Information Disclosure

Wasmtime versions 29.0.0 through 41.0.0 on x86-64 platforms with AVX contain an out-of-bounds memory read in the f64.copysign instruction compilation that can cause application crashes when signal-based traps are disabled. In configurations with disabled guard pages, this vulnerability could potentially leak out-of-sandbox data, though the data remains inaccessible to WebAssembly guests without additional Cranelift bugs. Patches are available in versions 36.0.5, 40.0.3, and 41.0.1.

OctoPrint versions up to 1.11.5 contain a timing attack vulnerability in API key validation that enables remote extraction of valid API keys through network-based response time analysis. An unauthenticated attacker with network access can exploit the character-by-character comparison method to gradually recover API keys by measuring authentication response delays. The attack's practicality depends heavily on network conditions, but a patch is available in version 1.11.6.

Suricata versions up to 8.0.3 contains a vulnerability that allows attackers to slowdown over multiple packets (CVSS 5.3).

Suricata versions up to 8.0.3 contains a vulnerability that allows attackers to severe slowdowns (CVSS 3.7).

NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Out-of-bounds memory read in Rinnegatamante lpp-vita before version r6 allows local attackers with user interaction to read sensitive data, modify memory, or crash the application. The vulnerability requires local access and user interaction to trigger, affecting the integrity and confidentiality of affected systems. No patch is currently available.

SkyFire game server has improper pointer arithmetic enabling memory corruption.

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixray-team ixray-1.6-stcop.This issue affects ixray-1.6-stcop: before 1.3. [CVSS 3.7 LOW]

Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. [CVSS 5.9 MEDIUM]

A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response. [CVSS 5.3 MEDIUM]

Dell CloudBoost Virtual Appliance versions before 19.14.0.0 store sensitive passwords in plaintext, allowing authenticated remote attackers to retrieve credentials and escalate privileges. This vulnerability carries a high availability impact alongside confidentiality and integrity concerns, though exploitation requires substantial technical complexity. No patch is currently available.

Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files lparser.C.

Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files ldebug.C.

Out-of-bounds Read vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files lparser.C.

Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inftrees.C.

Out-of-bounds Read vulnerability in CloverHackyColor CloverBootloader (MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules). This vulnerability is associated with program files regparse.C.

Anythingllm versions up to 1.10.0 contains a vulnerability that allows attackers to complete compromise of the semantic search / retrieval functionality and indirec (CVSS 7.5).

The gix-date library's TimeBuf component can produce invalid UTF-8 strings that corrupt its internal safety mechanisms, triggering undefined behavior in downstream processing. This local privilege escalation vulnerability affecting gix-date has public exploit code available and can cause application crashes or unexpected behavior when a local attacker supplies malformed input. No patch is currently available to remediate this issue.

A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. [CVSS 3.3 LOW]

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. [CVSS 5.3 MEDIUM]

Tenda W30E firmware through V16.01.0.19(5037) is vulnerable to CORS misconfiguration that permits authenticated administrative endpoints to accept credentialed cross-origin requests from arbitrary origins. An authenticated attacker can exploit this vulnerability to perform unauthorized actions on affected devices by tricking administrators into visiting malicious web pages. No patch is currently available for this vulnerability.

Tenda W30E V2 firmware through V16.01.0.19(5037) exposes stored administrative passwords in plaintext on the management interface, allowing any authenticated user to retrieve credentials. This information disclosure affects administrative account security and could enable privilege escalation or lateral movement. No patch is currently available.

Shenzhen Tenda W30E V2 firmware through V16.01.0.19(5037) transmits administrative credentials in plaintext over unencrypted HTTP from the maintenance interface, allowing unauthenticated network attackers to intercept and obtain account credentials. Affected devices lack authentication requirements for accessing this interface, making credential theft trivial for anyone on the same network. No patch is currently available for this vulnerability.

Default credentials in Tenda W30E V2 router firmware through V16.01.0.19. Known default password enables full administrative access.

Tanium addressed an improper input validation vulnerability in Discover. [CVSS 2.7 LOW]

Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client. [CVSS 3.3 LOW]

Hiawatha versions up to 11.7 contains a vulnerability that allows attackers to request smuggling has been identified in Hiawatha webserver version 11 (CVSS 5.3).

Access control bypass in SpringBlade v4.5.0 importUser function allows low-privileged users to import sensitive user data and escalate privileges. PoC available.

An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, portfolio-item-service data retrieval module endpoints [CVSS 7.5 HIGH]

IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. [CVSS 7.8 HIGH]

The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface.

By default, the password for the Access Manager's web interface, is set to 'admin'. In the tested version changing the password was not enforced.

The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. [CVSS 8.8 HIGH]

The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration.

Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated.

The Access Manager is offering a trace functionality to debug errors and issues with the device. The trace functionality is implemented as a simple TCP socket.

Vulnerability in Altitude Authentication Service and Altitude Communication Server v8.5.3290.0 by Altitude, where manipulation of Host header in HTTP requests allows redirection to an arbitrary URL or modification of the base URL to trick the victim into sending login credentials to a malicious website.

Improper access controls in the UART interface of Beetel 777VR1 firmware (up to version 01.00.09) allow attackers with physical access to bypass authentication mechanisms, though exploitation requires high technical complexity. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

777Vr1 Firmware versions up to 01.00.09 contains a vulnerability that allows attackers to weak password requirements (CVSS 2.0).

A security flaw has been discovered in Beetel 777VR1 up to 01.00.09/01.00.09_55. This affects an unknown part of the component UART Interface. [CVSS 2.0 LOW]

A use-after-free vulnerability in Linux kernel DAMON subsystem allows local users with sysfs write permissions to trigger memory corruption by calling damon_call() against inactive contexts, causing dangling pointers in the call_controls list. An attacker could leverage this to achieve information disclosure or denial of service, though exploitation complexity is moderate due to permission requirements. The vulnerability currently lacks a patch and affects Linux kernel versions with the vulnerable DAMON code.

A use-after-free vulnerability in the Linux kernel's IPv6 address deletion function allows local attackers with user privileges to corrupt memory and potentially execute arbitrary code or cause a denial of service. The flaw occurs when ipv6_del_addr() is called prematurely before temporary address flags are read, leaving a dangling pointer reference. No patch is currently available for this high-severity vulnerability affecting Linux systems.

The Linux kernel's block layer fails to properly initialize non-protection information portions of auto-generated integrity buffers during write operations, allowing uninitialized memory containing sensitive data to be exposed to userspace or physical attackers with storage device access. This occurs when protection information is enabled with metadata sizes larger than the protection information tuple size, leaving the remainder uninitialized. Local attackers with appropriate permissions can read this uninitialized memory to leak kernel data.

The Linux kernel's IPv6 tunnel implementation fails to properly handle VLAN-encapsulated packets in __ip6_tnl_rcv(), allowing a local attacker with user privileges to cause a denial of service through uninitialized memory access. The vulnerability stems from using an insufficient packet validation function that does not account for VLAN headers, triggering kernel crashes during ECN decapsulation. No patch is currently available for this medium-severity issue affecting Linux systems.

A use-after-free vulnerability in the Linux kernel's macvlan driver allows local attackers with user privileges to cause memory corruption and potential privilege escalation through improper RCU synchronization in the macvlan_forward_source() function. The flaw stems from missing RCU protection when clearing vlan pointers during source entry deletion, enabling attackers to access freed memory structures. No patch is currently available for this HIGH severity vulnerability affecting Linux distributions.

All-in-One Dynamic Content Framework versions up to 1.1.27 is affected by information exposure (CVSS 4.3).

WP Directory Kit (WordPress plugin) versions up to 1.4.9 is affected by information exposure (CVSS 5.3).

The MetForm - Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minu...

Insufficient access controls in phpMyFAQ 4.0.16 and below expose sensitive information including user email addresses and non-public content through multiple API endpoints, allowing unauthenticated attackers to harvest data for phishing or access private records. Public exploit code exists for this vulnerability, and no patch is currently available. Upgrading to version 4.0.17 or later is required to remediate the exposure.

Hardcoded cryptographic key in Salesforce Marketing Cloud Engagement used across CloudPages, Forward to a Friend, Profile Center, and Subscription Center. Fourth critical Salesforce CVE.

Use of broken/risky cryptographic algorithm in Salesforce Marketing Cloud Engagement affecting CloudPages, Forward to a Friend, Profile Center, and Subscription Center components.

MyTube versions 1.7.78 and earlier allow authenticated users to bypass authorization controls and export the complete application database without proper permission validation. An attacker with guest-level access can retrieve sensitive data they are not authorized to access through the unprotected database export endpoint. A patch is available to address this authorization bypass vulnerability.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. [CVSS 7.5 HIGH]

A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. [CVSS 5.3 MEDIUM]

A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. [CVSS 5.3 MEDIUM]

Epson USB Display 1.6.0.0 contains an unquoted service path vulnerability in the EMP_UDSA service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in intermediate directories to gain elevated system access. [CVSS 7.8 HIGH]

LogonExpert 8.1 contains an unquoted service path vulnerability in the LogonExpertSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to place malicious executables in intermediate directories, potentially gaining elevated system access during service startup. [CVSS 7.8 HIGH]

In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. [CVSS 5.5 MEDIUM]

An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource. [CVSS 7.5 HIGH]

Cargus eCommerce versions 1.5.8 and earlier expose sensitive data in outbound communications due to improper information handling, allowing remote unauthenticated attackers to retrieve embedded sensitive information. The vulnerability requires no user interaction and carries a CVSS score of 5.3, though no patch is currently available.

The B Accordion WordPress plugin through version 2.0.0 exposes sensitive data in transmitted communications due to improper handling of embedded information. An authenticated attacker can intercept and retrieve this sensitive data, potentially compromising confidential information. No patch is currently available for this vulnerability.

CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot contains a security vulnerability (CVSS 5.4).

WEN Solutions Contact Form 7 GetResponse Extension contact-form-7-getresponse-extension contains a security vulnerability (CVSS 5.3).

Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers contains a security vulnerability (CVSS 4.3).

Omnipress through version 1.6.6 contains a local file inclusion vulnerability in its PHP program that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive files outside the intended directory. This vulnerability requires user interaction but poses significant risk to confidentiality with no available patch at this time.

Webpushr web push notification plugin versions 4.38.0 and earlier expose sensitive embedded system data to unauthorized parties through an information disclosure vulnerability. An unauthenticated remote attacker can retrieve this sensitive information without user interaction, potentially compromising system configuration details and credentials. No patch is currently available.

In the Linux kernel, the following vulnerability has been resolved: net: dsa: properly keep track of conduit reference Problem description ------------------- DSA has a mumbo-jumbo of reference handling of the conduit net device and its kobject which, sadly, is just wrong and doesn't make sense. [CVSS 7.8 HIGH]

An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. [CVSS 7.5 HIGH]

Elastic Cloud Storage versions up to 3.8.1.7 is affected by cleartext storage of sensitive information (CVSS 5.5).

Elastic Cloud Storage versions up to 3.8.1.7 is affected by inclusion of sensitive information in source code (CVSS 4.4).

Elastic Cloud Storage versions up to 3.8.1.7 is affected by cleartext transmission of sensitive information (CVSS 6.5).

Privilege escalation in Dell ECS 3.8.1.0-3.8.1.7 and ObjectScale prior to 4.2.0.0 stems from hardcoded default credentials in the operating system that a remote authenticated attacker can leverage to gain elevated privileges. An attacker with low-level access can exploit this vulnerability to achieve full system compromise including confidentiality, integrity, and availability impacts. No patch is currently available for affected versions.

Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. [CVSS 4.3 MEDIUM]

Elastic Cloud Storage versions up to 3.8.1.7 is affected by cleartext transmission of sensitive information (CVSS 7.5).

IAQS and I6 systems by JNC have a client-side enforcement vulnerability allowing unauthenticated attackers to bypass security controls and access server functionality.

Hibernate's InlineIdsOrClauseBuilder is vulnerable to second-order SQL injection when processing non-alphanumeric characters in ID columns, allowing authenticated attackers to read sensitive data, modify database contents, or cause denial of service. The vulnerability requires low privileges and network access with no user interaction, making it exploitable by remote attackers with valid credentials. No patch is currently available.

8180 Ip Audio Alerter Firmware versions up to 5.5 contains a vulnerability that allows attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio A (CVSS 7.5).

The ALGO 8180 IP Audio Alerter web interface improperly exposes authentication cookies in HTTP response bodies, enabling unauthenticated remote attackers to steal sensitive credentials and gain unauthorized access to affected devices. This information disclosure vulnerability requires no authentication or user interaction to exploit and affects the device's web-based management interface. No patch is currently available for this vulnerability.

Open WebUI transmits authentication credentials in cleartext over the network, enabling adjacent attackers to intercept and obtain sensitive information without authentication. This information disclosure vulnerability can facilitate unauthorized access and further compromise of affected systems. No patch is currently available.

An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values.

M365 Copilot has an input validation vulnerability allowing unauthorized attackers to extract sensitive information through crafted prompts over the network.

Information disclosure in Microsoft 365 Word Copilot enables unauthenticated attackers to extract sensitive data through improper handling of escape and control sequences in network communications. The vulnerability requires user interaction to trigger and affects the Copilot AI/ML service with a CVSS score of 7.4. No patch is currently available.

An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks. [CVSS 6.1 MEDIUM]

Gitea's notification API fails to re-validate repository access permissions when retrieving notification details, allowing users with revoked access to private repositories to continue viewing issue and pull request titles through cached notifications. An authenticated attacker can exploit this to maintain visibility into sensitive repository content after their access has been removed. A patch is available.

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges.

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. [CVSS 5.3 MEDIUM]

Dell PowerScale OneFS versions before 9.13.0.0 fail to adequately log security events, allowing unauthenticated remote attackers to tamper with information without leaving a detectable audit trail. The insufficient logging mechanism prevents administrators from identifying unauthorized modifications to system data. No patch is currently available for this medium-severity vulnerability.

POSIMYTH Nexter Blocks the-plus-addons-for-block-editor contains a security vulnerability (CVSS 7.5).

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Retrieve Embedded Sensitive Data.This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1. [CVSS 6.5 MEDIUM]