Skip to main content

Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (66671)

EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable.

Information Disclosure Dancer2 Suse
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both addresses occupy a 4-byte field, so a valid multiaddr lets a source of any length pass the check, and the source is then copied into the 4-byte imr_sourceaddr field with a fixed-size copy. A source shorter than 4 bytes is not rejected, and the copy reads up to 3 bytes past the end of its buffer. Calling pack_ip_mreq_source() with a source value shorter than 4 bytes copies adjacent heap memory into the returned packed structure.

Information Disclosure Buffer Overflow Socket +2
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Parser differential in python-multipart's QuerystringParser enables HTTP parameter pollution against applications protected by WHATWG-compliant upstream components (WAFs, API gateways). Versions prior to 0.0.30 tokenize semicolons as field separators in application/x-www-form-urlencoded bodies - diverging from WHATWG, modern browsers, and Python's urllib.parse - allowing an attacker to craft a request body whose fields are parsed differently by an upstream body inspector than by the backend, smuggling form parameters the intermediary never validated. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the attack primitive is well-understood and mirrors the class of issue fixed in CPython as CVE-2021-23336.

Python Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Credential leakage in Tornado's SimpleAsyncHTTPClient (versions prior to 6.5.6) allows sensitive Authorization headers and HTTP auth parameters to be forwarded to attacker-controlled origins during 3xx redirect handling. Because follow_redirects=True is the default behavior, any Tornado-based client making outbound HTTP requests with credentials may inadvertently disclose them to a redirect target on a different scheme, host, or port. No public exploit identified at time of analysis, and this issue is not listed in CISA KEV.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the ABC Crypto Checkout WordPress plugin (versions <= 1.8.2) allows remote attackers to retrieve sensitive information without any credentials over the network. The flaw, reported by Patchstack and tracked as CWE-201, carries a CVSS 7.5 with high confidentiality impact and no integrity or availability effect; no public exploit identified at time of analysis.

Information Disclosure Abc Crypto Checkout
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the Signature Add-On for WooCommerce WordPress plugin versions 2.0 and earlier allows remote attackers to retrieve protected information without credentials over the network. Reported by Patchstack and tracked as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), the issue carries a CVSS 7.5 score driven entirely by confidentiality impact. At time of analysis there is no public exploit identified and no CISA KEV listing, but the trivial attack complexity makes opportunistic scanning plausible.

WordPress Information Disclosure Signature Add On For Woocommerce
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the Affiliates Manager WordPress plugin versions 2.9.50 and earlier allows remote attackers to retrieve confidential information without credentials. The CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact with no integrity or availability effects, and no public exploit identified at time of analysis. Disclosed by Patchstack, the issue affects WordPress sites running the wp.insider Affiliates Manager plugin used to manage affiliate marketing programs.

Information Disclosure Affiliates Manager
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Denial of service in Tornado web framework versions prior to 6.5.6 allows a malicious HTTP server to exhaust client memory through a gzip decompression bomb against SimpleAsyncHTTPClient in its default configuration. The flaw stems from missing cumulative size enforcement on decompressed response bodies; HTTPServer is also vulnerable when explicitly configured with decompress_request=True. No public exploit identified at time of analysis, though the technique (gzip bomb) is well-understood and trivial to weaponize.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in the RegistrationMagic WordPress plugin (versions up to and including 6.0.8.6) allows unauthenticated remote attackers to circumvent intended authentication controls and gain access to protected resources. The flaw, tracked as CWE-288 and reported by Patchstack, carries a critical 9.8 CVSS score because exploitation requires no privileges, no user interaction, and is reachable over the network. There is no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Information Disclosure Registrationmagic
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken authentication in the Upsell Order Bump Offer for WooCommerce plugin (versions 3.1.4 and earlier) allows remote unauthenticated attackers to manipulate offer/price integrity on affected WordPress storefronts. Patchstack classifies the issue as a price manipulation vulnerability with high integrity impact, and no public exploit identified at time of analysis. The defect is reachable over the network without authentication or user interaction, making any WooCommerce store running the plugin a direct target.

WordPress Information Disclosure Upsell Order Bump Offer For Woocommerce
NVD
EPSS 0% CVSS 7.4
HIGH This Week

Sensitive data exposure in the Chatway Live Chat WordPress plugin (versions <= 1.4.8) allows authenticated subscriber-level users to access information they should not have visibility into. The flaw, reported by Patchstack and tracked as CWE-201 (Insertion of Sensitive Information Into Sent Data), has a CVSS 3.1 score of 7.4 with scope change. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Chatway Live Chat 8211 Ai Chatbot Customer Support Faq Amp Helpdesk Customer Service Amp Chat Buttons
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper input validation in the WP Travel Engine WordPress plugin (versions 6.7.10 and earlier) allows remote unauthenticated attackers to tamper with integrity-sensitive data over the network with low complexity. The Patchstack-reported issue carries a CVSS 7.5 driven entirely by high integrity impact (I:H) with no confidentiality or availability effect, and no public exploit identified at time of analysis. Despite the 'Information Disclosure' tag inherited from the plugin context, the CVSS vector points to an integrity-affecting weakness rather than data leakage.

Information Disclosure Wp Travel Engine
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive data exposure in the Coupon Affiliates WordPress plugin (versions 7.8.1 and earlier) allows remote unauthenticated attackers to retrieve confidential subscriber information over the network without any user interaction. The flaw, reported by Patchstack and classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), carries a CVSS 7.5 score reflecting high confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis.

Information Disclosure Coupon Affiliates
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the Conekta Payment Gateway WordPress plugin (versions 6.0.0 and earlier) allows remote attackers to retrieve confidential information without authentication or user interaction. The flaw, tracked by Patchstack and classified as CWE-497 (Exposure of Sensitive System Information), carries a CVSS 7.5 score driven entirely by a high confidentiality impact over the network. No public exploit identified at time of analysis, and the CVE is not present in CISA KEV.

Information Disclosure Conekta Payment Gateway
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the WebToffee 'WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels' WordPress plugin versions 4.9.4 and earlier allows remote attackers to retrieve protected information without credentials. The flaw, reported by Patchstack and tracked as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) with confidentiality-only impact. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

WordPress Information Disclosure Woocommerce Pdf Invoices Packing Slips Delivery Notes And Shipping Labels
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in the Really Simple SSL WordPress plugin versions 9.5.10 and earlier allows remote attackers to circumvent identity verification controls (CWE-288), potentially gaining unauthorized access to WordPress sites that rely on the plugin's two-factor or login security features. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.1 driven by high impact on confidentiality, integrity, and availability, though high attack complexity (AC:H) suggests non-trivial preconditions. No public exploit identified at time of analysis and EPSS data was not supplied.

Information Disclosure Really Simple Ssl
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive data exposure in the XCloner backup and restore WordPress plugin (versions up to and including 4.8.6) permits unauthorized access to subscriber-level sensitive information via a network-accessible attack path. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the plugin inadvertently includes sensitive data in responses or transmitted content accessible without sufficient authorization controls. Discovered and reported by Patchstack, this flaw carries a CVSS 3.1 base score of 6.5 with no public exploit or CISA KEV listing identified at time of analysis.

Information Disclosure Xcloner
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive data exposure in the Visual Link Preview WordPress plugin (versions up to and including 2.4.1) allows authenticated users with subscriber-level access to access restricted data they should not be authorized to view. The vulnerability stems from insufficient access controls over sensitive system information (CWE-497), permitting any logged-in subscriber to trigger a disclosure endpoint or functionality that returns protected data. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the low privilege bar makes this accessible to any registered WordPress user.

Information Disclosure Visual Link Preview Bootstrap
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the EmbedPress WordPress plugin (versions 4.5.2 and earlier) allows remote attackers to retrieve confidential information from affected sites without any credentials or user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any vulnerable installation, though no public exploit identified at time of analysis. The flaw was disclosed via Patchstack and is classified under CWE-639, suggesting authorization checks are bypassed via predictable or user-controlled object references.

Authentication Bypass Information Disclosure Embedpress
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated integrity compromise in the WpEvently WordPress plugin (versions 5.3.3 and earlier) by MagePeople allows remote attackers to alter application data over the network without privileges or user interaction. The vendor-supplied description is a Patchstack placeholder ('Other Vulnerability Type') and does not identify the specific endpoint or function, but the CVSS vector indicates high integrity impact with no confidentiality or availability impact. No public exploit identified at time of analysis.

Information Disclosure Wpevently
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated broken authentication in the Masteriyo LMS WordPress plugin (versions ≤2.1.8) stems from improper JWT signature verification (CWE-347), allowing remote attackers to forge authentication tokens without valid credentials and gain unauthorized access to protected LMS resources. The CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N confirms fully unauthenticated, low-complexity network exploitation, enabling an attacker to impersonate enrolled students or instructors and read or modify course-related data. No public exploit code or active exploitation has been confirmed at time of analysis, and the vulnerability is not listed in CISA KEV.

Jwt Attack Information Disclosure Masteriyo Lms
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Information disclosure in the Email Marketing for WooCommerce by Omnisend WordPress plugin versions 1.18.0 and earlier allows unauthenticated remote attackers to bypass authentication controls and access protected data. The flaw is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries CVSS 7.5 driven entirely by confidentiality impact. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

WordPress Information Disclosure Email Marketing For Woocommerce By Omnisend
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive data exposure in the Bookly WordPress appointment booking plugin (versions 27.4 and earlier) allows remote unauthenticated attackers to retrieve information that should remain protected, per a Patchstack advisory. With CVSS 7.5 reflecting high confidentiality impact and no required privileges or user interaction, the flaw is reachable over the network against any site running an affected Bookly version, though no public exploit identified at time of analysis.

Information Disclosure Bookly
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive data exposure in the Contest Gallery WordPress plugin (versions <= 28.1.7) allows authenticated subscribers to access confidential information they are not authorized to view. The vulnerability stems from insufficient access control over data retrieval endpoints within the plugin, permitting low-privileged WordPress users to read sensitive data with high confidentiality impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low complexity and remote exploitability make it a credible risk for WordPress sites with open subscriber registration.

Information Disclosure Contest Gallery
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated integrity-impacting input validation failure in the Contest Gallery WordPress plugin affects all versions up to and including 28.1.7, allowing network-accessible attackers with no privileges to perform unauthorized write-class operations against the plugin. The CVSS vector confirms the unauthenticated, low-complexity attack path (AV:N/AC:L/PR:N/UI:N) with low integrity impact and unchanged scope. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in a monitor-and-patch posture rather than emergency response.

Information Disclosure Contest Gallery
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in the CloudSecure WP Security WordPress plugin (versions ≤ 1.4.7) allows remote unauthenticated attackers to subvert the plugin's authentication controls, leading to high impact on confidentiality, integrity, and availability of affected WordPress sites. The flaw is tracked by Patchstack and ENISA EUVD as a broken authentication issue (CWE-288) with a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Cloudsecure Wp Security
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2 allows remote attackers to retrieve protected information without credentials over the network. The flaw is reported by Patchstack and carries a CVSS 7.5 (high) confidentiality-only impact, with no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Simply Schedule Appointments
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken authentication in WP Full Stripe Free (WordPress plugin by Themeisle) versions 8.4.1 and earlier permits subscriber-level authenticated users to bypass authorization controls and access restricted functionality, resulting in high-confidence information disclosure. The vulnerability (CWE-288) targets the Stripe payment integration plugin's internal access control logic, allowing a low-privileged WordPress user to reach endpoints or data intended only for higher-privileged roles. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Information Disclosure Wp Full Stripe Free
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Broken authentication in the Simple Cloudflare Turnstile WordPress plugin (versions ≤ 1.38.0) allows unauthenticated remote attackers to bypass Cloudflare Turnstile CAPTCHA verification on any protected form without completing the bot-detection challenge. Classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and reported by Patchstack, the flaw enables automated or scripted form submissions that the plugin was designed to block - including login, registration, contact, and WooCommerce checkout forms. No public exploit code has been identified at time of analysis, though the network-accessible, zero-complexity nature of the bypass makes it trivially replicable by any attacker familiar with WordPress form mechanics.

Information Disclosure Simple Cloudflare Turnstile Cloudflare
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive subscriber data exposure in the WPPizza WordPress plugin (versions ≤ 3.19.9) permits any authenticated user with a subscriber-level account to access protected data belonging to other users, such as customer order records or personal information managed by the plugin. The vulnerability stems from insufficient access control enforcement on data retrieval functionality (CWE-497), where low-privilege users are permitted to query sensitive system information outside their authorization scope. No public exploit code or confirmed active exploitation has been identified at time of analysis, though the low access complexity makes opportunistic exploitation realistic on sites permitting public user registration.

Information Disclosure Wppizza
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive SMS subscriber data exposure in the VeronaLabs WP SMS WordPress plugin (versions <= 7.2.1) permits authenticated subscriber-role users to access protected data through an authorization bypass path. The flaw, classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel), enables the lowest-privilege WordPress account tier to retrieve sensitive information - likely including phone numbers, message history, or subscriber records - that should be restricted to privileged roles. No public exploit code has been identified at time of analysis, and this CVE does not appear in CISA KEV, though the low attack complexity combined with open WordPress registration on many sites meaningfully lowers the real-world exploitation barrier.

Information Disclosure Wp Sms
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the Amelia (Amelia Booking) WordPress plugin versions 2.2 and earlier allows remote attackers to retrieve protected information without credentials, per a Patchstack advisory. With a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and CWE-201 classification, the flaw is network-reachable and trivially triggerable, though no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure Amelia
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Broken authentication in the AutomatorWP WordPress plugin versions 5.6.7 and earlier allows authenticated users with low-level Subscriber privileges to bypass authorization controls, enabling integrity tampering and high availability impact on affected WordPress sites. The flaw is tracked via Patchstack and ENISA EUVD-2026-36989, with no public exploit identified at time of analysis. EPSS data was not provided, and the issue is not currently listed in CISA KEV.

Information Disclosure Automatorwp
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Authentication bypass in the ReviewX WordPress plugin versions 2.3.6 and earlier allows remote unauthenticated attackers to perform actions they should not be able to, leading to high-integrity impact on the affected site. The flaw is classified as CWE-288 (authentication bypass using an alternate path/channel) and was disclosed by Patchstack via the WordPress plugin vulnerability database. No public exploit identified at time of analysis and the issue is not listed on CISA KEV.

Information Disclosure Reviewx
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated information disclosure in the wpForo Forum WordPress plugin versions prior to 3.0.2 allows remote attackers to bypass access controls and read forum content that should be restricted. The flaw stems from improper permission preservation (CWE-281), letting unauthenticated users access data intended only for authorized members. No public exploit identified at time of analysis, but a vendor patch is available via Patchstack advisory.

Information Disclosure Wpforo Forum
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the Inisev Backup Migration WordPress plugin (versions through 2.1.1) allows remote attackers to retrieve confidential information without credentials or user interaction. Patchstack rates the issue at CVSS 7.5 with high confidentiality impact; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Backup Migration
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Broken authentication in the FunnelKit Automations WordPress plugin (versions <= 3.7.3) allows authenticated low-privilege users (subscribers) to bypass intended authentication controls, leading to integrity tampering and availability impact on the WordPress site. The flaw is reported by Patchstack and tracked as EUVD-2026-36929, with no public exploit identified at time of analysis and no CISA KEV listing. Given subscriber-level registration is open on many WordPress sites, the practical attack surface is broader than the CVSS 7.1 score alone suggests.

Information Disclosure Funnelkit Automations
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the IDPay Payment Gateway for WooCommerce WordPress plugin (versions ≤ 2.2.5) allows remote attackers to retrieve confidential information without credentials or user interaction over the network. The flaw was reported by Patchstack and tracked as EUVD-2026-36918; no public exploit identified at time of analysis. With a CVSS 7.5 (high) score driven entirely by confidentiality impact, the issue is significant for any WooCommerce site processing payments through this Iranian payment gateway integration.

WordPress Information Disclosure Idpay Payment Gateway For Woocommerce
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Starlette's HTTPEndpoint dispatcher allows remote unauthenticated attackers to invoke arbitrary internal Python instance methods as HTTP handlers by sending non-standard HTTP method names that resolve to endpoint attributes via getattr, effectively circumventing authorization logic guarding intended public handlers. Applications built on Starlette - including FastAPI - are affected when HTTPEndpoint subclasses are registered via Route(...) without an explicit methods= argument and those subclasses expose internal methods whose lowercased names match non-standard HTTP token shapes. No public exploit or active exploitation has been identified at time of analysis; a vendor-released patch is available in starlette 1.1.0.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 1.7
LOW PATCH Monitor

Resource leak in aiohttp's response write_eof method allows unauthenticated remote attackers to cause temporary file descriptor exhaustion by repeatedly disconnecting mid-response. All aiohttp versions up to and including 3.14.0 fail to invoke Payload.close() when a write is interrupted by a client disconnection, exception, or asyncio task cancellation, leaving file handles and similar OS-level resources open until Python's garbage collector intervenes. No public exploit code exists and no active exploitation has been confirmed; however, the attack requires no authentication, no special configuration, and is straightforward to automate against any endpoint serving file-backed responses. The advisory's 'Information Disclosure' tag appears inconsistent with the actual impact, which is purely availability (transient resource starvation).

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Unread compressed request bodies in aiohttp bypass the client_max_size limit during the cleanup phase, allowing a single-chunk decompression of an arbitrarily large payload into server memory. All versions up to and including 3.14.0 are affected. An attacker who can send HTTP requests with compressed bodies can trigger a zip bomb condition during cleanup, exhausting server memory and causing denial of service. No public exploit has been identified at time of analysis.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

DigestAuthMiddleware in aiohttp leaks HTTP Digest authentication credentials to attacker-controlled cross-origin redirect targets. Applications using DigestAuthMiddleware with the default follow_redirects behavior are affected in versions up to and including 3.14.0. When a server responds with a cross-origin redirect, the middleware incorrectly computes and sends a digest authentication response to the redirect destination, exposing the auth digest to the third-party domain. No public exploit has been identified at time of analysis, but exploitation is plausible wherever an open redirect exists on the origin server.

Information Disclosure Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW PATCH Monitor

Cookie scope escalation in aiohttp's CookieJar persistence layer causes host-only cookies to lose their host-restricted status after a save/load cycle, allowing them to be transmitted to subdomains that the original server never authorized to receive them. Applications using pip/aiohttp <= 3.14.0 that invoke CookieJar.save() and CookieJar.load() for session persistence are affected. No public exploit code has been identified at time of analysis, but the impact is information disclosure: sensitive cookies - including session tokens or authentication credentials - may be sent to unintended subdomain endpoints, violating the HTTP cookie scoping model.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Concurrent action execution in OliveTin versions 3000.0.0 and prior triggers a race condition in a shared text/template.Template instance, enabling cross-user command contamination, runtime panics, and execution of unintended commands. Authenticated users of the OliveTin web interface can exploit this by issuing parallel ExecRequests; no public exploit is identified at time of analysis, but the bug manifests during normal multi-user operation. The vendor patched the issue in version 3000.13.0.

Race Condition Information Disclosure Olivetin
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Unauthorized hook command execution in Cursor Desktop versions prior to 3.0.0 allows a malicious workspace to silently run local commands by registering Claude hooks in .claude/settings.local.json without prompting the user for approval. The flaw, tracked under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), enables sandbox escape, persistence, and follow-on compromise the moment an agent turn completes. No public exploit identified at time of analysis, but the vendor advisory GHSA-pc9j-3qc2-95wv confirms the issue and the CVSS 4.0 base score of 8.5 (High) reflects full CIA impact on the victim's workstation.

Information Disclosure Cursor
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof client identity by injecting X-Forwarded-For and Forwarded headers that the gateway then forwards from untrusted proxies in certain configuration scenarios. The flaw, tracked as CVE-2026-47825 with a CVSS 3.1 base score of 8.6 (Scope:Changed, Integrity:High), affects Spring Cloud Gateway 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. No public exploit identified at time of analysis, but the trust-boundary nature of the issue makes it an attractive target for downstream authentication and access-control bypass.

Java Information Disclosure Spring Cloud Gateway
NVD HeroDevs
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

{team}/join), exploiting the fact that text/plain Content-Type does not trigger a CORS preflight check. In CTF deployments this allows score inflation by forcing victims to solve Juice Shop challenges credited to the attacker's team; any sensitive data entered by the victim is also captured in the attacker's Juice Shop instance. No public exploit identified at time of analysis, and a vendor-released patch is available in version 10.0.1.

CSRF Kubernetes Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Out-of-bounds read in GStreamer's VMnc decoder allows remote attackers to crash the application or disclose memory contents when a victim opens a maliciously crafted VMnc video file. The flaw stems from a signed integer overflow in payload-size arithmetic that bypasses a length check when cursor dimensions are abnormally large. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Integer Overflow Information Disclosure Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Out-of-bounds read and denial-of-service in GStreamer's RealMedia demuxer (gst-plugins-ugly) allows remote attackers to crash, hang, or potentially leak limited adjacent memory when a victim opens a maliciously crafted RealMedia (.rm) file. The flaw stems from unvalidated offsets in re_skip_pascal_string() and an attacker-controlled loop counter in the FILEINFO metadata parser. No public exploit identified at time of analysis, and the CVE is not on the CISA KEV list.

Denial Of Service Information Disclosure Buffer Overflow +4
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Out-of-bounds read in the GStreamer RealMedia demuxer (gst-plugins-ugly) allows a maliciously crafted .rm file to crash the consuming application and potentially leak small amounts of adjacent heap memory through stream metadata. The flaw affects Red Hat Enterprise Linux 7, 8, 9, and 10 systems shipping the vulnerable demuxer, and exploitation requires a user to open or otherwise process the file (UI:R). There is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 +3
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Out-of-bounds read vulnerabilities in GStreamer's pcapparse element expose Red Hat Enterprise Linux 6 through 10 users to potential application crashes or limited memory disclosure when processing malformed PCAP files. The flaws reside in IPv4/TCP header parsing logic, where specially crafted PCAP records trigger reads beyond buffer boundaries across multiple code paths. Real-world exposure is materially constrained by pcapparse's restriction to debugging pipelines, the requirement for local user interaction, and high attack complexity; no public exploit or active exploitation has been identified at time of analysis.

Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 +6
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Out-of-bounds read in the VA JPEG decoder shipped in GStreamer's gst-plugins-bad allows a remote attacker to crash the decoder or potentially leak adjacent memory contents when a victim opens a maliciously crafted JPEG file. The flaw stems from the JPEG parser trusting a segment-length value from the bitstream without verifying it fits within the buffer, and affects Red Hat Enterprise Linux 6 through 10 where the plugin is consumed. There is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. No public exploit identified at time of analysis, but the CVSS 8.6 (scope unchanged here, network vector, no privileges) makes this a high-priority patch for any Spring AI deployment ingesting untrusted text.

Nosql Injection Java Elastic +2
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Symfony's UrlGenerator encodes only alternating dot-segments in chained `../` or `./` sequences due to a `strtr()` advancement bug, producing URLs that RFC 3986-conformant reverse proxies, API gateways, and HTTP clients collapse to unintended paths. Routes exposing parameters with permissive requirements (`.+`, `.*`) that permit slashes are the exploitable surface when attacker-controlled values contain multiple consecutive dot-segments. No active exploitation is confirmed (not in CISA KEV, no EPSS score assigned), but vendor-confirmed patches are available across all maintained Symfony branches, and the vulnerability shares the same route round-trip integrity class as the previously disclosed CVE-2026-45065.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Symfony HtmlSanitizer's UrlSanitizer::parse() method fails to block percent-encoded Unicode BiDi formatting marks (U+202A-U+202E, U+2066-U+2069) and Unicode whitespace characters, allowing both character classes to survive sanitization and be re-emitted unchanged in the output URL. Applications running symfony/html-sanitizer versions 6.1.0 through the patched releases where a downstream consumer - such as a phishing-detection filter, audit dashboard, or federated content pipeline - decodes the href before display or comparison are susceptible to visual-spoofing attacks that defeat the sanitizer's own domain allow-list defenses. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the bypass technique is fully documented in the advisory and the fix commit's test cases make reproduction straightforward.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Algorithm-confusion in Symfony's Mailomat webhook parser allows an attacker to downgrade the HMAC primitive used for signature verification, bypassing webhook authentication. Symfony packages symfony/mailomat-mailer and symfony/symfony versions 7.2.0 through 7.4.12 and 8.0.0 through 8.0.12 accept an attacker-controlled algorithm field from the inbound X-MOM-Webhook-Signature request header and pass it directly to PHP's hash_hmac(), enabling an adversary who can exploit cryptographic weaknesses in weaker HMAC primitives (e.g., HMAC-MD4 existential forgery) to inject fraudulent webhook payloads. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.

Canonical Jwt Attack PHP +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

SSRF filter bypass in Symfony's NoPrivateNetworkHttpClient permits requests to private IPv4 addresses to be smuggled via four classes of IPv6 transition encodings - 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48), Teredo (2001::/32), and IPv4-compatible (::/96) - none of which appeared in the IpUtils::PRIVATE_SUBNETS blocklist. Any Symfony application on versions 5.4.0-5.4.52 or 6.4.0-8.0.12 that uses NoPrivateNetworkHttpClient as its SSRF guard and accepts attacker-controlled URLs is vulnerable to the filter bypass; actual packet delivery to the embedded private IPv4 is additionally gated by the server's IPv6 routing configuration. No public exploit code has been released and this CVE is not in CISA KEV, but the bypass payloads are fully enumerated in the official security advisory.

Mozilla Google Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sensitive header leakage in @angular/service-worker allows remote attackers to capture Authorization tokens, Proxy-Authorization credentials, and session cookies when a credentialed asset fetch is redirected cross-origin, because the worker preserved request headers instead of stripping them per the Fetch redirect algorithm. Affected versions span Angular 20.x, 21.x, and 22.x prereleases (and all 19.x and earlier), and no public exploit identified at time of analysis. The flaw was discovered by Google DeepMind's CodeMender and patched in 22.0.1, 21.2.17, and 20.3.25.

Google Information Disclosure
NVD GitHub VulDB HeroDevs
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cache key collision in Angular's @angular/common HttpTransferCache allows remote attackers to poison Server-Side Rendering (SSR) cache entries and replace responses for sensitive endpoints with attacker-controlled content. The weak 32-bit DJB2-like polynomial rolling hash used for TransferState cache keys is trivially brute-forceable, enabling state poisoning, DOM-based XSS, and information leakage when a victim follows a crafted link. No public exploit identified at time of analysis, but the vulnerability was discovered and reported by Google DeepMind's CodeMender and is patched in Angular 22.0.1, 21.2.17, and 20.3.25.

Google XSS Information Disclosure
NVD GitHub VulDB HeroDevs
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

DOM sanitization bypass in @angular/compiler allows client-side XSS in Angular applications that use two-way property binding syntax on security-sensitive native DOM properties. The Angular template compiler's sanitizer-resolution phase omitted a case for the TwoWayProperty IR operation, meaning compiled templates with [(innerHTML)], [(src)], [(href)], [(srcdoc)], [(data)], or [(sandbox)] bindings emit the runtime ɵɵtwoWayProperty() instruction without the required sanitizer function argument, while identical one-way [property] bindings are correctly protected. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the patch diff in PR #69107 fully characterizes the missing code path.

XSS Information Disclosure
NVD GitHub VulDB HeroDevs
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site scripting execution is possible in Angular applications (@angular/compiler and @angular/core) through a dual-bypass of the framework's template sanitization engine using XML namespace prefixes. The Angular template preparser used a simple string comparison for 'script' that failed to match namespaced representations such as ':svg:script', allowing those elements to survive template compilation unstripped. Concurrently, the security context schema mappings for namespaced SVG and MathML attributes were incomplete, allowing malicious attribute bindings to evade both compile-time and runtime sanitizers. No public exploit has been identified at time of analysis, and exploitation requires the specific non-default deployment condition of runtime JIT template compilation with user-controlled input.

XSS Information Disclosure
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Tar parser interpretation differential in node-tar (npm `tar` package) <= 7.5.15 allows a crafted archive to present a different member list to node-tar than to GNU tar, libarchive, or Python tarfile, enabling security scanner evasion in pipelines that scan with one tool and extract with another. The flaw stems from node-tar incorrectly applying a PAX extended header's `size=` override to intermediary GNU long-name (`L`) and long-link (`K`) metadata headers, desynchronizing the stream cursor and causing node-tar to raise a checksum error and report zero members while reference parsers correctly extract files. A detailed, working proof-of-concept (Python stdlib only) is included in the advisory; no active exploitation (CISA KEV) has been confirmed at time of analysis, but the broad npm ecosystem blast radius - node-tar backs npm's own tarball handling - materially elevates real-world risk.

Python Information Disclosure Node.js +1
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Request credential and cache policy stripping in @angular/service-worker (versions 19.x through 22.x pre-release) causes the service worker's internal request reconstruction logic to silently discard explicit developer-defined safety parameters, replacing `credentials: 'omit'` with the browser default `credentials: 'same-origin'` and overriding `cache: 'no-store'` with default cache behavior. This results in two distinct failure modes: session cookies and Authorization headers are transmitted to same-origin endpoints that were explicitly designed to receive anonymous requests, and private or sensitive HTTP responses are stored in the browser's Cache Storage under `ngsw:` prefixed keys where they persist after user logout. No public exploit identified at time of analysis and no CISA KEV listing; vendor-released patches are available across all active major branches.

Information Disclosure
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Information disclosure in @angular/common HttpTransferCache allows unauthenticated attackers to obtain other users' private data when Server-Side Rendering and hydration are enabled. The flaw stems from the cache failing to inspect the withCredentials flag or Cookie header, allowing credentialed responses to be serialized into SSR HTML and inadvertently shared via downstream CDN/reverse-proxy caches. No public exploit identified at time of analysis, but a vendor patch and detailed advisory describing the conditions are available.

Information Disclosure
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Dynamic component mounting in @angular/core permits client-side XSS by failing to reject script elements as valid host targets for `createComponent`. Angular applications that pass user-supplied selectors or host element references to the `createComponent` API without prior sanitization are vulnerable to namespace bypass, allowing an attacker to mount Angular components onto `<script>` or `<svg:script>` elements and execute arbitrary JavaScript in the victim's browser. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept has been identified at time of analysis, but vendor-released patches are available across multiple supported major versions.

XSS Information Disclosure
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Redirect-policy stripping in @angular/service-worker allows the Angular Service Worker to silently follow HTTP 3xx redirects that client code explicitly prohibited via `redirect: 'error'`, turning the SW into an unintended Confused Deputy proxy. When a public asset route matched by an `assetGroups` pattern issues a same-origin redirect to a session-restricted private endpoint, the SW reconstructs the intercepted Request object without preserving the caller's redirect policy, causing the browser to transparently fetch and return credentialed private data that should have triggered a network error. No public exploit has been identified at time of analysis, but the vulnerability class (same-origin credential leakage via service-worker policy bypass) carries meaningful real-world risk for Angular SPAs with mixed public/private routing.

Information Disclosure
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Heap use-after-free in LibreOffice's ODF number format parser allows memory corruption when a user opens a crafted document containing a malformed number format string. The flaw arises because a position value embedded in the document is consumed without validation against the actual length of the format-code string, causing the parser to reference stale or out-of-bounds heap memory. Publicly available exploit code exists (CVSS 4.0 E:P), and while no active exploitation is confirmed via CISA KEV, the low attack complexity and document-phishing delivery model make this a realistic targeted threat.

Use After Free Memory Corruption Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

webpack-dev-server's WebSocket upgrade handler, when a proxy entry is configured with a broad path context (/) and ws: true, incorrectly forwards the dev server's own HMR WebSocket upgrade requests to the configured proxy backend. This unintentionally delivers browser cookies and the Origin header to the proxy target, bypasses the dev server's built-in Host/Origin validation, and corrupts the HMR channel by routing both HMR and proxy traffic over the same socket. No public exploit identified at time of analysis, though the affected configuration pattern is common in development setups; a vendor-released patch is available in version 5.2.5.

Information Disclosure Webpack Dev Server
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Use-after-free in Zephyr RTOS's native TCP2 stack allows a concurrent connection teardown - triggered by ordinary TCP traffic from an adjacent-network peer - to invalidate a cached iterator pointer in net_tcp_foreach(), crashing the system or causing the iterator callback to operate on attacker-influenced reallocated memory. All Zephyr releases from the TCP2 stack introduction in 2020 through v4.4.0 (inclusive) are affected. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the primary real-world risk is denial of service against embedded or IoT devices with TCP networking and shell access exposed on an adjacent network segment.

Use After Free Memory Corruption Information Disclosure +2
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Private-key recovery is possible in Crypt::DSA for Perl (all versions before 1.21) because the module caches the per-signature DSA nonce (k) inside the Key object and never clears it, causing every call to sign() after the first to reuse the identical nonce and produce signatures with matching r values. Any attacker who can observe two or more DSA signatures produced by the same Key object can apply well-known algebraic techniques to recover the private key entirely, after which they can forge arbitrary signatures. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the cryptographic impact is catastrophic: all keys used to sign more than once under an affected version must be treated as fully compromised.

Information Disclosure Red Hat
NVD VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Credential leakage in Mattermost Desktop App versions up to 6.1 and 5.5.13.0 allows authenticated server users to harvest NTLM credentials from other users by embedding images that resolve to attacker-controlled external web servers. The client fails to enforce a strict domain allow list before forwarding Windows NTLM authentication challenges, so any post in a server without the image proxy enabled becomes a credential capture vector. No public exploit identified at time of analysis and EPSS is low (0.18%), but the scope-change CVSS of 7.7 reflects cross-user impact.

Mattermost Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive information disclosure in the GetPaid WordPress plugin (also known as Invoicing, by Stiofan) through version 2.8.49 allows remote unauthenticated attackers to retrieve embedded sensitive data via responses sent by the plugin. The flaw is classified as CWE-201 and was reported by Patchstack; no public exploit identified at time of analysis, but the network-reachable, no-auth, no-interaction CVSS profile makes opportunistic discovery plausible on exposed WordPress sites.

Information Disclosure Getpaid
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Resource flooding in MIA Technology Pizzy Library versions 1.0.0.26250 through 1.3.9.26250 allows authenticated remote attackers to abuse improper interaction frequency controls (CWE-799) to degrade availability and tamper with integrity. With a CVSS 3.1 base score of 7.1 and no public exploit identified at time of analysis, the flaw primarily threatens service availability in deployments that expose the library over the network. The advisory was coordinated through Turkey's TR-CERT, with no CISA KEV listing and no EPSS data provided.

Information Disclosure Pizzy Library
NVD
EPSS 0% CVSS 8.7
HIGH POC Monitor

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Information Disclosure WordPress +2
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC Monitor

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Information Disclosure +1
NVD Exploit-DB
EPSS 0% CVSS 6.8
MEDIUM This Month

Hard-coded cryptographic key exposure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables local attackers to decrypt sensitive licensing and configuration data for vault room and safe deposit locker systems. The static key, embedded in SafeSystem.Infrastructure.Security.dll, can be recovered through standard reverse engineering, then used to decrypt the licence.whs file - which itself contains a second key granting access to additional configuration files. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code is known at time of analysis; however, the attack requires only low-privilege local file access and straightforward tooling, making it realistic for any insider or attacker who achieves filesystem access.

Information Disclosure Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Unauthenticated file disclosure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) exposes unprotected HTTP endpoints that allow any remote, unauthenticated attacker to directly download files from paths including /Resources/CompanyId_[ID]/Audio/ and /SafeData/. The affected software manages physical vault rooms and safe deposit locker systems, making the /SafeData/ endpoint particularly sensitive as it likely contains locker allocation records, customer data, or audit materials. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the network-accessible, zero-authentication nature of the flaw (AV:N/AC:L/PR:N/UI:N per CVSS 4.0) makes opportunistic abuse trivially achievable without specialized tooling.

Information Disclosure Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cryptographic key disclosure in Wertheim SafeController Family 65000 (AssemblyVersion 6.11.8130.22319), a microcontroller-based safe deposit locker system, allows adjacent attackers to decrypt protected communications. The device uses a weak custom (proprietary) cryptographic algorithm with hard-coded keys, and researchers at SEC-VLab demonstrated both breaking the encryption routine and recovering the key by intercepting sufficient traffic. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Wertheim Safecontroller Family 65000 Hardware For Vault Rooms Safe Deposit Locker System Microcontroller
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Authentication bypass via replay attack affects Wertheim SafeController 5400 and Controller 5400 (AssemblyVersion 6.11.8130.22320) vault room safe deposit locker systems, where RS-485 traffic between the server and microcontroller flows without cryptographic protection. An adjacent attacker with physical access to the RS-485 bus can capture legitimate commands and replay them - for instance, repeatedly injecting a 'quit alarm' message to silently disable the safe's alarm. No public exploit identified at time of analysis, and there is no published CISA KEV listing or EPSS data for this physical-bus weakness.

Information Disclosure Wertheim Safecontroller 5400 Hardware For Vault Rooms Safe Deposit Locker System Microcontroller
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Insufficient OAuth token invalidation in Ansible Lightspeed (part of Red Hat Ansible Automation Platform 2.x) allows a remote attacker who has exfiltrated a valid access token to maintain persistent authenticated sessions even after the legitimate user has logged out. The backend fails to revoke the token server-side on logout, leaving it exploitable until natural expiration. Successful exploitation enables unauthorized read access to sensitive Ansible resources - including inventories, playbooks, and configuration data - with no public exploit or CISA KEV listing identified at time of analysis.

Information Disclosure Red Hat Ansible Automation Platform 2 7 Red Hat Ansible Automation Platform 2 +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.

WordPress Information Disclosure Wp Maps Pro
NVD WPScan
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.

WordPress Information Disclosure Wp Go Maps
NVD WPScan
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields.

WordPress Information Disclosure Wp Go Maps
NVD WPScan
EPSS 0% CVSS 7.1
HIGH This Week

Local privilege escalation in DVDFab Virtual Drive 2.0.0.5 allows authenticated local users to abuse improper privilege management in the signed kernel driver dvdfabio.sys to gain elevated execution within the Windows kernel. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, increasing the window of risk for affected endpoints. No CISA KEV listing has been recorded, and EPSS data was not provided in the input.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Protection mechanism failure in Qihoo 360 Total Security 6.0 allows a locally authenticated attacker to bypass the Nucleus Engine Monitoring Logic by manipulating the NetworkAddr argument to the RpcStringBindingComposeW function. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving users on 6.0 without an official remediation path. EPSS data is not provided and the issue is not in CISA KEV, but the public PoC raises the practical risk for endpoints running this version.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Improper authorization in Huly Platform up to version 0.7.0 allows authenticated low-privilege users to remotely invoke the `getAccountInfo` function in `server/account/src/operations.ts` and retrieve account information beyond their authorized scope. The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment), with impact confined to limited confidentiality disclosure - no integrity or availability impact is present. A public proof-of-concept exploit exists (CVSS 4.0 E:P); no vendor patch is available as the vendor did not respond to coordinated disclosure.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Improper access controls in Huly Platform's RPC interface allow an authenticated remote attacker with low privileges to invoke the `getMailboxSecret` function in `server/account/src/operations.ts` and retrieve mailbox secrets they are not authorized to access. Versions up to and including 0.7.0 of hcengineering's Huly Platform are confirmed affected. A public proof-of-concept exploit has been disclosed (reflected in the CVSS 4.0 E:P modifier); no vendor patch exists as the vendor did not respond to responsible disclosure, leaving all users of affected versions exposed with no official remediation path.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Prototype pollution in RubyLouvre Avalon's Template Filter Handler (src/filters/index.js) allows remote unauthenticated attackers to modify JavaScript Object.prototype attributes by supplying crafted template filter input. All versions through 2.2.10 are affected per the CPE range cpe:2.3:a:rubylouvre:avalon:*:*:*:*:*:*:*:*. No vendor patch exists - the maintainer did not respond to coordinated disclosure - and a public exploit is available on GitHub (OriginSecurityX/avalon-filter-rce), which the repository title characterizes as capable of remote code execution, a materially more severe claim than the CVSS 4.0 VI:L rating assigned by the reporter.

Prototype Pollution Information Disclosure Avalon
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Prototype pollution in jsonata-js (all versions up to 2.2.0) allows remote unauthenticated attackers to inject arbitrary properties into JavaScript's Object.prototype via the createFrame function in src/jsonata.js. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) with exploitation status E:P confirms this is network-exploitable with zero prerequisites, and a public proof-of-concept has been published on GitHub demonstrating a hasOwnProperty guard bypass. No patch exists - the vendor failed to respond to coordinated disclosure - leaving all users of jsonata ≤ 2.2.0 indefinitely exposed.

Prototype Pollution Information Disclosure Jsonata +1
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Patient record exposure in medkey EHR (up to commit fc09b7ba9441ff590b72d428d5380834216b09ed) allows authenticated remote users to retrieve arbitrary patient records by manipulating the `id` parameter of the `actionGetPatientById` REST API endpoint - a textbook Insecure Direct Object Reference (BOLA/IDOR) flaw classified under CWE-99. A publicly available proof-of-concept exploit is hosted on GitHub (onyxglitch/Medkey-EHR-IDOR-PoC), materially lowering the exploitation barrier. The vendor did not respond to coordinated disclosure, leaving no confirmed patch and no official advisory for this rolling-release EHR system.

PHP Information Disclosure Medkey
NVD VulDB GitHub
Prev Page 27 of 741 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
66671

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy