Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Disclosure happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses, returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
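The probing described above leaves a recognisable trail in web server access logs. The following is an added example, not part of the original page: it flags clients that request several sensitive artifacts and, more urgently, any sensitive artifact the server actually served. The log lines, the path patterns and the threshold of three are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Probe targets named in the text (.env, .git, config.php, backup archives);
# the exact patterns are assumptions for this example.
SENSITIVE = re.compile(
    r"/\.env(\.|$)|/\.git(/|$)|/config\.php$|/phpinfo\.php$"
    r"|\.(bak|old|sql|zip|tgz|tar\.gz)$",
    re.IGNORECASE,
)

# Common/Combined Log Format: client address, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def sensitive_path(target):
    """Return the decoded path if it names a sensitive artifact, else None.

    The query string is dropped and percent-encoding is decoded first, so
    /%2egit/HEAD is recognised as /.git/HEAD.
    """
    path = unquote(urlsplit(target).path)
    return path if SENSITIVE.search(path) else None


def analyze(lines, threshold=3):
    """Summarise sensitive-path requests found in access log lines.

    probing_clients: clients that asked for >= threshold distinct sensitive paths.
    exposed: (client, path) pairs answered with a 2xx status, meaning the
             artifact was served and must be removed or blocked.
    """
    probes = defaultdict(set)
    exposed = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        path = sensitive_path(m["target"])
        if path is None:
            continue
        probes[m["ip"]].add(path)
        if m["status"].startswith("2"):
            exposed.append((m["ip"], path))
    probing = {ip: sorted(p) for ip, p in probes.items() if len(p) >= threshold}
    return {"probing_clients": probing, "exposed": exposed}


# Constructed sample log (documentation address ranges, invented requests).
SAMPLE_LOG = """
203.0.113.7 - - [10/Feb/2026:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [10/Feb/2026:10:00:01 +0000] "GET /.git/config HTTP/1.1" 200 92
203.0.113.7 - - [10/Feb/2026:10:00:02 +0000] "GET /config.php?x=1 HTTP/1.1" 404 153
203.0.113.7 - - [10/Feb/2026:10:00:02 +0000] "GET /backup.zip HTTP/1.1" 404 153
198.51.100.20 - - [10/Feb/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.20 - - [10/Feb/2026:10:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 20480
not a log line
192.0.2.44 - - [10/Feb/2026:10:01:00 +0000] "GET /%2egit/HEAD HTTP/1.1" 200 23
""".strip().splitlines()

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, paths in report["probing_clients"].items():
        print(f"probing: {ip} requested {paths}")
    for ip, path in report["exposed"]:
        print(f"EXPOSED: {path} was served to {ip}")
```

An entry in `exposed` is the higher-priority finding: it means the artifact exists and is readable, regardless of how many paths that client tried.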

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
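Three of the mitigations above (generic errors, response minimization and timing consistency) are sketched below as an added example; this is not code from the original page. The in-memory user store, the field names, the PBKDF2 iteration count and the helper names are all assumptions made for illustration.

```python
import hashlib
import hmac
import logging
import os
import uuid

log = logging.getLogger("app")


def hash_password(password, salt):
    # Iteration count is illustrative; choose it from current guidance.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(email, password, **fields):
    salt = os.urandom(16)
    return {"email": email, "salt": salt,
            "pw_hash": hash_password(password, salt), **fields}


# Constructed user store; a real application would query its database.
USERS = {
    "alice@example.test": make_user(
        "alice@example.test", "correct horse battery",
        id=1, display_name="Alice", role="admin",
        reset_token="constructed-secret-token",
    )
}

# Dummy credential: unknown accounts cost the same hash work as known ones.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("dummy-password", DUMMY_SALT)

GENERIC_FAILURE = {"ok": False, "error": "Invalid email or password."}

# Allowlist: only these fields ever leave the server. New columns added to
# the user record later stay private unless listed here.
PUBLIC_FIELDS = ("id", "display_name")


def public_view(user):
    return {field: user[field] for field in PUBLIC_FIELDS}


def login(email, password):
    user = USERS.get(email)
    # Always hash and always compare, even when the account does not exist,
    # so the response time does not reveal which emails are registered.
    salt = user["salt"] if user else DUMMY_SALT
    expected = user["pw_hash"] if user else DUMMY_HASH
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    if user is None or not matches:
        # The real reason is logged server-side only.
        log.info("login failed reason=%s",
                 "unknown_user" if user is None else "bad_password")
        return dict(GENERIC_FAILURE)
    return {"ok": True, "user": public_view(user)}


def safe_call(handler, *args):
    """Run a handler; on failure log the details and return a generic error."""
    try:
        return handler(*args)
    except Exception:
        incident = uuid.uuid4().hex[:12]
        log.exception("unhandled error incident=%s", incident)
        # The client gets an opaque id to quote to support, never the trace.
        return {"ok": False, "error": "Internal error.", "incident": incident}


if __name__ == "__main__":
    print(login("nobody@example.test", "guess"))
    print(login("alice@example.test", "guess"))
    print(login("alice@example.test", "correct horse battery"))
```

The same pattern applies to password reset and registration forms, which are the other common places where response differences reveal whether an account exists.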

Recent CVEs (12767)

EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

The Linux kernel's regmap hwspinlock implementation contains a race condition where concurrent threads accessing a shared spinlock flags variable can corrupt IRQ state, potentially leading to denial of service through system hangs or crashes. A local attacker with sufficient privileges can exploit this condition to cause the kernel to become unresponsive. The vulnerability affects Linux systems and currently has no available patch.

Linux Race Condition Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel's OcteonTX2 firmware driver fails to validate firmware data structures before access, causing kernel panics on systems without a MAC block. A local privileged attacker can trigger a denial of service by accessing the uninitialized firmware data region. No patch is currently available for this medium-severity vulnerability.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

An integer underflow in the Linux kernel's vsock/virtio credit calculation allows a local attacker with unprivileged access to cause a denial of service by exhausting system resources when the peer shrinks its advertised buffer while data is in flight. The vulnerability enables more data to be queued than the peer can handle, potentially leading to system instability. No patch is currently available for this medium-severity issue.

Linux Integer Overflow Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double-free vulnerability in the Linux kernel's spi-sprd-adi driver allows local attackers with low privileges to cause a denial of service or potentially execute code by triggering a probe error path that improperly frees the SPI controller structure twice. The vulnerability exists in error handling where devm_spi_register_controller() is paired with manual spi_controller_put() calls, causing the kernel to attempt freeing the same memory region twice when device registration fails. No patch is currently available.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A local privilege escalation in the Linux kernel's rxrpc subsystem allows authenticated users to trigger use-after-free or reference count underflow conditions by exploiting improper queue management in the recvmsg() function when MSG_DONTWAIT is specified. An attacker with local access can cause denial of service or potentially execute arbitrary code by corrupting the recvmsg queue through repeated calls that unconditionally requeue already-queued items. No patch is currently available for this medium-severity vulnerability (CVSS 5.5).

Linux Information Disclosure Redhat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A memory leak in the Linux kernel's AMD platform driver allows local authenticated users to exhaust system memory through repeated failures in the WBRF (Wifi Band RFI Mitigation) record function, potentially leading to denial of service. The vulnerability exists in the wbrf_record() function where a temporary buffer allocated via kcalloc() is not properly freed when the acpi_evaluate_dsm() call fails. An attacker with local access and sufficient privileges could trigger this condition multiple times to consume available memory and degrade system performance.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel's Kvaser USB CAN driver fails to properly release USB request block (URB) memory in its completion callback, allowing a local attacker with user privileges to cause a denial of service through memory exhaustion. The vulnerability occurs because URBs are unanchored by the USB framework before the completion function executes, preventing proper cleanup during device removal. No patch is currently available for this medium-severity issue.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. [CVSS 7.7 HIGH]

Node.js Information Disclosure N8n
NVD GitHub
EPSS 0% CVSS 3.1
LOW Monitor

BIG-IP Access Policy Manager is affected by user interface (UI) misrepresentation of critical information (CVSS 3.1).

Information Disclosure
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be...

WordPress PHP Lfi +2
NVD
EPSS 0%
PATCH Monitor

Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has the ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate...

Information Disclosure
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Magic Import Document Extractor (WordPress plugin) versions up to 1.0.4 are affected by information exposure (CVSS 5.3).

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Chapa Payment Gateway Plugin for WooCommerce (WordPress plugin) versions up to 1.0.3 are affected by information exposure (CVSS 5.3).

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Android versions up to 15.0 contain a vulnerability that allows attackers to launch arbitrary activity with Settings privilege (CVSS 7.8).

Information Disclosure Android
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

CI4MS prior to version 0.28.5.0 contains an email enumeration vulnerability in its password reset functionality that allows unauthenticated attackers to determine whether specific email addresses are registered in the system. An attacker can exploit this information disclosure by analyzing response patterns during the authentication process to build a list of valid user accounts. A patch is available in version 0.28.5.0 and later.

Information Disclosure Ci4ms
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Ew-7438Rpn Mini Firmware versions up to 1.13 are affected by insufficiently protected credentials (CVSS 7.5).

Information Disclosure Ew 7438rpn Mini Firmware
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH POC This Week

Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. [CVSS 7.5 HIGH]

Information Disclosure
NVD Exploit-DB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

webERP 4.15.1 has an unauthenticated file access vulnerability allowing remote attackers to download sensitive files including configuration and database credentials.

Path Traversal Information Disclosure Weberp
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

import module contains a vulnerability that allows attackers to delete arbitrary files by manipulating the delete_import parameter (CVSS 8.8).

Information Disclosure
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

HTTP request smuggling in libsoup allows remote attackers to exploit non-compliant chunk header parsing by injecting malformed requests with LF-only line endings instead of proper CRLF formatting. Without requiring authentication, an attacker can cause libsoup to interpret multiple HTTP requests from a single network message, potentially leading to information disclosure. No patch is currently available for this vulnerability.

Information Disclosure Request Smuggling Redhat +1
NVD VulDB
EPSS 0%
This Week

An out-of-bounds read vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user.

Buffer Overflow RCE Information Disclosure
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Tenda AC7 firmware V03.03.03.01_cn and earlier transmits account credentials in cleartext over HTTP, enabling network-positioned attackers to intercept and obtain authentication material without user interaction. This cleartext credential exposure in HTTP responses creates a high confidentiality risk for affected device users. No patch is currently available for this vulnerability.

Information Disclosure Ac7 Firmware
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local code injection in NVIDIA Megatron-LM allows authenticated users to achieve arbitrary code execution and privilege escalation through malicious input to vulnerable scripts. An attacker with local access can craft specially designed data to trigger unsafe code evaluation, enabling complete system compromise including data theft and modification. No patch is currently available for this vulnerability affecting all supported platforms.

Privilege Escalation Code Injection Information Disclosure +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Tenda AC7 firmware v03.03.03.01_cn and earlier transmits administrative credentials in plaintext within web management responses and fails to set proper Cache-Control headers, allowing credentials to be cached by browsers. A local attacker with access to a client system or browser profile can retrieve these cached credentials to gain unauthorized administrative access to affected routers. No patch is currently available for this vulnerability.

Information Disclosure Ac7 Firmware
NVD
EPSS 0%
Monitor

When configured as L2TP/IPSec VPN server, Archer AXE75 V1 may accept connections using L2TP without IPSec protection, even when IPSec is enabled. This allows VPN sessions without encryption, exposing data in transit and compromising confidentiality.

Information Disclosure
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). [CVSS 7.5 HIGH]

Information Disclosure Buffer Overflow
NVD GitHub
EPSS 0% CVSS 3.7
LOW Monitor

HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks. [CVSS 3.7 LOW]

Information Disclosure
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 4.3 MEDIUM]

Information Disclosure Open Eclass Platform
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Open Eclass Platform versions up to 4.2 contain a vulnerability that allows attackers to identify valid user accounts by analyzing differences in the login response beha (CVSS 5.3).

Information Disclosure Open Eclass Platform
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

FUXA v1.2.7 SCADA/HMI system has insecure default configuration with security disabled by default, exposing industrial control interfaces without authentication.

Information Disclosure Fuxa
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). [CVSS 7.5 HIGH]

Information Disclosure Buffer Overflow
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC This Month

GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system information, application version, and other students' uploaded assessments, due to improper access controls and information disclosure flaws in various modules. [CVSS 4.3 MEDIUM]

Aws Information Disclosure Open Eclass Platform
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Rustfs versions up to 1.0.0 are affected by insertion of sensitive information into log file (CVSS 7.5).

Information Disclosure Rustfs
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

The ContestsWP plugin versions 2.0.7 and earlier expose sensitive embedded data through improper access controls, allowing unauthenticated attackers to retrieve information from the contest-code-checker component. This low-impact information disclosure affects WordPress sites running vulnerable versions of the Run Contests, Raffles, and Giveaways plugin. No patch is currently available to remediate this exposure.

Information Disclosure
NVD
EPSS 0%
Monitor

Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method.

Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. [CVSS 6.5 MEDIUM]

Information Disclosure Decidim
NVD GitHub
EPSS 0%
Monitor

data exposed depends on the last application view displayed versions up to 4.71.0 contains a security vulnerability.

Information Disclosure iOS
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

A flaw was found in Moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. [CVSS 4.3 MEDIUM]

Moodle Information Disclosure
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. [CVSS 5.4 MEDIUM]

XSS Information Disclosure Moodle
NVD
EPSS 0% CVSS 3.5
LOW PATCH Monitor

A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. [CVSS 3.5 LOW]

Moodle Information Disclosure Open Redirect
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Moodle contains a vulnerability that allows attackers to authenticate through the Learning Tools Interoperability (LTI) Provider (CVSS 8.1).

Moodle Authentication Bypass Information Disclosure
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Tutor LMS plugin for WordPress fails to enforce capability checks in its coupon details AJAX function, allowing authenticated subscribers to disclose sensitive coupon data including codes, discount amounts, and usage metrics through nonce validation bypass. This information exposure affects all versions up to 3.9.5 and requires only valid user authentication to exploit. No patch is currently available.

WordPress Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Directory Indexing. This issue affects SKSPro: through 07012026. [CVSS 7.5 HIGH]

Information Disclosure
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

WRC-X1500GS-B and WRC-X1500GSA-B routers contain a weak credential derivation vulnerability where initial administrative passwords can be predicted from publicly available system information, potentially allowing unauthenticated attackers to gain administrative access. The vulnerability requires physical proximity to the device to obtain necessary system details, limiting its practical exploitability. No patch is currently available for affected devices.

Information Disclosure
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Spectra Gutenberg Blocks plugin for WordPress fails to properly check password protection before displaying post excerpts, allowing unauthenticated attackers to read excerpts from password-protected posts through Post Grid, Post Masonry, Post Carousel, and Post Timeline blocks. The vulnerability affects all versions up to 2.19.17 and requires no authentication or user interaction to exploit. Currently, no patch is available.

WordPress Information Disclosure
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Fabric Operating System versions up to 9.2.1 contain a vulnerability that allows attackers to elevate the privileges of the local authenticated user to “root” using the exp (CVSS 7.8).

Information Disclosure Fabric Operating System
NVD
EPSS 0% CVSS 2.3
LOW Monitor

Fabric Operating System versions up to 9.2.1 contain a vulnerability that allows an authenticated attacker with admin privileges using the shell commands “sour (CVSS 2.3).

Information Disclosure
NVD
EPSS 0% CVSS 2.3
LOW Monitor

Fabric Operating System versions up to 9.2.1 contain a vulnerability that allows an authenticated attacker with admin privileges using the shell command “grep” t (CVSS 2.3).

Information Disclosure
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php.

PHP Information Disclosure
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C.

Information Disclosure
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php.

PHP Information Disclosure
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php.

PHP Information Disclosure
NVD
EPSS 0% CVSS 1.3
LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php.

PHP Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database SQL queries in the SANnav support save file. [CVSS 7.5 HIGH]

Information Disclosure Sannav
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs. [CVSS 6.5 MEDIUM]

Information Disclosure Sannav
NVD
EPSS 0% CVSS 2.7
LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php.

PHP Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Email enumeration in PolarLearn through timing analysis of the login endpoint allows unauthenticated attackers to identify valid user accounts by observing response time differences between existing and non-existent users. The vulnerability stems from the server only performing expensive password hashing for registered accounts, creating a measurable timing side-channel. Public exploit code exists for this vulnerability affecting PolarLearn version 0-PRERELEASE-15 and earlier.

Information Disclosure Polarlearn
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

PolarLearn versions 0-PRERELEASE-15 and earlier lack proper state parameter validation in OAuth 2.0 authentication, enabling attackers to conduct login CSRF attacks against GitHub and Google login flows. An attacker can pre-authenticate a victim's session and trick them into logging into the attacker's account, causing the victim's data and academic progress to be stored on the attacker's account instead. Public exploit code exists for this vulnerability, and a patch is available.

Github CSRF Information Disclosure +1
NVD GitHub
EPSS 0%
Monitor

continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs. When OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. [CVSS 4.9 MEDIUM]

Information Disclosure Sannav
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

SANnav contains a vulnerability that allows a remote authenticated attacker with admin privilege to access the SANnav l (CVSS 4.9).

Information Disclosure Sannav
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in Brocade SANnav before 2.4.0b prints the Password-Based Encryption (PBE) key in plaintext in the system audit log file. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the PBE key. [CVSS 6.5 MEDIUM]

Information Disclosure Sannav
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLOS providing incorrect input. [CVSS 7.1 HIGH]

Information Disclosure Sw5100 Firmware Qcs9100 Firmware +153
NVD
EPSS 0% CVSS 7.7
HIGH This Week

A local attacker could cause a full device reset by resetting the device passwords using an invalid reset file via USB. [CVSS 7.7 HIGH]

Information Disclosure
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

Native Access's privileged XPC helper uses PID-based code signature verification, which is vulnerable to PID reuse attacks allowing local attackers with low privileges to bypass security checks and gain elevated access. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can leverage this flaw to achieve arbitrary code execution with the privileges of the helper process.

Information Disclosure Native Access
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. [CVSS 8.8 HIGH]

Information Disclosure AI / ML Lunary
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Foreman KubeVirt disables SSL/TLS certificate verification by default when a CA certificate is not explicitly configured, enabling network-positioned attackers to intercept and manipulate communications between Satellite and OpenShift clusters. This man-in-the-middle vulnerability affects authenticated users and could result in unauthorized access to or modification of sensitive deployment data. No patch is currently available.

Information Disclosure Redhat
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Improper certificate validation in fog-kubevirt enables remote attackers with network access to conduct man-in-the-middle attacks against communications between Satellite and OpenShift clusters, potentially exposing sensitive data and modifying traffic in transit. An authenticated attacker can exploit this vulnerability to intercept and tamper with cluster management communications due to disabled SSL/TLS certificate verification. Currently no patch is available for this high-severity vulnerability.

Information Disclosure Redhat
NVD VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings. [CVSS 2.7 LOW]

Information Disclosure
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

The debug interface in EFM ipTIME A8004T firmware versions up to 14.18.2 contains a backdoor vulnerability in the /sess-bin/d.cgi component that can be exploited remotely through manipulation of the cmd parameter, allowing authenticated attackers with high privileges to achieve unauthorized access. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification of the disclosure.

Information Disclosure A8004t Firmware
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs extracted from query strings, transmitting authentication tokens without user confirmation. This network-based vulnerability requires user interaction (clicking a malicious link) and allows attackers to hijack authenticated sessions and perform actions with the victim's privileges. Public exploit code exists for this high-severity flaw with no patch currently available.

Information Disclosure Openclaw
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Improper authorization in CRMEB up to version 5.6.3 allows authenticated remote attackers to access unauthorized order details by manipulating the order_id parameter in the /api/store_integral/order/detail/ endpoint. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.

Information Disclosure Crmeb
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel's dmaengine QCOM GPI driver fails to properly handle krealloc() failures in gpi_peripheral_config(), causing memory leaks when reallocation of the channel configuration buffer fails. Local users with sufficient privileges can trigger this memory exhaustion condition, potentially leading to denial of service through resource depletion. A patch is not yet available for this vulnerability.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A memory corruption vulnerability in the Linux kernel's page allocation subsystem affects uniprocessor (SMP=n) configurations, allowing local attackers with low privileges to corrupt per-CPU page caches and potentially execute arbitrary code with elevated privileges. The vulnerability stems from improper spinlock handling in the page freeing path that can cause data structure corruption when triggered from interrupt context. No patch is currently available for this high-severity issue.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The idpf driver in the Linux kernel fails to properly clean up flow steering list entries during module removal, resulting in memory leaks when ethtool flow steering rules remain active. A local user with module removal privileges can trigger this memory exhaustion condition. No patch is currently available for this medium-severity vulnerability.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel's idpf driver fails to properly free the vport->rx_ptype_lkup memory during virtual port reset operations, resulting in a memory leak that could degrade system performance or cause denial of service on affected systems. A local attacker with sufficient privileges could trigger repeated reset cycles to exhaust available kernel memory. No patch is currently available for this vulnerability.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel's idpf driver fails to free the hw->lan_regs memory allocation during core deinitialization, resulting in a memory leak that can degrade system stability during driver reset operations. Local users with sufficient privileges can trigger this leak repeatedly through driver reset cycles, potentially leading to denial of service through memory exhaustion. A patch is not currently available for this medium-severity vulnerability.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The pegasus USB driver in the Linux kernel fails to properly release memory when asynchronous device register writes encounter USB submission failures, leading to memory exhaustion. A local attacker with user-level access can trigger this leak by causing USB operations to fail, potentially degrading system performance or causing denial of service. A patch is available to address the resource cleanup issue.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A local privilege escalation vulnerability in the Linux kernel's btrfs filesystem can cause a denial of service through circular locking dependencies when memory reclaim is triggered during inode initialization. An authenticated local attacker can exploit this to hang or crash the system by performing filesystem operations that trigger the vulnerable code path. No patch is currently available.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Linux kernel netfilter conntrack cleanup can hang indefinitely due to improper reference counting in IP fragmentation reassembly, where fraglist skbs retain nf_conn references that are never released. A local attacker with network namespace capabilities can trigger this denial of service condition, causing conntrack cleanup operations to become blocked. No patch is currently available for this medium-severity vulnerability.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The Linux kernel GPIO MPSSE driver fails to properly release USB device references during probe error handling, potentially leading to resource exhaustion and denial of service on systems using affected GPIO hardware. A local attacker with standard user privileges can trigger this leak by causing probe failures, eventually exhausting system resources and impacting system availability. No patch is currently available for this issue.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: dmaengine: at_hdmac: fix device leak on of_dma_xlate(). Make sure to drop the reference taken when looking up the DMA platform device during of_dma_xlate() when releasing channel resources.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

CVE-2025-71190 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw: dmamux: fix OF node leak on route allocation failure. Make sure to drop the reference taken to the DMA master OF node also on late route allocation failures.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: dmaengine: lpc18xx-dmamux: fix device leak on route allocation. Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: dmaengine: sh: rz-dmac: fix device leak on probe failure. Make sure to drop the reference taken when looking up the ICU device during probe also on probe failures.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: dmaengine: stm32: dmamux: fix device leak on route allocation. Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation.

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation. Make sure to drop the reference taken when looking up the crossbar platform device during am335x route...

Linux Information Disclosure Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: btrfs: always detect conflicting inodes when logging inode refs. After rename exchanging (either with the rename exchange operation or regular renames in multiple non-atomic steps) two inodes and at least one of them is a directory, we can end up with a log tree that contains only one of the inodes and after a power failure that can result in an attempt to delete the other inode when it should not because it was not deleted before the power failure.

Linux Information Disclosure Microsoft +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: can: j1939: make j1939_session_activate() fail if device is no longer registered. syzbot is still reporting "unregister_netdevice: waiting for vcan0 to become free".

Linux Information Disclosure Linux Kernel +2
NVD VulDB

Quick Facts

Typical Severity: MEDIUM
Category: other
Total CVEs: 12767
