Skip to main content

Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (66671)

EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in the Element Pack Pro WordPress plugin (versions 9.0.6 and earlier) allows authenticated contributors to read or include arbitrary server-side files via insufficient validation of a file path parameter, mapped to CWE-98 (improper control of filename for include/require). The flaw was reported through Patchstack and affects bdthemes' Element Pack Pro, a widely deployed Elementor add-on; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unauthenticated local file inclusion in the Xtemos Hitek WordPress theme versions prior to 1.8.3 allows remote attackers to include and execute arbitrary local files on the server via crafted requests, mapped to CWE-98 (Improper Control of Filename for Include/Require Statement in PHP). With a CVSS 3.1 score of 8.1 and high attack complexity but no authentication required, successful exploitation can lead to source code disclosure, sensitive configuration exposure, and potential remote code execution. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Malmö WordPress theme versions 2.2 and earlier allows remote attackers to include arbitrary local files via crafted requests, enabling disclosure of sensitive server-side content and potentially remote code execution. The flaw is reported by Patchstack and classified as CWE-98 (improper control of filename for include/require), with no public exploit identified at time of analysis. Affected sites are WordPress installations using the elated-themes Malmö theme.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Mikado Core WordPress plugin versions 1.6 and earlier allows remote attackers to include arbitrary local files via crafted HTTP requests, potentially exposing sensitive server contents and enabling code execution. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the Bricksforge WordPress plugin versions 3.1.8.4 and earlier allows remote attackers to retrieve confidential information without any credentials. The flaw, tracked under CWE-201 (Insertion of Sensitive Information Into Sent Data), carries a CVSS 3.1 score of 7.5 driven entirely by confidentiality impact, and no public exploit has been identified at time of analysis.

Information Disclosure Bricksforge
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Account takeover in Booknetic WordPress appointment booking plugin versions 4.8.5 and earlier allows remote unauthenticated attackers to bypass authentication controls and gain access to arbitrary user accounts. The Patchstack advisory characterizes this as a broken authentication weakness (CWE-288) with high impact across confidentiality, integrity, and availability. No public exploit is identified at time of analysis, and exploitation requires high attack complexity per the CVSS vector.

Information Disclosure Booknetic
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in ThemeREX EcoBlue WordPress theme versions 1.15 and earlier enables remote attackers to include arbitrary local files on the server without credentials, potentially leading to source code disclosure and remote code execution via PHP file inclusion (CWE-98). No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with WordPress's broad deployment surface makes this notable. EPSS data was not provided, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the ThemeREX AutoParts WordPress theme versions 1.5.8 and earlier allows remote attackers to include and execute arbitrary local files on the server. No public exploit identified at time of analysis, but the CWE-98 classification and PR:N CVSS vector make this a meaningful pre-authentication risk for any WordPress site running the theme. Successful exploitation typically leads to sensitive file disclosure (wp-config.php) and, when combined with log poisoning or uploaded content, full remote code execution.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Themeum Right Way WordPress theme versions 4.0 and earlier allows remote attackers to include arbitrary local files and likely achieve code execution through PHP file inclusion (CWE-98). The flaw is network-reachable without credentials, though CVSS records high attack complexity (AC:H), and no public exploit has been identified at time of analysis. The advisory is sourced from Patchstack's WordPress vulnerability database.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Reprizo WordPress theme by AxiomThemes (versions 1.0.8 and earlier) allows remote attackers to coerce the PHP include/require chain into loading arbitrary server-side files, leading to disclosure of sensitive configuration data and potential code execution if uploaded or log files can be referenced. No public exploit identified at time of analysis, but the issue is tracked by Patchstack as a high-severity flaw against a commercial WordPress theme.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Promo WordPress theme through version 1.3.0 allows remote attackers to coerce the application into including arbitrary PHP files from the server, potentially leading to source code disclosure, sensitive file reads, or remote code execution where attacker-controlled files are reachable. The vulnerability is reported by Patchstack and affects axiomthemes' Promo theme; no public exploit identified at time of analysis and EPSS data was not provided. The CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability despite high attack complexity.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Tipsy WordPress theme versions 1.1 and earlier allows remote attackers to coerce the PHP interpreter into including arbitrary files via attacker-controlled path parameters. Successful exploitation can disclose sensitive server-side files, leak configuration secrets such as wp-config.php database credentials, and - depending on environment - escalate to code execution by including log files, session files, or other writable artifacts. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the ThemeREX Resurs WordPress theme versions 1.3 and below allows remote attackers to include and execute arbitrary local files on the server. The flaw, tracked under CWE-98 (Improper Control of Filename for Include/Require), enables disclosure of sensitive files and potential code execution depending on server configuration. No public exploit identified at time of analysis, though Patchstack has confirmed the issue against the affected theme.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the ThemeREX Orpheus WordPress theme (versions <= 1.3) allows remote attackers to read arbitrary files on the server and potentially achieve code execution via PHP file inclusion. The flaw stems from improper control of filenames in an include/require statement (CWE-98), and while no public exploit has been identified at time of analysis, the CVSS 8.1 rating reflects high impact across confidentiality, integrity, and availability. Risk is somewhat tempered by the high attack complexity metric in the CVSS vector.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Snowy WordPress theme (ThemeREX) versions up to and including 1.13 allows remote attackers to coerce the PHP runtime into including arbitrary files from the server filesystem. The flaw is tracked as CWE-98 (Improper Control of Filename for Include/Require), reported by Patchstack, and carries a CVSS 3.1 score of 8.1 (High) reflecting high-complexity but unauthenticated network exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Quirky WordPress theme versions 1.23 and earlier allows remote attackers to include and disclose arbitrary local files on the server. The flaw stems from improper control of filename for include/require statements (CWE-98), which can escalate to remote code execution if attackers can plant or reach an includable PHP payload. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Gat WordPress theme (versions 1.16 and earlier) allows remote attackers to include arbitrary local files on the server, potentially leading to disclosure of sensitive configuration data, credentials, or remote code execution if combined with uploadable content. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high confidentiality, integrity, and availability impact. The vulnerability is reported by Patchstack and affects the ThemeRex Gat theme.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Ingenioso WordPress theme through version 1.14.0 allows remote attackers to coerce the PHP application into including arbitrary server-side files, leading to disclosure of sensitive content and potential remote code execution where uploaded or log-poisoned files can be reached. The flaw is classified under CWE-98 (improper control of filename for include/require) and was disclosed via Patchstack with no public exploit identified at time of analysis. CVSS is rated 8.1 (High) with high attack complexity, reflecting that successful exploitation depends on identifying a reachable include path.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the AirSupply WordPress theme versions up to and including 2.0.0 allows remote attackers to coerce the PHP application into including arbitrary local files, exposing sensitive data and potentially leading to code execution. Reported by Patchstack and tracked under CWE-98 (improper PHP file inclusion), with no public exploit identified at time of analysis and no EPSS or KEV signal supplied in the input. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable, unauthenticated exploitation that nevertheless requires meeting non-trivial conditions to succeed.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeRex HomeRoofer WordPress theme through version 2.11.0 allows remote attackers to include and read arbitrary local files on the server, potentially leading to source code disclosure, credential theft from wp-config.php, and in some PHP configurations remote code execution. The flaw is reachable without authentication over HTTP, and no public exploit has been identified at time of analysis though Patchstack has catalogued the issue in their WordPress vulnerability database. No CISA KEV listing or EPSS data was supplied in the source intelligence.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion affects the Joly WordPress theme by ThemeREX in versions up to and including 1.22.0, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Successful exploitation can disclose sensitive configuration (such as wp-config.php containing database credentials and auth keys) and, depending on server configuration, escalate to remote code execution via log poisoning or session file inclusion. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unauthenticated local file inclusion in the ThemeREX Neuronet WordPress theme before version 1.14.0 allows remote attackers to coerce the PHP runtime into including arbitrary files via untrusted input reaching an include/require statement. The flaw is reachable without authentication or user interaction, but CVSS marks attack complexity as High, suggesting non-trivial preconditions for full exploitation. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated arbitrary file download in the Premium Age Verification / Restriction for WordPress plugin (versions ≤ 3.0.2) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials or user interaction. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability impact, consistent with file disclosure rather than code execution. There is no public exploit identified at time of analysis and the issue is not present in CISA KEV, but Patchstack has confirmed the flaw against a default plugin installation.

PHP WordPress Information Disclosure +2
NVD
EPSS 1% CVSS 6.6
MEDIUM This Month

PHP Object Injection in the Counter Box WordPress plugin (all versions through 2.0.13) allows authenticated administrators to deserialize attacker-controlled input via the plugin's import functionality, with deserialization triggered automatically on the post-import redirect and again when any imported item is opened for editing. The vulnerability carries no standalone impact - exploitation is entirely contingent on a Property-Oriented Programming (POP) chain being present in a separately installed plugin or theme, at which point an attacker could achieve arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit is identified at time of analysis, and the CVSS AC:H and PR:H ratings reflect both the administrative access requirement and the environmental dependency on co-installed POP chain software.

PHP Deserialization WordPress +2
NVD
EPSS 1% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated information disclosure in the Teldat Regesta Smart HD-PLC (model TLDPH16D2, firmware 11.02.05.10.02) exposes version and privilege data via a PHP-based upgrade query endpoint accessible over the network without any login or registration. An attacker sends a crafted HTTP request to /upgrade/query.php?cmd=p+3&3Bversion and receives sensitive system metadata in the response, violating CWE-201 by returning information that should be restricted. No active exploitation has been confirmed (not in CISA KEV), and the direct impact is limited to confidentiality, but the exposed data can enable targeted follow-on attacks against this HD-PLC networking device.

PHP Information Disclosure Regesta Smart Hd Plc Tldph16D2
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local information disclosure in Android's MmsSmsProvider component allows installed applications to read sensitive SMS/MMS data without holding the required permissions. The flaw stems from a missing permission check inside MmsSmsProvider.java, enabling any local app to query the content provider and exfiltrate message data without user interaction. No public exploit identified at time of analysis, and the issue is addressed in the Android Security Bulletin for Android 17.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local information disclosure in the Android Contacts Provider component permits an on-device attacker to extract data from the contacts database via SQL injection without requiring additional execution privileges or user interaction. The flaw is addressed in the Android Security Bulletin for Android 17, and no public exploit identified at time of analysis. Although the input CVSS 4.0 score is 10.0 with a network vector, the description explicitly characterizes the impact as local, which security teams should reconcile before prioritization.

SQLi Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request

WordPress Information Disclosure Learnpress
NVD WPScan VulDB
EPSS 0% CVSS 3.3
LOW Monitor

In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

In multiple functions of btm_sec.cc, there is a possible way for an attacker to intercept SMS messages due to a logic error in the code. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.

Information Disclosure
NVD VulDB
CRITICAL Act Now

Privilege escalation in Apache DolphinScheduler before 3.4.2 allows any authenticated general user to mint admin-level access tokens by calling the /access-tokens API endpoint directly, bypassing role-enforcement logic. This effectively grants full administrative control over the workflow scheduling platform to any low-privilege account holder. No public exploit has been identified at time of analysis, but the simplicity of the attack surface - a direct API call - makes this a high-priority remediation target for any multi-tenant or enterprise DolphinScheduler deployment.

Apache Information Disclosure
NVD
EPSS 0% CVSS 6.5
CRITICAL PATCH Act Now

Incorrect authorization in Apache DolphinScheduler before 3.4.2 allows authenticated users to read alert instances belonging to alert groups outside their assigned permissions. The API component (org.apache.dolphinscheduler:dolphinscheduler-api) fails to enforce permission boundaries between alert groups and their associated alert instances, constituting a broken access control flaw. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the moderate severity rating reflects the authentication prerequisite and limited confidentiality impact.

Apache Information Disclosure
NVD
EPSS 0% CVSS 6.5
CRITICAL PATCH Act Now

Incorrect Authorization in Apache DolphinScheduler's API layer exposes workflow instance data across project boundaries to authenticated users who lack the required project permissions. All versions prior to 3.4.2 of the org.apache.dolphinscheduler:dolphinscheduler-api component are affected, with the vendor recommending immediate upgrade to 3.4.2. No public exploit has been identified and the vulnerability is not listed in CISA KEV; real-world risk is concentrated in multi-tenant deployments where project isolation is the primary access control boundary.

Apache Information Disclosure
NVD
EPSS 0% CVSS 6.5
CRITICAL PATCH Act Now

Incorrect Authorization in Apache DolphinScheduler's experimental `/v2` API interface permits authenticated users to invoke privileged operations without undergoing permission validation. All releases of the `dolphinscheduler-api` module prior to 3.4.2 are affected. An attacker with a valid account can bypass role-based access controls enforced on the stable API surface by routing requests through the unguarded `/v2` endpoint, potentially performing administrative workflow, datasource, or tenant operations beyond their granted privilege level. No public exploit code or CISA KEV listing has been identified at time of analysis.

Apache Information Disclosure
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Race in Updater in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Race Condition Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Google Microsoft Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. (Chromium security severity: High)

Google Chrome Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Chrome Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Google Chrome Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High)

Google Chrome Authentication Bypass +3
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Race Condition Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

Google Chrome Authentication Bypass +3
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Google Chrome Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: High)

Google Microsoft Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Google Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
CRITICAL PATCH Act Now

Missing authorization check in the Apache DolphinScheduler DataSource API exposes arbitrary data source metadata to users who lack permission to view it, affecting all versions before 3.4.2. Authenticated users with low-privilege access can query the DataSource API and retrieve connection metadata - such as hostnames, ports, database names, and usernames - belonging to data sources they are not authorized to access. No public exploit or active exploitation has been identified at time of analysis, and the Apache Software Foundation has rated this moderate severity, consistent with a confidentiality-only impact against an internal platform.

Apache Information Disclosure
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system will send a one-time password to an attacker-controlled email address when the attacker attempts to reset the password of a user account.

Information Disclosure Citrix N A
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Credential exfiltration in n8n workflow automation platform allows authenticated workflow editors to leak SecurityScorecard API tokens to attacker-controlled hosts. The SecurityScorecard node's report download operation fails to validate the target URL against the credential's allowed-domains restriction, attaching the API token to outbound requests directed at arbitrary attacker URLs. No public exploit identified at time of analysis, but the upstream fix is published and traceable through the vendor's GitHub Security Advisory.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Cross-tenant credential takeover in n8n Enterprise allows any authenticated user to hijack OAuth credentials belonging to other tenants when the Dynamic Credentials feature is enabled. Three EE endpoints failed to enforce per-resource ownership checks, letting attackers enumerate credentials across private workflows, overwrite stored OAuth tokens with attacker-controlled tokens, or revoke victim tokens entirely. No public exploit identified at time of analysis, but the issue has a high CVSS 4.0 score of 8.9 and a vendor advisory confirms the flaw.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Denial of service via ZIP decompression bomb in n8n's Compression node affects all versions prior to 2.24.0, allowing unauthenticated remote attackers to terminate the entire n8n process by submitting a maliciously crafted archive to any public webhook workflow that uses the Decompress operation. Memory exhaustion crashes the host process, taking every workflow on the instance offline simultaneously - a significant blast radius in production deployments. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the attack primitive is trivially constructible once a vulnerable workflow is identified.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Denial of service in n8n workflow automation platform (versions prior to 2.24.0) allows an authenticated user with workflow create/edit permissions to trigger global prototype pollution via a crafted table parameter in the Microsoft SQL node. The pollution of Object.prototype persists for the lifetime of the n8n process, causing application-wide validation failures until the server is restarted. No public exploit identified at time of analysis, though the vendor advisory provides clear technical detail.

Prototype Pollution Microsoft Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Silent configuration hijack in Traccar Client GPS tracking app (versions 9.7.19 and below) allows remote attackers to redirect victim telemetry to attacker-controlled servers via a single crafted org.traccar.client://config deep link. The app accepts deep-link parameters (server URL, device ID, accuracy, distance, interval) and writes them to persistent configuration with no user confirmation, enabling continuous covert location tracking. No public exploit identified at time of analysis, but the upstream commit confirms a confirmation dialog was added in 9.7.20 as the fix.

Information Disclosure Traccar Client
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Unauthenticated exploitation of Postiz's `/public/modify-subscription` endpoint allowed any caller in possession of a validly signed NowPayments callback token to trigger subscription enforcement side effects against their own organization - disabling team members, dropping integrations, and resetting the scheduled-post cron - without Postiz authentication. The flaw (CWE-345) stems from the NowPayments crypto payment integration: the endpoint verified the token's cryptographic signature but never validated its intended purpose or bound it to a specific subscription-modification context. Impact is strictly self-contained; the endpoint cannot be redirected at other tenants. No public exploit code and no CISA KEV listing have been identified at time of analysis. The issue is fixed in Postiz 2.21.8.

Information Disclosure Postiz App
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated user to forge session JWTs and impersonate arbitrary organizations. The Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware blindly trusted every claim without re-resolving the user from the database. No public exploit identified at time of analysis, but the fix commit is public and the root cause is trivially reproducible from the patch diff.

Information Disclosure Postiz App
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-tenant privilege escalation in Daytona (versions ≤0.184.0) allows any authenticated user who owns an organization to modify or delete roles belonging to other organizations on the same instance, including the managed Daytona platform. The role update and delete endpoints only validated owner-level access to the path-named organization while resolving the target role by its global identifier, enabling tenant-boundary bypass. No public exploit identified at time of analysis, and exploitation requires knowing the victim role's non-enumerable identifier.

Authentication Bypass Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

mTLS bypass in Traefik v3.6.17 through v3.7.2 allows unauthenticated remote clients to reach backends protected by router-specific client-certificate policies by negotiating over HTTP/3 (QUIC). The QUIC TLS configuration selector performs only an exact, case-sensitive SNI map lookup, so wildcard host rules (e.g. `*.example.com`) and mixed-case SNI values fall back to the default TLS configuration, which typically does not require a client certificate, while the HTTP routing layer still dispatches the request to the protected backend. Publicly available exploit code exists in the GitHub Security Advisory GHSA-9cr8-q42q-g8m7, but there is no public exploit identified at time of analysis indicating active in-the-wild abuse.

OpenSSL Information Disclosure Docker
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Mr. SEO WordPress theme versions 2.0 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The flaw, reported by Patchstack and tracked as CWE-98 (PHP Remote File Inclusion), enables information disclosure and potential remote code execution depending on what files are reachable on the host. No public exploit identified at time of analysis, though the theme's WordPress deployment context broadens the attack surface across affected sites.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Aperitif WordPress theme (versions up to and including 1.5) by elated-themes allows remote attackers to coerce the PHP include/require chain into loading attacker-controlled paths without credentials or user interaction. No public exploit identified at time of analysis, but the high CIA impact and unauthenticated network reach make it a meaningful supply-chain risk for sites using this commercial theme. The CVSS:3.1 score of 8.1 reflects high attack complexity, indicating the trigger likely requires a specific request pattern rather than a single trivial payload.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Local File Inclusion in the Getaway WordPress theme (versions before 1.8) by Select-Themes allows unauthenticated remote attackers to include arbitrary local PHP files via an unsanitized include/require parameter, leading to disclosure of sensitive files and potential code execution. The CWE-98 classification indicates improper control of filename used in PHP include/require, a pattern that frequently chains into RCE when log files, session files, or uploaded media can be referenced. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the Solene WordPress theme versions 3.4 and earlier allows remote attackers to read arbitrary server-side files and potentially execute PHP code via improperly controlled filename inclusion (CWE-98). The flaw is reachable over the network without credentials, and while CVSS:3.1 rates it 8.1 (High) with high attack complexity, no public exploit identified at time of analysis. Wide impact is plausible because Solene is a commercial WordPress theme distributed by Elated Themes and exposed on internet-facing sites.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unauthenticated local file inclusion in Softlab Core WordPress plugin versions before 1.2.11 allows remote attackers to read or include arbitrary local files on the server, potentially leading to sensitive information disclosure or remote code execution if attacker-controlled content can be reached. The flaw is reported by Patchstack and tagged as PHP/LFI affecting the WebGeniusLab Softlab Core plugin used in WordPress deployments. No public exploit identified at time of analysis, though the unauthenticated nature and high CVSS impact warrant prompt patching.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unauthenticated Local File Inclusion in the Integrio Core WordPress plugin (versions prior to 1.2.8) by webgeniuslab allows remote attackers to coerce the PHP application into including arbitrary local files, leading to source code disclosure, sensitive file exposure, and potentially remote code execution when log poisoning or upload primitives are available. The CVSS vector (AV:N/AC:H/PR:N/UI:N) reflects network-reachable, unauthenticated exploitation with high attack complexity, and no public exploit identified at time of analysis. The flaw is tracked by Patchstack and ENISA EUVD (EUVD-2026-37466) with a vendor-released patch in version 1.2.8.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unauthenticated Local File Inclusion in the Thegov Core WordPress plugin (versions prior to 2.0.23) allows remote attackers to coerce the application into including arbitrary files via a flaw classified as CWE-98 (PHP File Inclusion). Because the plugin powers the Thegov WordPress theme commonly used by government and political sites, successful exploitation can disclose sensitive configuration files such as wp-config.php and, depending on server state, escalate to PHP code execution. No public exploit identified at time of analysis, though Patchstack - the reporting party - has published a vendor advisory and a fixed release.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the Truemag WordPress theme by Cactus Themes (versions up to and including 4.3.14.2) allows remote attackers to coerce the server into including arbitrary local PHP files without credentials. With CVSS 8.1 and full CIA impact (CWE-98), successful exploitation can lead to disclosure of sensitive files, configuration data, and potential code execution by including attacker-controlled or log-poisoned content, though no public exploit identified at time of analysis.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Roneous WordPress theme (versions up to and including 2.1.5) allows remote attackers to coerce the application into including arbitrary files on the server, potentially exposing sensitive data such as wp-config.php credentials or, when combined with file upload primitives, achieving remote code execution. The flaw is reachable without authentication over the network, and no public exploit identified at time of analysis. The vulnerability is tracked by Patchstack and ENISA EUVD (EUVD-2025-210183).

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the ThemeREX ITactics WordPress theme versions 1.0 and earlier allows remote unauthenticated attackers to include arbitrary files from the underlying server, leading to disclosure of sensitive configuration data and potentially PHP code execution if attacker-controlled content can be staged on the host. Tracked by Patchstack and indexed in ENISA EUVD as EUVD-2025-210182, the issue carries a CVSS 8.1 (High) score with no public exploit identified at time of analysis.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Spike WordPress theme (versions ≤1.2) by ThemeREX allows remote unauthenticated attackers to coerce the PHP backend into including arbitrary local files via crafted filename parameters. Successful exploitation can disclose sensitive server-side files, configuration data, and credentials, and on misconfigured PHP installations may lead to code execution. No public exploit identified at time of analysis, but the issue is reported and tracked by Patchstack (WordPress vulnerability intelligence).

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the ThemeREX Eros WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary files and potentially achieve PHP code execution via include/require paths reachable without authentication. No public exploit identified at time of analysis, but the flaw is reported by Patchstack and tracked as EUVD-2025-210180. WordPress themes with LFI sinks are a recurring target because they expose include() statements through AJAX or template loader endpoints.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Choreo WordPress theme (versions through 1.6) allows unauthenticated remote attackers to include and read arbitrary local files from the server, with potential for further escalation to code execution depending on writable file content. The flaw was disclosed by Patchstack and is tracked as EUVD-2025-210179; no public exploit identified at time of analysis, and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the WineShop WordPress theme versions 3.17 and earlier allows remote attackers to include and execute arbitrary local files on the server via crafted requests. The flaw stems from improper control of filename for include/require (CWE-98) and carries a CVSS 8.1 (High) with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Grecko WordPress theme versions 5.17 and earlier allows remote attackers to coerce the application into including arbitrary files from the server filesystem, potentially leading to sensitive file disclosure and PHP code execution where attacker-controlled content can be reached. The flaw is reachable without authentication over HTTP and was disclosed via Patchstack with no public exploit identified at time of analysis. CVSS is rated 8.1 with high attack complexity, indicating exploitation is feasible but not trivially automatable.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Gita WordPress theme versions 1.11 and earlier allows remote attackers to include arbitrary local files via a PHP file-inclusion weakness (CWE-98), potentially exposing wp-config.php credentials and enabling further compromise. No public exploit identified at time of analysis, but the vulnerability is network-reachable without authentication and has been disclosed by Patchstack with a CVSS 3.1 base score of 8.1.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Printo WordPress theme (versions ≤ 1.11 by ThemeRex) allows remote attackers to include arbitrary local files via a PHP file-inclusion sink (CWE-98), enabling disclosure of sensitive server-side files and potential remote code execution if attacker-controlled content can be reached on disk. No public exploit identified at time of analysis, though Patchstack has cataloged the issue and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Medeus WordPress theme versions 1.14 and earlier allows remote attackers to coerce the PHP backend into including arbitrary files, exposing sensitive configuration data such as wp-config.php and potentially enabling code execution if log poisoning or uploaded content can be referenced. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require), affects a ThemeREX product tracked by Patchstack as a WordPress theme issue, and no public exploit identified at time of analysis. Despite the CVSS 8.1 high rating, AC:H signals non-trivial exploitation requirements beyond a simple parameter swap.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Top Dog WordPress theme (versions <=1.0.5) allows remote attackers to coerce the application into including arbitrary local PHP files, potentially leading to sensitive data disclosure or code execution if a writable/loggable file can be referenced. The flaw is reachable without authentication or user interaction over the network, though CVSS marks attack complexity as high; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Putter WordPress theme versions 1.17 and earlier allows remote attackers to read arbitrary files from the underlying web server and, in PHP environments where include wrappers are abused, potentially achieve code execution. The flaw is reachable without authentication or user interaction, though CVSS reports high attack complexity. No public exploit identified at time of analysis, but Patchstack has published the advisory.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeREX 'Dom' WordPress theme through version 1.24 allows remote attackers to coerce the PHP application into including arbitrary local files, leading to sensitive information disclosure and potential code execution. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high impact across confidentiality, integrity, and availability if a vulnerable include path is reached. The flaw is tracked by Patchstack and ENISA (EUVD-2025-210210) and affects all Dom theme versions up to and including 1.24.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion affects the ThemeREX Mission WordPress theme in all versions up to and including 1.22, enabling remote attackers to coerce the PHP application into including arbitrary local files. Exploitation can lead to sensitive file disclosure, source-code exposure, and - depending on what files are accessible on the server - remote code execution via log poisoning or PHP wrapper abuse. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Abelle WordPress theme versions 1.22 and earlier allows remote attackers to coerce the PHP runtime into including attacker-controlled file paths, leading to disclosure of sensitive server files and potential remote code execution if log poisoning or uploaded files can be reached. The flaw is reachable without credentials, but CVSS notes high attack complexity, and no public exploit identified at time of analysis. No EPSS or KEV signal is provided in the source data.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the Kelly Young WordPress theme (versions ≤1.1.0) allows remote attackers to read arbitrary local files and potentially achieve code execution by including attacker-controlled file paths via a vulnerable PHP include sink. The flaw is reachable without authentication over the network, and no public exploit identified at time of analysis. Risk is elevated by the high CVSS impact triad (C:H/I:H/A:H), though AC:H indicates non-trivial exploitation prerequisites.

PHP Information Disclosure LFI +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Wanium WordPress theme (versions up to and including 1.9.8) allows remote unauthenticated attackers to coerce the application into including arbitrary local PHP files, leading to source disclosure and potential remote code execution on the server. The flaw was disclosed via Patchstack and tracked as EUVD-2025-210204; no public exploit identified at time of analysis, and the CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable exploitation that nevertheless requires some non-trivial conditions to succeed.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Food Drop WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary server files or potentially achieve PHP code execution by abusing an improperly controlled include/require path (CWE-98). The flaw was disclosed by Patchstack and tracked as EUVD-2025-210202; no public exploit code or active exploitation has been identified at time of analysis, but the network-reachable, no-auth attack surface makes it a meaningful risk for any site running this theme.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the ThemeRex Especio WordPress theme (versions ≤ 1.0) allows remote attackers to coerce the PHP application into including arbitrary files from the underlying server. Because the include path is attacker-controlled and no authentication is required, the flaw can lead to disclosure of sensitive files (wp-config.php, system files) and, depending on local file primitives available on the server, escalation to code execution. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Deliciosa WordPress theme (versions up to and including 1.10.0) allows remote attackers to coerce the PHP application into including arbitrary local files, potentially leading to sensitive file disclosure and code execution. The flaw is reachable without authentication but carries high attack complexity per the CVSS vector, and no public exploit identified at time of analysis. Patchstack disclosed the issue and tracks it as EUVD-2025-210199.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Corbesier WordPress theme (versions ≤ 1.15.0) allows remote attackers to read arbitrary server files or potentially execute code by abusing improper validation of file paths passed to PHP include/require functions. The flaw is reachable without credentials and carries a CVSS 3.1 score of 8.1; no public exploit identified at time of analysis, and it is not listed in CISA KEV. The combination of network reachability and unauthenticated access makes any vulnerable WordPress site running this theme an immediate concern despite the high attack complexity rating.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the CopyPress WordPress theme (ThemeREX) through version 1.4.5 lets remote attackers coerce the PHP include/require chain into loading arbitrary server-side files without credentials. Patchstack catalogued the flaw as CWE-98 with CVSS 8.1, and no public exploit identified at time of analysis. Successful exploitation can expose sensitive files such as wp-config.php and, depending on the include sink, escalate to PHP code execution.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the Iona WordPress theme versions 1.0.8 and earlier allows remote attackers to coerce the PHP application into including arbitrary local files, enabling source code disclosure and potentially full remote code execution. Reported by Patchstack and tracked as EUVD-2025-210196, the flaw is rated CVSS 8.1 (High) despite high attack complexity, with no public exploit identified at time of analysis.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeREX MaxiNet WordPress theme through version 1.2.10 allows remote attackers to coerce the PHP application into including arbitrary local files, exposing sensitive configuration data such as wp-config.php and potentially enabling code execution if log poisoning or uploaded content can be reached. The flaw was disclosed via Patchstack and tracked as EUVD-2025-210195; no public exploit identified at time of analysis, and no CISA KEV listing exists.

PHP Information Disclosure LFI +1
NVD
Prev Page 25 of 741 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
66671

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy