Information Disclosure
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.
How It Works
Sensitive data leaks through several channels: verbose error messages whose stack traces reveal internal paths and frameworks, debug endpoints left active in production, and misconfigured servers that expose directory listings or version-control artifacts such as .git folders. APIs often leak excessive data in responses, returning full user objects when only a name is needed, or revealing system internals through metadata fields.
Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.
The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
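The two leakage channels above (oversharing responses and stack traces handed to the client) side by side with their minimized forms, as an added example that is not code from the original page. The user store, the field names and the handler names are constructed for the illustration; only the Python standard library is used.

```python
import logging
import traceback
import uuid

# Constructed sample data store; field names and values are hypothetical.
USERS = {
    "42": {
        "id": "42",
        "name": "Alice Example",
        "email": "alice@example.test",
        "password_hash": "$2b$12$constructed-hash-value",
        "api_key": "constructed-api-key-not-real",
        "internal_db_host": "db-primary.internal.example.test",
        "role": "member",
    }
}

# Allowlist of fields a client may see; anything not listed is dropped.
PUBLIC_USER_FIELDS = frozenset({"id", "name", "role"})

log = logging.getLogger("api")


def leaky_profile(user_id):
    """'Before': returns the whole record and turns exceptions into output."""
    try:
        return {"status": 200, "body": dict(USERS[user_id])}
    except Exception:
        # The formatted trace reveals file paths, the failing line and the
        # libraries in use: exactly the reconnaissance data described above.
        return {"status": 500, "body": {"error": traceback.format_exc()}}


def minimized_profile(user_id):
    """'After': allowlist the response and keep exception detail server-side."""
    try:
        record = USERS[user_id]
    except KeyError:
        # One generic message whether the id is malformed or simply absent.
        return {"status": 404, "body": {"error": "not found"}}
    except Exception:
        return _generic_error()
    # Iterate the permitted names, not the record, so a sensitive column added
    # later is not exposed by accident (allowlist, not blocklist).
    body = {field: record[field] for field in PUBLIC_USER_FIELDS if field in record}
    return {"status": 200, "body": body}


def _generic_error():
    """Log the full trace under an opaque id; the client sees only the id."""
    error_id = uuid.uuid4().hex
    log.error("unhandled error %s\n%s", error_id, traceback.format_exc())
    return {"status": 500, "body": {"error": "internal error", "error_id": error_id}}


if __name__ == "__main__":
    print("leaky:", leaky_profile("42"))
    print("minimized:", minimized_profile("42"))
    print("leaky error:", leaky_profile(["unhashable"])["body"]["error"].splitlines()[0])
    print("minimized error:", minimized_profile(["unhashable"])["body"])
```

Passing an unhashable key such as a list forces a TypeError in the lookup, which is how the two error paths are exercised without a real backend failure.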
Impact
- Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
- Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
- Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
- Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
- Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures
Real-World Examples
A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.
Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.
Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.
Mitigation
- Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
- Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
- Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
- Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
- Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
- Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
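The timing-consistency item, worked through as an added example that is not code from the page or from any product it lists. It covers the two timing oracles the CVE list below describes: a login that only runs the expensive password hash for registered accounts, and an API key check that compares character by character. The 'before' functions reproduce those behaviours; the 'after' functions hash a dummy record for unknown accounts and compare with hmac.compare_digest. The credential store, the PBKDF2 parameters and all function names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# PBKDF2 parameters are constructed for the example; use your framework's hasher in practice.
PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed credential store: one registered account with a known password.
_ALICE_SALT = os.urandom(16)
USERS = {"alice@example.test": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# A throwaway record verified whenever the account does not exist, so the
# unknown-user path does the same hashing work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(email, password):
    """'Before': no hashing for unknown accounts, so they answer measurably faster."""
    record = USERS.get(email)
    if record is None:
        return False
    salt, stored = record
    return _hash_password(password, salt) == stored


def login_uniform(email, password):
    """'After': always hash, always compare in constant time, then apply the result."""
    record = USERS.get(email)
    exists = record is not None
    salt, stored = record if exists else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    return ok and exists


# Constructed API key store; the key is not a real credential.
API_KEYS = {"constructed-key-0123456789abcdef": "alice"}


def check_api_key_leaky(presented):
    """'Before': character-by-character loop that stops at the first mismatch,
    so response time grows with the number of correct leading characters."""
    for key, owner in API_KEYS.items():
        if len(presented) != len(key):
            continue
        for a, b in zip(presented, key):
            if a != b:
                break
        else:
            return owner
    return None


def check_api_key_uniform(presented):
    """'After': compare fixed-length digests with compare_digest and never
    return early, so timing does not depend on the presented value."""
    presented_digest = hashlib.sha256(presented.encode()).digest()
    owner = None
    for key, candidate in API_KEYS.items():
        key_digest = hashlib.sha256(key.encode()).digest()
        if hmac.compare_digest(presented_digest, key_digest):
            owner = candidate
    return owner


def timing_ratio(fn, known_args, unknown_args, rounds=5):
    """Mean time of the unknown-account call divided by the known-account call.
    A ratio near 1.0 means the two paths cannot be told apart by timing."""
    def mean(args):
        start = time.perf_counter()
        for _ in range(rounds):
            fn(*args)
        return (time.perf_counter() - start) / rounds
    return mean(unknown_args) / mean(known_args)


if __name__ == "__main__":
    known = ("alice@example.test", "wrong password")
    unknown = ("nobody@example.test", "wrong password")
    print("leaky   unknown/known time ratio:", round(timing_ratio(login_leaky, known, unknown), 3))
    print("uniform unknown/known time ratio:", round(timing_ratio(login_uniform, known, unknown), 3))
```

Running the block prints a ratio close to 0 for the leaky login (the unknown account skips the hash entirely) and close to 1 for the uniform one; the exact numbers depend on the host.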
Recent CVEs (12802)
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php.
Email enumeration in PolarLearn through timing analysis of the login endpoint allows unauthenticated attackers to identify valid user accounts by observing response time differences between existing and non-existent users. The vulnerability stems from the server only performing expensive password hashing for registered accounts, creating a measurable timing side-channel. Public exploit code exists for this vulnerability affecting PolarLearn version 0-PRERELEASE-15 and earlier.
PolarLearn versions 0-PRERELEASE-15 and earlier lack proper state parameter validation in OAuth 2.0 authentication, enabling attackers to conduct login CSRF attacks against GitHub and Google login flows. An attacker can pre-authenticate a victim's session and trick them into logging into the attacker's account, causing the victim's data and academic progress to be stored on the attacker's account instead. Public exploit code exists for this vulnerability, and a patch is available.
continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction.
Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs. When OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. [CVSS 4.9 MEDIUM]
Sannav contains a vulnerability that allows attackers to a remote authenticated attacker with admin privilege able to access the SANnav l (CVSS 4.9).
A vulnerability in Brocade SANnav before 2.4.0b prints the Password-Based Encryption (PBE) key in plaintext in the system audit log file. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the pbe key. [CVSS 6.5 MEDIUM]
Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLOS providing incorrect input. [CVSS 7.1 HIGH]
A local attacker could cause a full device reset by resetting the device passwords using an invalid reset file via USB. [CVSS 7.7 HIGH]
Native Access's privileged XPC helper uses PID-based code signature verification, which is vulnerable to PID reuse attacks allowing local attackers with low privileges to bypass security checks and gain elevated access. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can leverage this flaw to achieve arbitrary code execution with the privileges of the helper process.
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. [CVSS 8.8 HIGH]
Foreman KubeVirt disables SSL/TLS certificate verification by default when a CA certificate is not explicitly configured, enabling network-positioned attackers to intercept and manipulate communications between Satellite and OpenShift clusters. This man-in-the-middle vulnerability affects authenticated users and could result in unauthorized access to or modification of sensitive deployment data. No patch is currently available.
Improper certificate validation in fog-kubevirt enables remote attackers with network access to conduct man-in-the-middle attacks against communications between Satellite and OpenShift clusters, potentially exposing sensitive data and modifying traffic in transit. An authenticated attacker can exploit this vulnerability to intercept and tamper with cluster management communications due to disabled SSL/TLS certificate verification. Currently no patch is available for this high-severity vulnerability.
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings. [CVSS 2.7 LOW]
The debug interface in EFM ipTIME A8004T firmware versions up to 14.18.2 contains a backdoor vulnerability in the /sess-bin/d.cgi component that can be exploited remotely through manipulation of the cmd parameter, allowing authenticated attackers with high privileges to achieve unauthorized access. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification of the disclosure.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs extracted from query strings, transmitting authentication tokens without user confirmation. This network-based vulnerability requires user interaction (clicking a malicious link) and allows attackers to hijack authenticated sessions and perform actions with the victim's privileges. Public exploit code exists for this high-severity flaw with no patch currently available.
Improper authorization in CRMEB up to version 5.6.3 allows authenticated remote attackers to access unauthorized order details by manipulating the order_id parameter in the /api/store_integral/order/detail/ endpoint. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.
The Linux kernel's dmaengine QCOM GPI driver fails to properly handle krealloc() failures in gpi_peripheral_config(), causing memory leaks when reallocation of the channel configuration buffer fails. Local users with sufficient privileges can trigger this memory exhaustion condition, potentially leading to denial of service through resource depletion. A patch is not yet available for this vulnerability.
A memory corruption vulnerability in the Linux kernel's page allocation subsystem affects uniprocessor (SMP=n) configurations, allowing local attackers with low privileges to corrupt per-CPU page caches and potentially execute arbitrary code with elevated privileges. The vulnerability stems from improper spinlock handling in the page freeing path that can cause data structure corruption when triggered from interrupt context. No patch is currently available for this high-severity issue.
The idpf driver in the Linux kernel fails to properly clean up flow steering list entries during module removal, resulting in memory leaks when ethtool flow steering rules remain active. A local user with module removal privileges can trigger this memory exhaustion condition. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's idpf driver fails to properly free the vport->rx_ptype_lkup memory during virtual port reset operations, resulting in a memory leak that could degrade system performance or cause denial of service on affected systems. A local attacker with sufficient privileges could trigger repeated reset cycles to exhaust available kernel memory. No patch is currently available for this vulnerability.
The Linux kernel's idpf driver fails to free the hw->lan_regs memory allocation during core deinitialization, resulting in a memory leak that can degrade system stability during driver reset operations. Local users with sufficient privileges can trigger this leak repeatedly through driver reset cycles, potentially leading to denial of service through memory exhaustion. A patch is not currently available for this medium-severity vulnerability.
The pegasus USB driver in Linux kernel fails to properly release memory when asynchronous device register writes encounter USB submission failures, leading to memory exhaustion. A local attacker with user-level access can trigger this leak by causing USB operations to fail, potentially degrading system performance or causing denial of service. A patch is available to address the resource cleanup issue.
A local privilege escalation vulnerability in the Linux kernel's btrfs filesystem can cause a denial of service through circular locking dependencies when memory reclaim is triggered during inode initialization. An authenticated local attacker can exploit this to hang or crash the system by performing filesystem operations that trigger the vulnerable code path. No patch is currently available.
Linux kernel netfilter conntrack cleanup can hang indefinitely due to improper reference counting in IP fragmentation reassembly, where fraglist skbs retain nf_conn references that are never released. A local attacker with network namespace capabilities can trigger this denial of service condition, causing conntrack cleanup operations to become blocked. No patch is currently available for this medium-severity vulnerability.
The Linux kernel GPIO MPSSE driver fails to properly release USB device references during probe error handling, potentially leading to resource exhaustion and denial of service on systems using affected GPIO hardware. A local attacker with standard user privileges can trigger this leak by causing probe failures, eventually exhausting system resources and impacting system availability. No patch is currently available for this issue.
In the Linux kernel, the following vulnerability has been resolved: dmaengine: at_hdmac: fix device leak on of_dma_xlate() Make sure to drop the reference taken when looking up the DMA platform device during of_dma_xlate() when releasing channel resources.
CVE-2025-71190 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures.
In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw: dmamux: fix OF node leak on route allocation failure Make sure to drop the reference taken to the DMA master OF node also on late route allocation failures.
In the Linux kernel, the following vulnerability has been resolved: dmaengine: lpc18xx-dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation.
In the Linux kernel, the following vulnerability has been resolved: dmaengine: sh: rz-dmac: fix device leak on probe failure Make sure to drop the reference taken when looking up the ICU device during probe also on probe failures
In the Linux kernel, the following vulnerability has been resolved: dmaengine: stm32: dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation.
In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation Make sure to drop the reference taken when looking up the crossbar platform device during am335x route...
In the Linux kernel, the following vulnerability has been resolved: btrfs: always detect conflicting inodes when logging inode refs After rename exchanging (either with the rename exchange operation or regular renames in multiple non-atomic steps) two inodes and at least one of them is a directory, we can end up with a log tree that contains only of the inodes and after a power failure that can result in an attempt to delete the other inode when it should not because it was not deleted before the power failure.
In the Linux kernel, the following vulnerability has been resolved: can: j1939: make j1939_session_activate() fail if device is no longer registered syzbot is still reporting unregister_netdevice: waiting for vcan0 to become free.
In the Linux kernel, the following vulnerability has been resolved: counter: interrupt-cnt: Drop IRQF_NO_THREAD flag An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as CONFIG_PROVE_RAW_LOCK_NESTING warns: ============================= [ BUG: Invalid wait context ] 6.18.0-rc1+git...
Cleartext Storage of Sensitive Information vulnerability in OpenText™ Vertica allows Retrieve Embedded Sensitive Data. The vulnerability could read the Vertica agent plaintext apikey. This issue affects Vertica versions: 23.X, 24.X, 25.X.
Popcorn Time 6.2.1.14 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. [CVSS 7.8 HIGH]
Vendure versions up to 3.5.3 contains a vulnerability that allows attackers to enumerate valid usernames (email addresses) (CVSS 5.3).
After receiving a malformed 802.15.4 MAC Data Request the Zigbee Coordinator sends a ‘network leave’ request to Zigbee router resulting in the Zigbee Router getting stuck in a non-rejoinable state. If a suitable parent is not available, the end devices will be unable to rejoin.
Insufficient input validation in HIKSEMI NAS devices allows authenticated users to trigger denial of service conditions through malformed messages. An attacker with valid credentials can exploit this flaw to cause abnormal device behavior and availability disruptions without requiring user interaction. No patch is currently available to address this vulnerability.
Codriapp Innovation and Software Technologies Inc. HeyGarson is affected by error message information leak (CVSS 8.2).
Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log. [CVSS 3.2 LOW]
Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality. [CVSS 6.5 MEDIUM]
Vx800V Firmware contains a vulnerability that allows attackers to cause high impact to the confidentiality, integrity, and availability of transmitted data (CVSS 8.8).
Bhojon Restaurant Management System versions up to 20260116 contain a price manipulation vulnerability in the add-to-cart endpoint that allows authenticated attackers to bypass business logic controls. Public exploit code exists for this issue, and the vendor has not provided a patch despite early notification. While the direct impact is limited to price modification, this could enable financial fraud through order manipulation.
Bhojon versions up to 20260116 contain a vulnerability that allows attackers to trigger business logic errors (CVSS 4.3).
Improper authorization in Bdtask SalesERP's administrative endpoint allows authenticated attackers to manipulate the ci_session parameter and gain unauthorized access to restricted functions. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. Affected versions through January 16, 2026 enable remote exploitation by any user with valid credentials.
R PVI client versions up to 6.5 is affected by insertion of sensitive information into log file (CVSS 5.0).
Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order points of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability for both parties to obtain ...
SonarQube 8.3.1 contains an unquoted service path vulnerability that allows local attackers to gain SYSTEM privileges by exploiting the service executable path. [CVSS 7.8 HIGH]
Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. [CVSS 5.7 MEDIUM]
Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation. This issue affects QR Menu: before s1.05.12. [CVSS 5.7 MEDIUM]
Information disclosure in Dell OpenManage Network Integration versions before 3.9 stems from improper authentication controls that allow low-privileged remote attackers to access sensitive data. The vulnerability requires valid credentials but no user interaction, making it exploitable by authenticated users with minimal privileges. No patch is currently available for affected deployments.
Information disclosure and denial-of-service in TeamViewer DEX Client versions before 26.1 allows adjacent network attackers to trigger an out-of-bounds read via specially crafted packets, potentially leaking sensitive memory that could be leveraged to bypass ASLR protections. Affected Windows systems running the NomadBranch.exe content distribution service are vulnerable to attacks requiring only network proximity, with no authentication or user interaction needed.
Hidden functionality issue exists in multiple MFPs provided by Brother Industries, Ltd., which may allow an attacker to obtain the logs of the affected product and obtain sensitive information within the logs. [CVSS 5.3 MEDIUM]
Improper authorization in PHPGurukul Hospital Management System 1.0 allows authenticated attackers to manipulate the Admin Dashboard Page and gain unauthorized access to sensitive functionality. Public exploit code exists for this vulnerability, and no patch is currently available. The network-accessible flaw requires only valid credentials to exploit, enabling attackers to bypass access controls with low complexity.
Discourse is an open source discussion platform. [CVSS 7.5 HIGH]
During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. [CVSS 5.3 MEDIUM]
A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals. [CVSS 5.3 MEDIUM]
66biolinks v62.0.0 has a session fixation vulnerability where the application doesn't regenerate session IDs after authentication, enabling session hijacking.
Explorance Blue versions prior to 8.14.12 use reversible symmetric encryption with a hardcoded static key to protect sensitive data, including user passwords and system configurations. This approach allows stored values to be decrypted offline if the encrypted data are obtained. [CVSS 6.8 MEDIUM]
An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. [CVSS 4.3 MEDIUM]
The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. [CVSS 5.5 MEDIUM]
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause heap memory access after the memory is freed. [CVSS 7.8 HIGH]
NVIDIA Display Driver for Linux contains a vulnerability in the NVIDIA kernel module where an attacker could cause an integer overflow or wraparound. [CVSS 7.8 HIGH]
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. [CVSS 7.8 HIGH]
NVIDIA Display Driver for Windows contains a vulnerability where an attacker could trigger a use after free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. [CVSS 7.8 HIGH]
libsoup's HTTP redirect handling fails to strip Proxy-Authorization headers when requests are forwarded to different hosts, allowing proxy credentials to be exposed to unintended third-party servers. Applications relying on libsoup for HTTP communication are vulnerable to disclosure of sensitive proxy authentication data. No patch is currently available.
Linux kernel perf subsystem denial of service via improper hrtimer cleanup allows local users with standard privileges to cause a system crash when perf events are freed with active hrtimers still pending. The vulnerability stems from insufficient timer cancellation during event destruction, enabling resource exhaustion. No patch is currently available.
Vulnerable cross-model authorization in juju.
WP Adminify (WordPress plugin) versions up to 4.0.7.7 is affected by information exposure (CVSS 5.3).
its nordvpn-service contains a vulnerability that allows attackers to execute code with elevated privileges (CVSS 7.8).
Prey 1.9.6 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the CronService to insert malicious code that would execute during application startup or system reboot. [CVSS 7.8 HIGH]
Default credentials vulnerability exists in SuprOS product. If exploited, this could allow an authenticated local attacker to use an admin account created during product deployment.
Thunderbird's inline OpenPGP message decryption can leak secret email contents through CSS style injection when remote content loading is enabled, allowing attackers to extract decrypted plaintext via crafted email formatting. This affects Thunderbird versions before 147.0.1 and 140.7.1, requiring user interaction to trigger the vulnerability. No patch is currently available.
The RustCrypto ml-dsa crate versions 0.0.4 through 0.1.0-rc.3 incorrectly validate ML-DSA digital signatures by accepting duplicate hint indices that should be strictly increasing per the FIPS 204 specification, allowing attackers to forge valid signatures that should be rejected. This regression was introduced by a comparison operator change in version 0.0.4 and affects any application relying on this crate for signature verification. A patch is available in version 0.1.0-rc.4.
Clatter Noise protocol library has a broken cryptographic algorithm implementation that weakens post-quantum security guarantees in encrypted communications.
Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. [CVSS 8.2 HIGH]
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. [CVSS 6.5 MEDIUM]
Incorrect rounding in the mulDiv() function of soroban-fixed-point-math versions 1.3.0 and 1.4.0 allows attackers to manipulate fixed-point arithmetic results in Soroban smart contracts by exploiting sign handling when both the intermediate product and divisor are negative. This affects all signed FixedPoint implementations (i64, i128, I256) and could enable financial miscalculations or loss of funds in dependent contracts. A patch is available in versions 1.3.1 and 1.4.1.
Kargo's GetConfig() API endpoint fails to validate Bearer token authenticity, allowing unauthenticated attackers to retrieve sensitive configuration data including Argo CD cluster endpoints and namespaces that could facilitate further attacks. The same authentication bypass affects the RefreshResource endpoint, which can be leveraged for denial-of-service attacks. Versions 1.6.3, 1.7.7, and 1.8.7 and later include patches for this vulnerability.
Hono versions before 4.11.7 contain an information disclosure vulnerability in the static file serving middleware for Cloudflare Workers that allows unauthenticated remote attackers to read sensitive environment keys through path traversal. The lack of proper input validation enables attackers to access internal asset keys that should remain protected. A patch is available in version 4.11.7 and later.
Hono versions up to 4.11.7 contains a vulnerability that allows attackers to private or authenticated responses being cached and subsequently exposed to unau (CVSS 5.3).
Wasmtime versions 29.0.0 through 41.0.0 on x86-64 platforms with AVX contain an out-of-bounds memory read in the f64.copysign instruction compilation that can cause application crashes when signal-based traps are disabled. In configurations with disabled guard pages, this vulnerability could potentially leak out-of-sandbox data, though the data remains inaccessible to WebAssembly guests without additional Cranelift bugs. Patches are available in versions 36.0.5, 40.0.3, and 41.0.1.
OctoPrint versions up to 1.11.5 contain a timing attack vulnerability in API key validation that enables remote extraction of valid API keys through network-based response time analysis. An unauthenticated attacker with network access can exploit the character-by-character comparison method to gradually recover API keys by measuring authentication response delays. The attack's practicality depends heavily on network conditions, but a patch is available in version 1.11.6.
Suricata versions up to 8.0.3 contain a vulnerability that allows attackers to cause a slowdown over multiple packets (CVSS 5.3).
Suricata versions up to 8.0.3 contain a vulnerability that allows attackers to cause severe slowdowns (CVSS 3.7).
NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
Out-of-bounds memory read in Rinnegatamante lpp-vita before version r6 allows local attackers with user interaction to read sensitive data, modify memory, or crash the application. The vulnerability requires local access and user interaction to trigger, affecting the integrity and confidentiality of affected systems. No patch is currently available.