because an insecure default configuration exposes a resource that should be protected. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect. There is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.53% (40th percentile).

Information Disclosure Github Copilot Chat
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Incomplete session termination in Langflow (pip/langflow < 1.7.0) leaves authentication cookies active after logout on shared machines, allowing any subsequent browser user to resume the previous session without credentials. The `/logout` endpoint issued cookie-deletion calls without matching the `httponly`, `samesite`, `secure`, and `domain` attributes used at cookie creation, causing browsers to silently ignore the deletion; the frontend compounded this by also failing to clear `access_token_lf` and `refresh_token_lf` from storage. No public exploit code has been separately catalogued, though the PoC is trivially reproducible (click Logout, press refresh), and the vulnerability is not listed in CISA KEV.

Information Disclosure
NVD GitHub VulDB
EPSS 0% 4.7 CVSS 8.4
HIGH POC KEV PATCH THREAT Act Now

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing the victim's flow UUID as the `model` value to the `/api/v1/responses` endpoint, exposing data the victim's flow processes and consuming their resources. The flaw is an Insecure Direct Object Reference (CWE-639) in the `get_flow_by_id_or_endpoint_name` helper, which skipped ownership checks on the UUID lookup path. Publicly available exploit code exists (a working curl PoC), and the input lists it as confirmed actively exploited (CISA KEV), though the SSVC exploitation status of 'poc' and a low 0.24% EPSS complicate that claim (see risk_assessment).

Python Authentication Bypass Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial-of-service via decompression bomb in py7zr, the pure-Python 7-Zip library, affects all versions up to and including 1.1.2. The library's Worker.decompress() writes extracted data to disk or memory without tracking cumulative decompressed size, so a tiny crafted .7z (demonstrated at a 6,556:1 ratio - 15.6 KB expanding to 100 MB) can exhaust disk or RAM on any application that extracts untrusted archives. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but the issue is not listed in CISA KEV; CVSS 4.0 rates it 8.7 (High) with pure availability impact.

Python Ubuntu Information Disclosure
NVD GitHub VulDB
CVSS 6.8
MEDIUM PATCH This Month

Token exfiltration in dbt-mcp's embedded OAuth helper server (versions before 1.20.0) allows any co-located process or DNS-rebinding attacker to retrieve a victim's full dbt Cloud access and refresh tokens via a single unauthenticated HTTP GET request. Developers running dbt-mcp in OAuth mode on any shared or browser-accessible host are affected for the entire lifetime of the OAuth helper process following a completed login flow. No public exploit identified at time of analysis, though the GitHub security advisory (GHSA-jr33-mw75-7j8f) includes a fully functional Docker-based PoC with step-by-step reproduction artifacts, substantially lowering the exploitation barrier.

Python CSRF Information Disclosure +2
NVD GitHub
MEDIUM PATCH This Month

Craft Commerce's CartController exposes a coupon code brute-force vector by conditionally applying rate limiting only when the 'number' parameter is present in a request. Unauthenticated attackers targeting the session-based cart endpoint can omit the 'number' parameter entirely, bypassing IP-based rate limiting and submitting unlimited coupon code guesses via automated requests. Affected versions span the entire 4.x line through 4.11.1 and the 5.x line through 5.6.4; a proof-of-concept is referenced in the advisory, and no public exploit identified at time of analysis beyond the disclosed PoC reproduction steps.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authenticated principal impersonation in CoreWCF (versions >=1.9.0, <1.9.1) occurs because the SPNEGO SecurityContextToken proof key returned in the RequestSecurityTokenResponse (RSTR) is wrapped without confidentiality protection, allowing any on-path observer to recover it. An attacker who captures the unprotected handshake can impersonate the authenticated Windows principal for the SCT lifetime (~10 hours) and decrypt or forge subsequent WS-SecureConversation traffic. No public exploit identified at time of analysis, but the vendor-confirmed advisory (GHSA-2288-8h3r-cqgg) and CVSS 7.4 indicate a meaningful confidentiality/integrity exposure for affected .NET WCF replacement deployments.

Microsoft Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authentication bypass via XML Signature Wrapping in CoreWCF allows attackers who capture a single signed SOAP envelope to replay arbitrary operations as the victim principal for the lifetime of the signing key. The flaw affects CoreWCF.Primitives versions below 1.8.1 and the 1.9.0 line below 1.9.1, defeating the DetectReplays mitigation because the attacker forges a fresh wsse:Security timestamp rather than reusing the original. No public exploit identified at time of analysis, but the vendor advisory (GHSA-gqv6-pwcg-87r8) provides sufficient technical detail to reproduce.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

WS-Security DigestMethod validation in CoreWCF's receive pipeline can be bypassed, allowing a remote sender to present XML Digital Signatures that use cryptographically weak per-reference hash algorithms (e.g., SHA-1) even when the configured SecurityAlgorithmSuite explicitly prohibits them. Affected are all CoreWCF.Primitives releases below v1.8.1 and the 1.9.0 release (pre-1.9.1). The service silently accepts these weakened signatures as policy-compliant, undermining the integrity guarantees that the algorithm suite is designed to enforce. No public exploit or CISA KEV listing exists; the vendor has released patches in v1.8.1 and v1.9.1 with no available workaround.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

SAML token replay protection in CoreWCF.Primitives is silently inoperative when DetectReplayedTokens is explicitly enabled, allowing replay attacks to succeed against WCF services using SAML-based federated authentication. Affected versions of the NuGet package CoreWCF.Primitives include all releases before 1.8.1 and the 1.9.0 release prior to 1.9.1. A network-accessible attacker in possession of a valid, unexpired SAML token can replay it to impersonate a legitimate user, defeating the only control operators may have believed was protecting against token theft - no public exploit code has been identified, and this is not listed in CISA KEV.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Local named pipe interception in CoreWCF.NetNamedPipe allows an authenticated local attacker to hijack WCF inter-process communication by winning a TOCTOU race condition. Affected versions expose a window between GUID publication to shared memory and named pipe creation, during which an attacker can pre-create the pipe and silently intercept or manipulate all NetNamedPipe transport traffic. No public exploit or active exploitation has been identified; fixed versions 1.8.1 and 1.9.1 are available from the vendor.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Persistent denial-of-service in CoreWCF.Kafka allows any attacker with write access to a consumed Kafka topic to permanently halt message processing by publishing a single null-value (tombstone) record. Affected versions span all CoreWCF.Kafka releases below 1.8.1 and the 1.9.0 release prior to 1.9.1. The consume pump exits without recovery on the uncaught exception, meaning the endpoint remains silently dead until the service process is manually restarted - no exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Signature substitution in CoreWCF's WS-Security message processing allows a remote unauthenticated attacker to replace the server's cryptographic integrity check with a signature of the attacker's choosing, effectively forging authenticated SOAP messages. Affected versions of CoreWCF.Primitives perform a document-wide lookup for ds:Signature elements rather than scoping verification to the wsse:Security header, so an attacker-injected signature in a preceding SOAP header is found and verified first. Exploitation is constrained by two non-default server-side prerequisites, limiting widespread risk on generic deployments, but the integrity bypass is complete where those conditions are met. No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis.

Jwt Attack Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Heap use-after-free in the Oj Ruby JSON parser allows malicious SAJ/SAJ2 callback handlers to dereference freed memory by mutating the input JSON string mid-parse, potentially leading to memory disclosure or arbitrary code execution within the Ruby process. The flaw affects the oj gem at versions below 3.17.2 and is triggered when a callback such as hash_start invokes String#replace with a larger payload, causing Ruby to reallocate the backing buffer that the C parser still references. No public exploit identified at time of analysis, but a fully working reproducer is published in the upstream GHSA advisory.

Use After Free Memory Corruption Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Oj Ruby JSON parser (versions <3.17.3) allows remote unauthenticated attackers to crash any process that parses untrusted JSON via Oj::Doc.open followed by a recursive each_child call. A deeply nested JSON document drives doc->where past the 100-element where_path array, causing a subsequent memcpy to overflow an 800-byte stack buffer and trigger the stack canary (SIGABRT). No public exploit identified at time of analysis beyond the vendor-published PoC, and EPSS data was not supplied; the issue is not listed in CISA KEV.

Denial Of Service Information Disclosure Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in jupyterlab-git 0.53.0 and earlier allows authenticated JupyterLab users to read admin-excluded git directories on case-insensitive filesystems (macOS APFS, Windows NTFS) by altering the case of URL path segments. The `GitHandler.prepare()` check uses `fnmatch.fnmatchcase()`, which is unconditionally case-sensitive, while the underlying filesystem resolves case-varied paths to the same location. Publicly available exploit code exists (PoC published with the GHSA advisory), but no public exploit identified in active exploitation feeds.

Python Microsoft Apple +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stack memory disclosure in the Oj RubyGem (all versions before 3.17.3) allows remote unauthenticated callers to recover uninitialized process stack contents by supplying a JSON object with keys of 254 bytes or longer to `Oj.load` in `:object` mode. The root cause is a copy-paste defect in `ext/oj/intern.c` where `form_attr()` allocates and fills a correct heap buffer `b` but then erroneously passes the uninitialized 256-byte stack buffer `buf` to `rb_intern3()`, causing leaked bytes to surface in the returned Symbol or an `EncodingError` message. A proof-of-concept is publicly available in the GHSA advisory; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Information Disclosure Buffer Overflow
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

{device_id}`. The KonnectedView HTTP endpoint sets `requires_auth = False` and only enforces Bearer-token validation on POST/PUT methods, leaving the GET handler entirely unauthenticated. Publicly available exploit code exists in the form of a detailed reporter-published proof of concept against Home Assistant Core 2026.5.2.

Python Microsoft Information Disclosure +2
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in the Faraday Ruby HTTP client library (versions up to and including 2.14.2) allows remote attackers to crash worker threads by submitting query strings with deeply nested bracket-notation parameters. The Faraday::NestedParamsEncoder recursively walks attacker-controlled nested Hash structures without a depth ceiling, raising an uncaught SystemStackError at roughly 3,000+ levels of nesting (~9.4 KB payload). Publicly available exploit code exists in the GHSA-98m9-hrrm-r99r advisory itself; no public exploit identified at time of analysis in the active-exploitation sense, and impact is limited to availability - no RCE, auth bypass, or data disclosure, despite the input tags listing those categories.

Denial Of Service Authentication Bypass Information Disclosure +1
NVD GitHub
CVSS 6.9
MEDIUM PATCH This Month

Symfony/ux-live-component's LiveComponentHydrator computes HMAC checksums over prop key/value pairs alone, omitting the component name and slot identifier, enabling cross-component and cross-slot HMAC replay attacks. Any user able to interact with a LiveComponent-enabled page can capture a valid signed props blob minted for component A and submit it as component B's props (when key names overlap), or substitute a `props` blob into the `propsFromParent` slot, bypassing read-only prop integrity protection and forcing server-side component state to attacker-chosen values. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Information Disclosure
NVD GitHub
CVSS 6.9
MEDIUM PATCH This Month

Unescaped SQL LIKE wildcards in symfony/ux-autocomplete allow unauthenticated network attackers to turn the autocomplete endpoint into a broad data matcher or blind boolean oracle against all entity columns. Because BaseEntityAutocompleteType defaults to security => false and searchable_fields defaults to all entity properties, versions >= 2.2.0 < 2.36.0 and >= 3.0.0 < 3.1.0 expose potentially sensitive entity data to any caller who sends % or _ as the query parameter. No public exploit has been identified at time of analysis, but the attack requires only standard HTTP tooling; patches are available in 2.36.0 and 3.1.0.

SQLi Information Disclosure Oracle
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper input validation in ProxySQL versions 3.0.0 through 3.0.8 lets MCP callers bypass the GenAI `run_sql_readonly` tool's read-only contract by submitting multi-statement payloads such as `SELECT 1; RENAME TABLE x TO y`, which execute in full because the backend connection enables `CLIENT_MULTI_STATEMENTS`. An attacker reaching the `/mcp/query` endpoint can perform writes and administrative SQL up to the privileges of the configured MCP backend account. No public exploit identified at time of analysis, though the upstream advisory documents a successful live test against the endpoint.

PostgreSQL Information Disclosure Proxysql
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Heap use-after-free in the Oj Ruby JSON parser (versions prior to 3.17.3) is triggered when an application toggles the symbol_keys option from true to false on a reused Oj::Parser instance. The opt_symbol_keys_set function frees the internal key cache via cache_free but fails to NULL the d->key_cache pointer, so the next parse call dereferences freed memory through cache_intern, potentially leading to memory disclosure, crashes, or controlled corruption. No public exploit identified at time of analysis, and the issue is documented in GitHub Security Advisory GHSA-2cw7-v8ff-p88r.

Use After Free Memory Corruption Information Disclosure
NVD GitHub
CVSS 6.9
MEDIUM PATCH This Month

Business logic bypass in Symfony UX LiveComponent (symfony/ux-live-component) allows any client to manipulate writable `#[LiveProp]` date fields to arbitrary points in time by submitting relative PHP date strings such as '+10 years' or 'tomorrow' - inputs the application would never generate legitimately. Applications that gate time-sensitive features (trial periods, discount windows, scheduling logic, subscription expiry) on these date props are exposed to unauthorized temporal state manipulation. No public exploit has been identified and no CVSS has been assigned by the vendor, but the attack surface exists wherever writable format-less DateTimeInterface props are present in security-relevant components.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in Mercator information system mapping application prior to version 2025.05.19 allows any authenticated user - including the read-only Auditor role - to query arbitrary Eloquent models via the unprotected `/admin/queries/execute` endpoint. The flaw permits enumeration of the `User` model and even allows the supposedly `$hidden` `password` column to be probed via `LIKE` filter predicates, enabling blind extraction of password hashes. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q3r8-3h7c-96w3) confirms the issue and ships a fix.

Information Disclosure Mercator
NVD GitHub VulDB
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

Credential leakage in @microsoft/kiota-http-fetchlibrary versions 1.0.0-preview.97 through 1.0.0-preview.101 causes Bearer tokens and session cookies to be forwarded to attacker-controlled cross-origin redirect destinations because the default RedirectHandler's header-scrubbing logic silently fails: FetchRequestAdapter lowercases all header keys before the middleware sees them, but scrubSensitiveHeaders performs PascalCase deletes (delete headers.Authorization), targeting keys that no longer exist. This flaw is present in the default middleware chain with no opt-in configuration required, affecting every kiota-generated TypeScript SDK - including Microsoft Graph clients - that uses BaseBearerTokenAuthenticationProvider or any auth provider that sets the Authorization header. Proof-of-concept code exists (CVSS 4.0 E:P), and a vendor patch is available in version 1.0.0-preview.102; no active exploitation has been confirmed in the CISA KEV at time of analysis.

Microsoft Information Disclosure Kiota Typescript
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthorized resource disclosure in Statamic CMS allows any authenticated Control Panel user to read metadata and content for entries, assets, users, roles, and groups beyond their assigned permissions. All v5 releases prior to 5.73.23 and all v6 releases prior to 6.20.0 are affected. Exploitation is read-only - no data can be modified - and no public exploit has been identified at time of analysis, but the flaw is significant for multi-tenant deployments relying on Statamic's role-based access controls to segregate content.

Information Disclosure Cms
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Joomla Com Booking Component
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Joomproject
NVD Exploit-DB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Integrity and availability loss in Statamic CMS versions prior to 5.73.23 and 6.20.0 allows remote attackers to destroy content and assets by manipulating sort parameters that flow into in-memory collection sorting. This is an incomplete-fix follow-up to CVE-2026-41175 (CWE-470, unsafe reflection / method invocation), where the original patch covered the query builder but not the in-memory sort path. No public exploit identified at time of analysis and not in CISA KEV; exploitation requires a non-default template configuration that pipes visitor input into a tag's sort parameter.

Information Disclosure Cms
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Out-of-bounds heap read in libaom's SVC layer ID control function allows remote attackers to leak approximately 40,728 bytes of heap memory or crash AV1 encoder processes by supplying a spatial_layer_id value exceeding the configured number of scalable video coding layers. The flaw affects network-facing services that pass attacker-influenced SVC encoder parameters into the reference AV1 codec, enabling information disclosure or denial of service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds heap read in libheif's uncompressed HEIF decoder allows a remote attacker to crash any application processing crafted HEIF files. Versions prior to 1.22.1 fail to safely validate icef compressed-unit offsets because the addition of unit_offset + unit_size can integer-wrap, bypassing the range check and permitting a C++ vector to be constructed from iterators pointing outside the compressed item buffer. Exploitation requires a user or automated pipeline to open an attacker-supplied HEIF file; no public exploit or CISA KEV listing exists at time of analysis.

Information Disclosure Buffer Overflow Libheif +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP SQLi +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Access token exposure in Microchip's GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) leaks authentication credentials via URL query parameters on certain management endpoints. Any party capable of observing network traffic, server access logs, HTTP Referer headers, or browser history during a high-privilege administrator session can harvest the exposed token and subsequently impersonate that session. The vendor-supplied CVSS 4.0 vector includes E:A (Exploit Maturity: Attacked), indicating that exploitation activity has been observed in the field, elevating practical urgency beyond what the moderate base score alone implies.

Information Disclosure Gridtime 3000
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

HTML injection in HCL Verse for Android's rich text email composition component enables malicious content execution on the local device. The compose-rich-editor library (v1.0.0-rc14) bundled with HCL Verse for Android fails to sanitize HTML input, allowing crafted content to execute in the composition context. With High confidentiality and integrity impact signals in the CVSS vector, successful exploitation could expose sensitive email data or allow unauthorized modification of content; no public exploit code has been identified at time of analysis.

Google Information Disclosure Verse For Android
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Improper network-namespace isolation in the Linux kernel's IPv6 VTI (ip6_vti) tunnel driver allows the per-netns fallback device (ip6_vti0) to be relocated into another network namespace, because vti6_init_net() omits the netns_immutable flag that sibling tunnel drivers (ip6_tunnel, sit, ip6_gre, ip_tunnel) all set. A local user holding CAP_NET_ADMIN in a namespace can move this fallback device, breaking the isolation guarantee the kernel enforces for other fallback tunnels and potentially destabilizing networking state. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.15%, 5th percentile).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Type confusion in CedarJava versions prior to 2.3.6, 3.4.1, and 4.9 allows authenticated remote attackers to manipulate authorization decisions by injecting reserved JSON keys (`__entity` or `__extn`) into CedarMap objects built from attacker-controlled input. When an integrating service constructs a CedarMap from caller-supplied data such as headers, metadata, or resource tags, the Rust cedar-policy evaluator can be tricked into interpreting a record as an entity reference, undermining fine-grained authorization. No public exploit identified at time of analysis, but the CVSS 8.8 rating reflects high impact on confidentiality, integrity, and availability of authorization outcomes.

Memory Corruption Java Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Silent TLS downgrade in Guzzle's built-in cURL handlers exposes proxy credentials and tunneled connection metadata to network interception when the application is configured to use an https:// proxy but runs against libcurl older than 7.50.2. Affected deployments see proxy authentication headers (Proxy-Authorization, CURLOPT_PROXYUSERPWD), CONNECT target host/port for tunneled HTTPS, and full request headers and bodies for plain HTTP requests transmitted without encryption - with no runtime error or warning from Guzzle or libcurl. No public exploit identified at time of analysis and no CISA KEV listing; however, the CVSS confidentiality impact is rated High (C:H) due to full credential exposure on the proxy leg.

PHP Information Disclosure
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

OAuth2 credential exposure in the jleehr/canto-saas-api PHP Composer library (versions ≤ 2.0.0) allows any party with read access to web server logs, proxy logs, APM traces, or error tracking platforms to harvest Canto app_secret, refresh_token, and authorization code values in plaintext. The library violates RFC 6749 §2.3.1 by transmitting these credentials as URL query parameters on POST requests to the Canto OAuth token endpoint, rather than in the form-encoded POST body - causing them to be recorded by default in virtually every HTTP logging layer. A second exposure path exists through failed token requests: Guzzle exception messages containing the full credential-laden URI were propagated unmodified into AuthorizationFailedException, meaning error trackers such as Sentry may also have captured these secrets. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure
NVD GitHub
CVSS 4.8
MEDIUM PATCH This Month

Unencoded path variable injection in `jleehr/canto-saas-api` (versions ≤ 2.0.0) allows URL path traversal sequences and delimiter characters to alter the destination endpoint of outbound API requests constructed by `Request::buildRequestUrl()`. When a consuming PHP application passes untrusted user input directly as path variables - such as `scheme` or `contentId` in `GetContentDetailsRequest` - characters including `../`, `?`, and `#` are inserted verbatim, silently redirecting the request to an unintended Canto API endpoint. Because the Bearer access token is unconditionally appended in `AbstractEndpoint::sendRequest()`, every such redirected request carries full application credentials, enabling unintended reads or writes scoped to the configured app's privileges. No public exploit has been identified at time of analysis, and exploitation is conditional on the consuming application's input-handling design.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Improper access-control re-validation in the Linux kernel's RDMA/InfiniBand subsystem (the ib_uverbs memory-region re-registration path) allows a local user with RDMA device access to obtain unintended read-write access to memory that was only pinned as read-only. When IB_MR_REREG_ACCESS upgrades a memory region from RO to RW, the underlying umem was not re-evaluated to confirm it is properly pinned for writing, enabling potential memory corruption or disclosure across RDMA-capable drivers. EPSS is low (0.17%, 6th percentile) and there is no public exploit identified at time of analysis; the issue is fixed upstream in multiple stable trees.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sensitive information disclosure in the Tilt HUD server (Go package github.com/tilt-dev/tilt, versions >= 0.19.5 through <= 0.37.3) lets an unauthenticated network caller read live process memory via unprotected net/http/pprof endpoints mounted under /debug, harvesting the session token (Tilt-Token cookie) and the apiserver loopback bearer token, and hold the process under CPU profiling or tracing to degrade performance. Exploitation requires the HUD or apiserver listener to be bound to a non-loopback address (tilt up --host 0.0.0.0 or TILT_HOST set); the default loopback-only bind is not remotely reachable. No public exploit identified at time of analysis, and this is not in CISA KEV; a vendor patch (v0.37.4) is available.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Silent integer truncation in NI grpc-device 2.17.0 and earlier allows unauthenticated network-accessible attackers to corrupt size values processed by the CodeGen component, potentially causing integrity violations in instrument control operations. The root cause is CWE-681 - missing range checks during numeric type conversion in CodeGen - meaning oversized size fields silently lose their high-order bits rather than being rejected or flagged. No CISA KEV listing and no public exploit code have been identified at time of analysis, placing this in a lower operational priority tier despite its medium CVSS 4.0 score of 6.3.

Information Disclosure Grpc Device Instrumentstudio
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Remote denial of service in NI grpc-device 2.17.0 and earlier allows unauthenticated network attackers to crash the streaming API by sending a specially crafted write request that triggers an out-of-bounds read (CWE-125). The flaw was reported by NI itself and is documented in both an NI security bulletin and a GitHub security advisory (GHSA-8rjh-429j-f6gw); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Information Disclosure Buffer Overflow +2
NVD GitHub
EPSS 0% CVSS 2.3
LOW Monitor

The wolf-rbac plugin in Apache APISIX 1.2.0 through 3.16.0 trusts client-controlled identity and IP data under its default configuration, allowing a low-privileged network attacker to inject spoofed identity information into application logs and manipulate IP-based access control rule evaluation. Rooted in CWE-348 (Use of Less-Trusted Source), the plugin accepts identity claims from a less-trusted input channel rather than authoritative internal state. No public exploit has been identified and the vulnerability is absent from the CISA KEV catalog; the vendor has released a fix in version 3.17.0.

Apache Information Disclosure Apache Apisix
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM This Month

Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to manipulate header values forwarded by the forward-auth plugin to upstream backend services. The flaw, rooted in improper input validation (CWE-20) of the forward-auth plugin's header handling, enables an attacker to impersonate other identities as seen by backend services that rely on APISIX to assert trustworthy identity context. No active exploitation is confirmed in CISA KEV and no public proof-of-concept has been identified, but the CVSS 4.0 subsequent-system impact metrics (SC:H/SI:H/SA:H) signal that backend services face high-severity consequences if exploited.

Apache Information Disclosure Apache Apisix
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Account takeover in JetBrains Hub is possible through predictable restore codes, affecting all versions prior to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429. Remote unauthenticated attackers can guess or predict the restore codes used for account recovery, enabling them to seize control of arbitrary user accounts. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects the high impact of full account compromise across an identity management platform.

Information Disclosure Hub
NVD
EPSS 0% CVSS 5.6
MEDIUM POC PATCH This Month

Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI feature flag to remote denial of service and limited heap disclosure. Two FFI iterator functions - quiche_connection_id_iter_next and quiche_conn_retired_scid_next - return raw pointers to ConnectionId values that are immediately freed when their owning Rust scope exits, leaving callers holding dangling pointers. No public exploit has been identified at time of analysis and there is no CISA KEV listing, but the CVSS 5.6 (AV:N/AC:H) score correctly reflects the constrained preconditions imposed by the opt-in build flag.

Use After Free Memory Corruption Information Disclosure +2
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Local privilege escalation and denial of service in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows non-privileged users to trigger a use-after-free of GPU MMU page tables via crafted GPU system calls. An error path fails to clean up before freeing the physical page-table allocation, enabling memory corruption that can be leveraged for kernel-context impact. No public exploit identified at time of analysis and SSVC reports no observed exploitation.

Information Disclosure Use After Free Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hospitality business data to any authenticated Subscriber-level user. Affected AJAX handlers lack WordPress capability checks, enabling low-privilege users to read other guests' booking line items, enumerate active coupon codes, and access internal pricing data across the entire site. A public proof-of-concept exploit exists per WPScan; while not confirmed actively exploited in CISA KEV, the low authentication barrier and publicly available exploit represent meaningful real-world risk for any hotel or hospitality site with user registration enabled.

Information Disclosure WordPress Wp Hotel Booking
NVD WPScan VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution in BetterDocs Pro for WordPress (versions through 3.8.0) is achievable by abusing the `doc_style` parameter to include arbitrary local PHP files. Wordfence has assigned a critical 9.8 CVSS score, and while no public exploit identified at time of analysis, the unauthenticated network-reachable nature of the flaw on a widely deployed WordPress documentation plugin makes opportunistic mass-exploitation likely once details propagate.

Information Disclosure WordPress RCE +3
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Arbitrary file read in Royal Addons for Elementor versions 1.7.1058-1.7.1059 allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the PHP process - including wp-config.php and its database credentials - via a crafted wpr-data-table widget saved through Elementor's save_builder endpoint. The flaw is a regression: the vulnerable wpr_get_csv_handle() helper was itself introduced in version 1.7.1058 as the remediation for a prior CVE (CVE-2026-6229), meaning the security patch introduced a new, exploitable path. No public exploit has been identified at time of analysis, but the low privilege bar (Contributor) and high-value disclosure target (database credentials) elevate real-world risk on WordPress sites that permit open or low-friction contributor registration.

PHP WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive information exposure in the Bogo WordPress plugin through version 3.9.1 allows authenticated users with subscriber-level access to extract the raw title, body content, excerpt, and password of any private, draft, or password-protected post by abusing the translation duplication endpoint. The REST API handler bogo_rest_create_post_translation enforced only a locale-access capability check, which all authenticated users can satisfy, and returned raw post field values in the API response without verifying whether the requestor had read or edit rights over the source content. No public exploit code or active exploitation (CISA KEV) is confirmed at time of analysis, though the attack path is straightforward for any authenticated WordPress user.

Authentication Bypass WordPress Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Use-after-free in libexpat before 2.8.2 allows memory corruption when XML_ResumeParser is called from within a handler callback during a policy-violation scenario. The missing call-depth guard permits re-entrant parser invocation, leaving dangling pointers in the parser's internal heap state and enabling potential information disclosure or memory corruption with low confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis, and the high attack complexity (AC:H) reflects the specific re-entrant handler pattern required to trigger the flaw.

Use After Free Memory Corruption Information Disclosure +2
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH Act Now

Denial-of-service in Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Modules (all versions) allows unauthenticated remote attackers to halt the module's communication function by flooding its Ethernet port with packets. The high packet rate overwhelms internal anomaly-detection processing and stops communications - a critical impact for the industrial control environments these PLCs operate in. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects high availability impact in operational technology contexts.

Information Disclosure Mitsubishi Electric Melsec Iq F Series Fx5 Enet Ip Ethernet Module Fx5 Enet Ip
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Kubernetes device-plugin and resource-allocation enforcement can be bypassed in containerd by a namespace user holding pod-creation rights, who restores a container from a maliciously crafted checkpoint image. The CRI restore path trusts Container Device Interface (CDI) annotations embedded in untrusted checkpoint metadata instead of the pod's create-time spec, letting the attacker smuggle arbitrary CDI edits (host device nodes and mounts) into the restored container. It affects containerd v2.1.0-2.1.8, v2.2.0-2.2.4 and v2.3.0-2.3.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Kubernetes Checkpoint Information Disclosure +1
NVD VulDB GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Host command execution in containerd's CRI plugin arises because labels from an image config (Dockerfile LABEL instruction) are propagated to the created container without validation; when a downstream plugin consumes those labels for operations (notably the restart-monitor's binary:// logger path), an attacker-controlled label value becomes an arbitrary command executed with host-root privileges. Affected releases are all containerd versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5, and 2.3.2, meaning any environment that pulls and runs an untrusted image on a node using a label-consuming plugin is exposed to full container-to-host escape. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, so this is a high-severity, responsibly-disclosed flaw rather than one with confirmed active exploitation.

Information Disclosure Containerd
NVD VulDB GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Arbitrary host file disclosure in containerd's CRI plugin lets an attacker read any file on the Kubernetes node via `kubectl logs` because the plugin restores `container.log` from a checkpoint image while blindly following a symlinked path. All containerd 2.x branches before 2.1.9, 2.2.5, and 2.3.2 are affected wherever container checkpoint/restore (CRIU-based) is used. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the flaw was independently reported by numerous researchers and a vendor patch is available.

Checkpoint Information Disclosure Containerd
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Out-of-bounds read in Microsoft HEIF Image Extensions 1.2.22.0 allows remote attackers to disclose memory contents and crash the process by serving a crafted HEIF image. The flaw stems from CHEIFItemInfoEntry_GetDataSize returning success with a reported data size of zero, leading to a 1-byte allocation that is later overrun by a memmove in CopyPixels. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Microsoft Buffer Overflow Information Disclosure +1
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL Emergency

Remote code execution in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras allows unauthenticated attackers to run arbitrary code by sending a specially crafted web request to the device's HTTP interface. The flaw was reported through CISA's ICS-CERT coordination process and carries a CVSS 4.0 base score of 9.3, but there is no public exploit identified at time of analysis and the CVE is not on the CISA KEV list.

Path Traversal Information Disclosure RCE +3
NVD GitHub
EPSS 0% CVSS 7.1
HIGH Act Now

Cleartext Bluetooth Low Energy transmission in the Apollo Pharmacy Blood Glucose Monitoring System (Model APG-01 BT) allows an attacker within BLE radio range to passively sniff wireless traffic and recover patient glucose readings and related health data. The flaw is a CWE-319 cleartext-transmission issue affecting a consumer medical device, disclosed via CISA ICS-CERT advisory ICSMA-26-169-01. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Blood Glucose Monitoring System Model No Apg 01 Bt
NVD GitHub
EPSS 0% CVSS 7.3
CRITICAL Act Now

Session ID generation in Mojolicious::Sessions::Storable through version 0.05 relies on predictable, low-entropy inputs - a SHA-1 hash seeded with Perl's built-in rand(), epoch time, a heap memory address, and the server PID - making session identifiers guessable by a network attacker. Successful exploitation enables session hijacking, allowing an attacker to impersonate authenticated users without possessing their credentials. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the flaw is structurally significant on low-traffic, single-worker deployments where PID and timing entropy are minimal.

Information Disclosure Suse
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in PraisonAI before 1.5.115 allows authenticated agents to read other agents' system prompts and conversation history by exploiting missing uniqueness enforcement on agent identifiers in the MultiAgentLedger component. An attacker who can register an agent with a colliding ID receives the same ledger instance as the victim, breaking tenant isolation in multi-agent deployments. No public exploit identified at time of analysis, though the upstream GHSA advisory (GHSA-766v-q9x3-g744) publishes a working proof-of-concept demonstrating the collision.

Information Disclosure Praisonai
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH NO ACTION Monitor

Information disclosure in Microsoft Cost Management Interactive Experiences allows unauthenticated remote attackers to retrieve sensitive data over a network. The flaw carries a CVSS 3.1 base score of 7.5 with high confidentiality impact and no integrity or availability effects, and Microsoft has published an advisory with a fix. At time of analysis there is no public exploit identified and the vulnerability is not listed in CISA KEV.

Information Disclosure Microsoft Cost Management
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Hardcoded static credentials in Chef 360 prior to v1.7.0 exposed internal message queue infrastructure to unauthorized network access, disclosing tenant-specific identifiers across the multi-tenant platform. The credential was embedded in the product itself, making it accessible to any party with possession of the software. Progress Chef confirmed the issue and eliminated the static credential entirely in v1.7.0 by replacing it with per-tenant access controls. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental vector flags this as automatable (AU:Y) with proof-of-concept exploit maturity (E:P), elevating its realistic urgency beyond the low base score of 2.3.

Information Disclosure Chef360
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Out-of-bounds heap read in libssh2 through 1.11.1 enables a malicious SFTP server or man-in-the-middle attacker to leak heap memory or crash client applications by sending a crafted SSH_FXP_NAME response with an inflated link_len during READLINK or REALPATH operations. The library is embedded in many SSH/SFTP clients (curl, Git tooling, language bindings), so impact extends to anywhere libssh2 is used as a client. No public exploit identified at time of analysis, but a vendor patch (commit 2dae302) is available and the issue was reported by VulnCheck.

Information Disclosure Buffer Overflow Libssh2
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Kernel stack memory disclosure in OpenBSD's MPLS input processing exposes arbitrary kernel stack contents to unauthenticated remote attackers via crafted MPLS frames. The flaw exists in `mpls_do_error` within `sys/netmpls/mpls_input.c` (revision 1.81), where a label-stack iterator lacked an upper-bounds guard, allowing a 16-label frame with no Bottom-of-Stack bit to drive an out-of-bounds read. A publicly available exploit exists per the Argus Systems advisory; this vulnerability is not confirmed as actively exploited in the CISA KEV catalog, and the CVSS 4.0 score is 6.9.

Information Disclosure Buffer Overflow Src
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Symlink race condition in pam_usb prior to 0.9.2 allows a local attacker to redirect one-time pad files to an attacker-controlled directory, potentially exposing future OTP values before use and undermining hardware-based PAM authentication on Linux. The flaw is a classic TOCTOU pattern in per-device and per-user pad directory creation, fixed as part of a 12-issue security hardening release (0.9.2) triggered by an ongoing audit. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, successful exploitation could permit authentication bypass by a local low-privilege user.

Information Disclosure Pam Usb
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Non-atomic one-time pad file creation in pam_usb prior to 0.9.2 exposes the core replay-prevention mechanism to a local race condition (CWE-362), allowing a precisely timed concurrent write to corrupt or reuse the stored OTP pad state. Systems running pam_usb as a PAM module for SSH, sudo, or login are affected on all versions before 0.9.2; successful exploitation could silently degrade hardware authentication integrity, creating a window for USB token replay attacks. No public exploit or CISA KEV listing has been identified at time of analysis; vendor-released patch 0.9.2 resolves this and 11 additional security findings.

Race Condition Information Disclosure Pam Usb
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.

Information Disclosure Mojolicious Suse
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Path traversal in Daytona's sandbox volume mount handling (versions <= 0.185.0) allowed a crafted volume reference containing traversal sequences to theoretically resolve the runner's bind-mount source path outside the intended per-volume base directory, with a worst-case impact of cross-tenant read/write access to other tenants' FUSE-mounted volume data. Critically, the vendor confirmed the vulnerability was NOT exploitable in any released version: volume references pass through UUID-type database validation before reaching the runner, structurally rejecting traversal payloads and producing a server-side validation error instead of an unintended mount. No public exploit has been identified and the CVE carries no CISA KEV listing, consistent with a latent code-path defect rather than an active attack surface.

Canonical Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP) bytes read from removable media - resident in freed heap memory because the xfree() helper calls free() without first zeroing the buffer. On any system where a secondary use-after-free condition or heap inspection primitive is present within the same pam_usb process, an attacker could recover pad values or other credential material from those freed regions, potentially undermining the hardware authentication guarantee pam_usb is designed to provide. This is a defense-in-depth hardening gap patched in 0.9.2; no confirmed active exploitation or public exploit code has been identified at time of analysis.

Information Disclosure Pam Usb
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

OpenFGA's authorization Check API returns incorrect results when MySQL is configured as the datastore and authorization policies depend on case-sensitive user string differentiation. MySQL's default case-insensitive collations cause two distinct user identifiers - identical except for letter casing - to match the same stored authorization tuple, producing an 'allowed' response for a user identity that should be denied. This constitutes an improper policy enforcement flaw (GHSA-cf98-j28v-49v6) that can silently bypass fine-grained access controls in any deployment meeting the two required preconditions. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure
NVD GitHub VulDB
CVSS 6.1
MEDIUM PATCH This Month

Integer overflow in tract-nnef's NNEF .dat tensor parser allows loading a crafted model archive to produce a Tensor whose reported element count (e.g. 2^61+7) vastly exceeds its 56-byte heap allocation, causing a bounded heap out-of-bounds read during model build and a reliable SIGSEGV (DoS) on any access past the mapped region. Affected are all applications using tract-nnef < 0.21.16, 0.22.0-0.22.2, or 0.23.0-0.23.1 that load attacker-controlled NNEF model archives via the public `model_for_path` / `model_for_read` API. No public exploit is available at time of analysis, though the reporter demonstrated the issue against affected crate versions; no CISA KEV entry exists.

Information Disclosure Buffer Overflow
NVD GitHub
Prev Page 23 of 741 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
66671

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy