Information Disclosure
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.
How It Works
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.
Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.
The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
Impact
- Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
- Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
- Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
- Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
- Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures
Real-World Examples
A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.
Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.
Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.
Mitigation
- Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
- Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
- Access control audits: Restrict or remove development artifacts (
.git, backup files,phpinfo()) and internal endpoints before deployment - Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
- Security headers: Deploy
X-Content-Type-Options, remove server version banners, and disable directory indexing - Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
Recent CVEs (66671)
Unauthenticated local file inclusion in the ThemeREX Nexio WordPress theme (versions ≤ 1.10.0) allows remote attackers to coerce the PHP application into including arbitrary local files, enabling disclosure of sensitive server content and potentially remote code execution if attacker-controlled content can be staged on the host. The CWE-98 classification and PHP tag indicate a classic dynamic include/require sink reachable without authentication. At time of analysis there is no public exploit identified and no CISA KEV listing, but the unauthenticated network vector and high CVSS (8.1) warrant prompt action on any WordPress site running this theme.
Unauthenticated local file inclusion in the Planty WordPress theme versions 1.14.0 and earlier allows remote attackers to coerce the PHP application into including arbitrary files from the server filesystem, leading to disclosure of sensitive configuration data and potential code execution. The flaw is reachable without credentials over the network but rated AC:H, indicating exploitation requires meeting specific conditions; no public exploit identified at time of analysis and the issue is tracked by Patchstack and ENISA EUVD-2025-210193.
Local File Inclusion in the ThemeREX Raider Spirit WordPress theme versions 1.1.2 and earlier allows unauthenticated remote attackers to include and disclose arbitrary local files via attacker-controlled file paths reaching a PHP include/require sink. The flaw maps to CWE-98 (Improper Control of Filename for Include/Require) and was disclosed through Patchstack with no public exploit identified at time of analysis, though the CVSS 8.1 rating reflects high confidentiality, integrity, and availability impact if the inclusion can be steered to executable PHP content.
Unauthenticated remote local file inclusion in the Rosaleen WordPress theme versions 2.8 and earlier allows attackers to coerce the PHP application into including arbitrary files via a CWE-98 remote file inclusion/path traversal flaw. The issue was reported by Patchstack and affects the ThemeREX-developed Rosaleen theme; no public exploit identified at time of analysis, though the unauthenticated network vector makes opportunistic targeting plausible.
Unauthenticated Local File Inclusion in the ThemeREX Modernee WordPress theme (versions through 1.6.0) allows remote attackers to coerce the server into including arbitrary local PHP files, enabling information disclosure and potential code execution via log poisoning or session file abuse. Reported by Patchstack and tracked as EUVD-2025-210189, no public exploit identified at time of analysis and the vulnerability is not in CISA KEV. The CVSS 8.1 score reflects high impact across confidentiality, integrity, and availability but with high attack complexity.
Unauthenticated Local File Inclusion in the Learnify WordPress theme (versions up to and including 1.15.0) allows remote attackers to read arbitrary files from the underlying server without credentials. Patchstack catalogued the issue as a PHP file inclusion flaw (CWE-98) and no public exploit was identified at time of analysis, though the WordPress theme ecosystem makes targeted scanning likely. The CVSS 3.1 score of 8.1 reflects high impact across confidentiality, integrity, and availability, tempered by high attack complexity.
Unauthenticated local file inclusion in the ThemeRex Geya WordPress theme (versions up to and including 1.15) allows remote attackers to read or include arbitrary files on the server, leading to information disclosure and potential code execution via PHP file inclusion. Reported by Patchstack with no public exploit identified at time of analysis and no CISA KEV listing, though the high CVSS (8.1) reflects severe confidentiality, integrity and availability impact if the vulnerable path is reached.
Cookie disclosure in yt-dlp (2023.09.24 through versions before 2026.06.09) lets a malicious website exfiltrate a victim's authenticated session cookies when the curl external downloader is in use. Because yt-dlp passes cookies to curl via inline --cookie without activating curl's cookie-scoping engine, curl forwards those cookies across HTTP redirects and to fragment hosts that differ from their parent manifest, so an attacker who lures the user into extracting a crafted URL that redirects to attacker infrastructure receives cookies scoped to a trusted site. This is the curl-downloader counterpart to GHSA-v8mc-9377-rwjj. There is no public exploit identified at time of analysis, though the vendor commit includes a regression test proving the leak; EPSS is low (0.27%, 18th percentile) and it is not in CISA KEV.
Unauthorized read access in Oracle VM VirtualBox 7.2.8's VMSVGA device component can be triggered by a locally authenticated, highly privileged attacker, resulting in a scope-change impact that may expose a subset of confidential data from resources beyond the guest VM boundary, potentially the host layer. Oracle's June 2026 Critical Patch Update describes the flaw as easily exploitable once the high-privilege prerequisite is met, though the constrained attack surface limits realistic exposure to administrative accounts with existing local host access. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis; the low CVSS base score of 3.2 reflects the narrow confidentiality-only impact and strict access requirements.
Full compromise of Oracle HR Intelligence (a module of Oracle E-Business Suite) is possible for an authenticated low-privileged attacker who can reach the Internal Operations component over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw affects EBS versions 12.2.3 through 12.2.15 and yields high impact across confidentiality, integrity, and availability, though Oracle rates exploitation as difficult (AC:H). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Oracle VM VirtualBox 7.2.8 Core component exposes a local information disclosure path exploitable by a high-privileged attacker already logged on to the host infrastructure, resulting in unauthorized read access to a subset of VirtualBox-accessible data. The CVSS scope change (S:C) indicates the read impact may cross virtualization boundaries and affect additional products - such as guest VMs - beyond the VirtualBox process itself. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, placing this in a low-urgency but operationally meaningful category for multi-tenant virtualization environments.
Local information disclosure in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged guest or host attacker to read a subset of VirtualBox-accessible data across the VM isolation boundary. The scope change (S:C) in the CVSS vector indicates the vulnerability crosses the hypervisor boundary, making it relevant to multi-tenant or shared virtualization deployments despite the low base score of 3.2. No public exploit has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog; Oracle addressed it in the June 2026 Critical Patch Update.
Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local attacker already present on the virtualization host to read a subset of VirtualBox-accessible data. The scope change (S:C) in the CVSS vector is the most operationally significant element - exploitation can impact components beyond the VirtualBox process itself, potentially reaching adjacent VMs or host resources. No public exploit code and no active exploitation have been identified at time of analysis; CVSS base score of 3.2 (Low) reflects limited confidentiality impact and a high privilege bar.
Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with the vendor and CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) characterizing the flaw as easily exploitable and yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, the issue is not on the CISA KEV list, and no EPSS score was provided, but the 9.8 base score plus Oracle's 'takeover' wording make this a top-tier patching priority on the Oracle Critical Patch Update cycle.
Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with a maximum CVSS 3.1 base score of 10.0 and a scope change indicating impact beyond the WebCenter Sites boundary. Oracle's June 2026 Critical Patch Update advisory (cspujun2026) lists the issue as easily exploitable with no privileges or user interaction required. There is no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.
Remote takeover of Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to fully compromise the product via HTTP, per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects complete loss of confidentiality, integrity, and availability with no privileges or user interaction required, and no public exploit identified at time of analysis. Oracle's own advisory characterizes the flaw as 'easily exploitable,' raising the urgency for affected customers despite the lack of a published CWE classification.
Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated network attackers over HTTP, with a CVSS 3.1 base score of 10.0 reflecting a scope change that can impact adjacent products. No public exploit identified at time of analysis, but Oracle has rated the issue as easily exploitable and released a fix in the June 2026 Critical Patch Update.
Unauthenticated remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the content management platform. Oracle's June 2026 Critical Patch Update advisory rates this 9.8 CVSS and describes it as easily exploitable with no authentication or user interaction. No public exploit identified at time of analysis, but the unauthenticated network vector and high impact place this among the highest-priority items in the CPU.
Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker with HTTP network access to fully compromise the product when a victim user is tricked into interacting with attacker-supplied content. Oracle rates the flaw 8.0 (high) with confidentiality, integrity, and availability all marked High. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthorized information disclosure in Oracle WebCenter Content 14.1.2.0.0 exposes a subset of managed content to remote unauthenticated attackers via HTTP against the Content Server component. The intelligence tags classify the mechanism as an Authentication Bypass, suggesting the Content Server fails to enforce access controls on certain requests before serving content. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the zero-complexity, zero-privilege CVSS vector means any network-reachable attacker can attempt exploitation without preconditions.
Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker with HTTP access to fully compromise the product. The flaw is rated CVSS 8.8 with high impact across confidentiality, integrity, and availability, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.
Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated attackers over HTTP, with full compromise of confidentiality, integrity, and availability per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects network-reachable, low-complexity exploitation with no user interaction, placing this among the most severe Fusion Middleware issues in the cycle. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible when a low-privileged attacker with HTTP network access successfully chains a high-complexity exploit path in the WebCenter Sites component, resulting in full confidentiality, integrity, and availability compromise. Oracle's June 2026 Critical Patch Update disclosure rates this CVSS 7.5 with AC:H/PR:L, meaning a valid (even low-tier) account plus non-trivial conditions are required. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Account takeover in Oracle Identity Manager Connector (Fusion Middleware, Mainframe Connectors component) versions 12.2.1.4.0 and 14.1.2.1.0 allows an authenticated low-privileged attacker to fully compromise the connector over HTTP and pivot to other products via a CVSS scope change. The flaw carries a 9.9 CVSS 3.1 score with high confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, and CISA KEV does not list it.
Remote code execution and full product takeover affects Oracle WebCenter Sites 14.1.2.0.0 within Oracle Fusion Middleware, enabling unauthenticated attackers to compromise the platform over HTTP. Oracle's June 2026 Critical Patch Update rates this 9.8 (CVSS 3.1) with confidentiality, integrity, and availability all marked High, and Oracle describes it as easily exploitable. No public exploit identified at time of analysis, and CWE classification is not provided in the supplied data.
Permission-sandbox bypass in the Deno runtime (versions <= 2.7.13) on macOS lets untrusted code reach paths that operators explicitly blocked with --deny-read, --deny-write, --deny-run, or --deny-ffi. Because Deno compared paths byte-for-byte while APFS treats Unicode-equivalent and case-equivalent spellings as the same file, a script granted broad --allow-* but with --deny-* carve-outs can read, write, execute, or FFI-load a protected file by referring to it with an alternate spelling (NFD vs NFC, case folding, ligatures, or German ss vs ß). No public exploit identified at time of analysis, and EPSS is low (0.14%), but the bypass is trivial to perform once an attacker controls the path string.
Cryptographic primality validation in Deno's Node.js compatibility layer (versions <= 2.8.0) silently skips Miller-Rabin testing when `crypto.checkPrime`/`checkPrimeSync` is called with default options, causing crafted composites whose smallest prime factor exceeds 17,863 (e.g. 17,881 × 17,891) to be reported as prime. Remote attackers who control bignums fed into a victim Deno application can therefore smuggle composite values past validation, with no public exploit identified at time of analysis beyond the vendor-published reproducer.
Mutual-TLS bypass in Traefik v3.7.0 and v3.7.1 lets unauthenticated remote attackers reach backends protected by wildcard-router `TLSOptions` (for example `Host("*.example.com")` with `RequireAndVerifyClientCert`). The `SNICheck` domain-fronting middleware resolves TLS options for the HTTP `Host` header via exact map lookups only, so an attacker completing the TLS handshake under a permissive SNI on the same entrypoint can then send a `Host` header for the wildcard-protected backend and skip the client-certificate requirement. Publicly available exploit code exists in the GitHub Security Advisory PoC; this is independent of the prior HTTP/3 mTLS issue.
Prototype pollution in n8n's Merge node SQL Query mode enables cross-user workflow data interception on multi-user instances. A low-privileged authenticated user can inject JavaScript prototype mutations into a shared, cached sandbox context; because that sandbox is reused across all workflow executions on the instance, the mutations persist into subsequent Merge SQL executions belonging to other users or projects, exposing their workflow data. Vendor-released patches are available in versions 2.25.7 and 2.26.2; no public exploit code or CISA KEV listing has been identified at time of analysis.
Prototype pollution in n8n's internal webhook object-copying routine enables unauthenticated network attackers to inject attacker-controlled fields into workflow execution data, turning affected workflows into confused deputies that abuse the workflow owner's stored credentials. Affected npm package versions span all n8n releases below 2.25.7 and the 2.26.0-2.26.1 range; vendor-confirmed patches are available. Exploitation is constrained by a specific workflow topology requirement, but where that topology exists the impact extends beyond n8n itself to external systems reachable via the owner's configured credentials - a scope change that the CVSS S:C metric appropriately captures. No public exploit code and no CISA KEV listing have been identified at time of analysis.
In several functions of the RTCP packet decoder, there is a possible out-of-bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
In Camera, there is a possible unauthorized way to access photos due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In RtcpHeader::decodeRtcpHeader, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In ImsMediaBitReader::ReadByteBuffer, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In keymint, there is a possible Permission Bypass due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In iavb_parse_key_data of avb_rsa.c, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In decodeAppPacket of RtcpAppPacket.cpp, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In RtpPacket::decodePacket, there is a possible out-of-bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
In PostWipeData of recovery_ui.cpp, there is a possible data persistence issue after a factory reset due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In RtcpChunk::decodeRtcpChunk, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
In RtcpByePacket::decodeByePacket, there is a possible due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
Remote information disclosure in Android's RTCP Feedback packet decoder allows a network attacker to read out-of-bounds process memory on a target device by delivering a maliciously crafted RTCP FB packet. The root cause is a CWE-190 integer overflow in RtcpFbPacket::decodeRtcpFbPacket that causes a miscalculated buffer boundary, enabling the out-of-bounds read. Exploitation requires user interaction (the target must participate in an attacker-influenced media session), and no public exploit has been identified at time of analysis; EPSS of 0.16% (6th percentile) confirms low current exploitation probability.
Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request.
Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results.
OpenClaw before 2026.4.24 exposes sensitive configuration data to other local users on shared hosts due to insecure file permissions set during the config recovery process. When recovery restores OpenClaw.json, the resulting file is created with overly broad permissions, allowing any low-privileged local user to read its contents. No public exploit has been identified at time of analysis, but exploitation requires only a low-privilege local account and a shared-host environment where the recovery path has been exercised.
OpenClaw's streamable-http MCP server implementation leaks operator-configured custom headers to attacker-controlled origins during cross-origin HTTP redirects. All OpenClaw versions before 2026.5.12 are affected, and any deployment that places sensitive values - API keys, tenant-routing credentials, or bearer tokens - in operator-configured custom headers is exposed. An attacker who controls or has compromised an MCP endpoint can trigger a cross-origin redirect, causing OpenClaw to forward those headers to an origin the attacker controls, resulting in credential theft. No public exploit has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.
Elevation of privilege in the Microsoft Malware Protection Engine (mpengine) - the scanning core shared by Microsoft Defender Antivirus - allows a low-privileged local user, tracked publicly as "RoguePlanet", to gain SYSTEM-level control by abusing how the engine resolves file links (CWE-59). Because the engine runs with the highest privileges, successful exploitation yields total loss of confidentiality, integrity, and availability. Publicly available exploit code exists (MSNightmare/RoguePlanet on GitHub) and SSVC rates technical impact as total, but there is no CISA KEV listing and EPSS is low (0.39%, 30th percentile), indicating no evidence of widespread active exploitation yet.
update_disk_psu_baseline.sh requires password in plain text. Rated high severity (CVSS 7.4).
Out-of-bounds reads in stable-diffusion.cpp's PyTorch pickle checkpoint parser (versions prior to master-584-0a7ae07) allow a crafted or truncated .ckpt file to crash the loading application or leak process memory contents. The pickle opcode handlers in src/model.cpp advanced the buffer pointer without verifying remaining bytes before each read, meaning any application using this library to load untrusted .ckpt model files is exposed to denial-of-service and potential memory disclosure. No public exploit has been identified at time of analysis, though LibFuzzer triggered crashing inputs in under one second, indicating an extremely low barrier for generating working crash payloads.
Out-of-bounds read in Adobe DNG SDK 1.7.1 build 2536 and earlier exposes sensitive process memory when a victim opens a specially crafted Digital Negative (DNG) image file. The vulnerability is confined to information disclosure - no code execution or data modification is achievable - and requires local file delivery combined with explicit user interaction, as reflected by the CVSS AV:L/UI:R metrics. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this as a moderate-priority patching target, though risk scales with how broadly the SDK is embedded in applications that process untrusted DNG files.
Out-of-bounds memory read in Adobe DNG SDK 1.7.1 build 2536 and earlier enables sensitive process memory disclosure when a victim opens a specially crafted DNG raw image file. The vulnerability is local-vector, requiring attacker-controlled file delivery and victim interaction, making phishing or malicious file distribution the primary delivery mechanism. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this as a medium-priority information disclosure risk consistent with its CVSS 5.5 rating.
Out-of-bounds read in Adobe DNG SDK 1.7.1 build 2536 and earlier exposes sensitive process memory contents when a victim opens a specially crafted DNG image file. The attacker requires no privileges of their own - the attack surface is entirely dependent on social engineering a user into opening a malicious file processed by any application embedding the vulnerable SDK. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed active exploitation.
Local code execution in NVIDIA NeMo Framework on Linux allows an authenticated low-privileged attacker to abuse unsafe deserialization of untrusted data (CWE-502) to run arbitrary code, escalate privileges, tamper with data, or disclose information. The CVSS 7.8 (AV:L/PR:L) profile and the typical ML-training use case mean exploitation requires existing access to the host running NeMo. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Code injection in NVIDIA NeMo Framework across all supported platforms allows a local attacker with low privileges to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The flaw carries a CVSS 3.1 score of 7.8 with high impact across confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Resource-accounting bypass in OpenStack Nova (compute service) lets an authenticated tenant create an instance whose scheduler hint data is not properly stripped, resulting in a running VM that has no corresponding Placement allocation. Because the instance consumes real host CPU/RAM/disk that the Placement service never accounted for, an attacker with ordinary project credentials can quietly over-subscribe a compute host and degrade availability for co-located tenants. SSVC lists exploitation as proof-of-concept (no public exploit identified as weaponized) with partial technical impact; EPSS is low at 0.26% (17th percentile).
Server-side request forgery in Astro SSR deployments (npm package astro < 6.4.6) allows remote unauthenticated attackers to coerce the runtime into fetching attacker-controlled URLs by spoofing the HTTP Host header when a prerendered /404 or /500 page is configured. The attacker-controlled response body is reflected back to the victim, enabling information disclosure from internal services reachable by the application. No public exploit identified at time of analysis; the issue was responsibly disclosed by Tarmo Technologies via GitHub Security Advisory GHSA-2pvr-wf23-7pc7.
Header chain truncation in Hono's Lambda@Edge adapter silently discards all but the last value of repeated request headers, undermining IP-based access control and audit integrity for applications deployed on AWS Lambda@Edge. The adapter incorrectly uses `Headers.set` instead of `Headers.append` when converting CloudFront's multi-value header format, meaning headers such as `X-Forwarded-For`, `Forwarded`, and `Via` are reduced to a single entry before reaching application middleware. Affected deployments using Hono versions prior to 4.12.25 on Lambda@Edge may experience weakened IP restriction logic or loss of hop-chain audit data; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Denial-of-service in Rockwell Automation 1794-AENTR FLEX I/O EtherNet/IP adapters allows remote unauthenticated attackers to fault the device and sever its connection to associated I/O modules via malformed CIP protocol requests. Recovery requires a manual reset, making this a high-impact availability issue for industrial control environments where uptime is critical. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects the network-reachable, no-privilege attack path against operational technology.
Cross-origin credential exposure in Hono web framework versions prior to 4.12.25 allows arbitrary third-party sites to read responses from cookie-authenticated endpoints when applications enable the CORS middleware with credentials: true and leave origin unset. The middleware reflects the request Origin header alongside Access-Control-Allow-Credentials: true, bypassing the browser's standard wildcard-with-credentials safeguard. No public exploit identified at time of analysis, but the misconfiguration pattern is trivial to weaponize and exploitation only requires luring an authenticated user to visit a malicious page.
Denial-of-service in the pypdf Python library allows an attacker to cause excessive CPU consumption by supplying a crafted PDF containing a FlateDecode stream with a PNG predictor filter. Any application using pypdf to parse untrusted PDFs is affected on versions prior to 6.12.2. No public exploit is identified at time of analysis, but the attack surface is broad given pypdf's use in document processing pipelines; no special authentication is required to exploit applications that accept user-supplied PDFs.
Unauthenticated information disclosure in Rockwell Automation CompactLogix 5370 PLCs exposes CIP Connection IDs via the controller's built-in web diagnostics page to any host with network access. The disclosed identifiers can be used by an attacker as a stepping-stone to craft malicious CIP packets, enabling a chained Denial-of-Service attack against active controller connections. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 AT:P flag indicates specific network access conditions must be satisfied, which reduces exposure in properly segmented OT environments.
Denial-of-service in Rockwell Automation 1769 CompactLogix 5370 controllers allows remote unauthenticated attackers to induce a minor fault on the PLC by abusing Connection IDs exposed via the device's web interface and sending forged CIP traffic. The CVSS 4.0 base score of 8.7 reflects high availability impact with no authentication or user interaction required, and no public exploit has been identified at time of analysis.
Cookie leakage in Firefox for iOS prior to 152.0 allows an attacker-controlled suffix domain to intercept cookies intended for a target site during PDF request handling. The browser's PDF loading code path applied partial rather than exact-origin domain matching when deciding which cookies to attach, meaning a domain such as 'evilbank.com' could satisfy a suffix match against 'bank.com' and receive that site's cookies. No active exploitation is confirmed, but the SSVC framework rates this as automatable with partial technical impact, making it a credible session-hijacking vector for users on unpatched versions.
Memory safety flaw in the CanvasWebGL graphics component of Mozilla Firefox allows remote attackers to trigger incorrect boundary handling through crafted web content, leading to limited confidentiality, integrity, and availability impact. The issue affects Firefox prior to version 152 and Firefox ESR prior to 140.12, and no public exploit identified at time of analysis. Reported by Mozilla with low complexity and no authentication required (CVSS 7.3).
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152.
Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152.
Sandbox escape with information disclosure in Mozilla Firefox's Process Sandboxing component allows a remote attacker to break out of the browser sandbox and read sensitive data from the host environment when a user visits attacker-controlled content. Affected versions span all Firefox releases prior to 152 and all Firefox ESR releases prior to 140.12, patched by Mozilla in mfsa2026-57 and mfsa2026-58. No public exploit identified at time of analysis and SSVC signals no current exploitation activity, keeping real-world urgency at moderate priority despite the scope-changing nature of the flaw.
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Out-of-bounds read in Firefox's WebGPU graphics component exposes browser memory contents to remote attackers who can lure a user to a malicious webpage. All Firefox versions prior to 152 are affected, with the vulnerability stemming from incorrect boundary conditions during GPU-accelerated rendering operations. No public exploit or active exploitation has been identified at time of analysis; exploitation requires user interaction, limiting opportunistic mass exploitation despite the zero-authentication requirement on the attacker side.
JIT miscompilation in Mozilla Firefox's DOM Core & HTML component enables memory corruption and limited information disclosure when a user visits a malicious web page. Affecting Firefox prior to 152, Firefox ESR 140.x prior to 140.12, and Firefox ESR 115.x prior to 115.37, the root cause is a type confusion (CWE-843) in the Just-In-Time compiler that mishandles type information during DOM object operations. No public exploit has been identified and CISA's SSVC rates exploitation as none with partial technical impact; vendor patches are confirmed across all three release channels.
Out-of-bounds read memory safety bug in Mozilla Firefox allows network-based attackers to cause limited confidentiality and integrity impact by luring users to visit crafted web content. All Firefox versions prior to 152 and Firefox ESR versions prior to 140.12 are affected, per Mozilla security advisories mfsa2026-57 and mfsa2026-58. No public exploit identified at time of analysis, and CISA SSVC assessment confirms no known active exploitation with only partial technical impact.
Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Sandbox escape in Mozilla Firefox's DOM Workers component allows remote attackers to break out of the browser's content process sandbox when a user visits a malicious web page. The flaw affects Firefox prior to 152, Firefox ESR before 140.12, and Firefox ESR before 115.37, with no public exploit identified at time of analysis despite a critical 9.6 CVSS score. EPSS exploitation probability is low at 0.16% and CISA SSVC marks exploitation as 'none', suggesting no in-the-wild abuse has been observed yet.
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.
Memory corruption via use-after-free in the Networking: HTTP component of Mozilla Firefox enables remote attackers to potentially execute arbitrary code or trigger crashes when a user visits a malicious page. The flaw affects Firefox prior to version 152, Firefox ESR before 140.12, and Firefox ESR before 115.37, and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability. With an EPSS of 0.16% (5th percentile) and no public exploit identified at time of analysis, opportunistic mass exploitation appears unlikely despite the high severity rating.
Session fixation in osTicket v1.18.2 enables remote attackers to hijack authenticated user accounts by pre-seeding a known OSTSESSID cookie before the victim logs in. The application fails to invalidate or regenerate the session identifier upon successful authentication, so an attacker who plants a known token in the victim's browser retains access to that session once the victim authenticates. No public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.1 (Medium) reflects limited per-account impact and a mandatory victim-interaction prerequisite.
Format string exploitation in Moxa NPort W2150A-W4/W2250A-W4 and W2150A/W2250A series wireless serial device servers (firmware v1.5 and prior) allows network-accessible, authenticated administrators to leak arbitrary stack memory through the web management interface. The 'alias' parameter on the Serial Param configuration page passes attacker-controlled input directly to a printf-family function without sanitization, violating CWE-134. The disclosed memory contents can be used to defeat ASLR, making this vulnerability a likely prerequisite stepping-stone to CVE-2026-10829 (stack-based buffer overflow) documented in the same Moxa advisory MPSA-261910. No public exploit and no CISA KEV listing are identified at time of analysis.
Unauthenticated sensitive data exposure in the GetGenie WordPress plugin (versions <= 4.4.1) allows any remote, unauthenticated attacker to retrieve sensitive information via a network request to an unprotected endpoint. Reported by Patchstack and rooted in CWE-201 (Insertion of Sensitive Information Into Sent Data), the plugin inadvertently includes sensitive data - potentially AI service API keys or configuration values - in HTTP responses that require no authentication. No public exploit code and no active exploitation have been identified at time of analysis.
Denial-of-service in Moxa NPort 6000-G2 Series serial device servers allows a low-privileged authenticated attacker to disrupt service and potentially trigger an unexpected device reboot via specially crafted JSON requests to the WebSocket API. The CVSS 4.0 base score of 7.1 reflects high availability impact with no confidentiality or integrity loss. Per current intelligence, there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Use-after-free memory corruption in GnuTLS's PKCS#11 PIN management function `gnutls_pkcs11_token_set_pin` enables a local low-privileged attacker to crash the process and potentially corrupt memory on systems where PKCS#11 tokens are deployed without a protected authentication path. Affected deployments span Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4, as confirmed by Red Hat (reporter) and covered under GnuTLS upstream advisory GNUTLS-SA-2026-04-29-9. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Heap buffer overflow in GNOME localsearch (formerly tracker-miners) tracker-extract-mp3 component on Red Hat Enterprise Linux 8/9/10, Ubuntu, Debian, and SUSE allows remote attackers to trigger an out-of-bounds heap read by delivering a malformed MP3 file with crafted ID3 performer tags, leading to crashes (DoS) or disclosure of process memory contents. No public exploit identified at time of analysis, and the EPSS score of 0.19% (9th percentile) plus CISA SSVC 'Exploitation: none' indicate low real-world exploitation activity despite the 8.1 CVSS rating. Vendor patches are available across Red Hat (RHSA), Ubuntu USN-8019-1, Debian, and SUSE-SU-2026:0780/21854.
Out-of-bounds read in the tracker-extract-mp3 component of GNOME localsearch (formerly tracker-miners) allows a low-privileged local user to trigger an application crash or leak sensitive process memory when the indexer parses a specially crafted MP3 file. Affected deployments include Red Hat Enterprise Linux 8, 9, and 10 running the GNOME desktop stack. No public exploit or active exploitation has been identified at time of analysis, though the file-based delivery mechanism - providing a malicious MP3 to a system where localsearch auto-indexes media - keeps realistic attacker reach higher than the AV:L vector alone implies.
Heap out-of-bounds read in GNOME localsearch (formerly tracker-miners) MP3 Extractor affects Red Hat Enterprise Linux 8, 9, and 10, exploitable when a local user triggers indexing of a specially crafted MP3 file containing malformed ID3v2.4 tags. The missing bounds check in the `extract_performers_tags` function can cause a Denial of Service via an unmapped memory read, and in certain heap layout scenarios may also leak fragments of heap memory, resulting in limited information disclosure. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Information disclosure in Canon EOS Network Setting Tool version 1.5.0 and earlier stems from an insecure default FTP configuration that transmits credentials and image data in cleartext over the network. Remote attackers positioned on the network path can intercept the unencrypted FTP traffic to capture authentication material and uploaded photographs. No public exploit identified at time of analysis, but the vulnerability is published with a Canon PSIRT advisory and CVSS 4.0 base score of 7.1.
Weak SSH cryptographic algorithms in Canon EOS Network Setting Tool version 1.5.0 and earlier allow network-adjacent attackers to undermine the confidentiality and integrity of SSH sessions used by the tool, per Canon PSIRT advisory CP2026-005. The CVSS 4.0 vector (AV:N/AC:H/UI:P/VC:H/VI:H) reflects high attack complexity and required user interaction, and there is no public exploit identified at time of analysis.
Hard-coded cryptographic keys embedded in Canon EOS Network Setting Tool version 1.5.0 and earlier expose static decryption material to any local system user, enabling unauthorized decryption of protected network traffic or configuration data exchanged between the tool and Canon EOS cameras. The flaw is CWE-321 (Use of Hard-coded Cryptographic Key) and is classified as an information disclosure vulnerability with high confidentiality impact, bounded by the requirement for local system access. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
Improper TLS certificate validation in Canon EOS Network Setting Tool version 1.5.0 and earlier allows network-positioned attackers to intercept communications between the tool and Canon servers via man-in-the-middle attacks. The flaw enables disclosure of sensitive information transmitted during camera network configuration, though no public exploit identified at time of analysis. CVSS 4.0 score of 7.1 reflects high confidentiality impact but requires user interaction (UI:P) to be successful.
Information disclosure in Canon EOS Network Setting Tool version 1.5.0 and earlier stems from improper SSH host key validation (CWE-295), allowing network-positioned attackers to impersonate legitimate SSH endpoints and harvest credentials or configuration data transmitted by the tool. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:P, VC:H) indicates remote exploitation requiring user interaction with high confidentiality impact but no integrity or availability effects. There is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Credential disclosure in Devolutions Remote Desktop Manager versions 2026.2.0 through 2026.2.8 allows a low-privileged attacker to capture stored social login credentials by creating a crafted web entry targeting a provider lookalike domain. The social login autofill feature fails to properly validate the target host against the legitimate OAuth or social identity provider domain, causing stored credentials to be submitted to an attacker-controlled site when the victim user opens the malicious entry. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.