Information Disclosure
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.
How It Works
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.
Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.
The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
Impact
- Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
- Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
- Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
- Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
- Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures
Real-World Examples
A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.
Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.
Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.
Mitigation
- Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
- Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
- Access control audits: Restrict or remove development artifacts (
.git, backup files,phpinfo()) and internal endpoints before deployment - Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
- Security headers: Deploy
X-Content-Type-Options, remove server version banners, and disable directory indexing - Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
Recent CVEs (66673)
Improper certificate trust validation in Systerel S2OPC allows remote attackers to have well-formed but untrusted X.509 certificates accepted as trusted, undermining the OPC UA secure channel authentication model. CVSS 7.3 reflects network-reachable, unauthenticated exploitation with low impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The flaw is reported by GitLab and tracked in Systerel's public issue tracker, with no CISA KEV listing.
Arbitrary symlink creation in Debusine's mergeuploads task allows remote unauthenticated attackers to overwrite files accessible to the worker process. Affected versions 0.12.0 through 0.14.8 fail to sanitize fully user-controlled paths embedded in Debian manifest files (.dsc and .changes), enabling path traversal via CWE-59 link-following. Despite a CVSS network-accessible, no-auth vector, real-world risk is bounded by deployment context - exploitation requires the ability to submit packages to a Debusine instance. No public exploit identified at time of analysis and EPSS sits at 0.02% (4th percentile).
Off-path DNS response spoofing in NLnet Labs ldns 1.2.0 through 1.9.0 allows remote attackers to inject forged answers into applications that use the library as a UDP stub resolver, including the bundled drill tool. The library fails to validate the response source address/port, the query transaction ID, and the question section against the original query, making cache and answer poisoning feasible without on-path positioning. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.2 reflects high integrity impact on any downstream application that trusted ldns to validate DNS answers.
CA root certificate exposure in Dahua IPC devices allows unauthenticated network-based attackers, under specific prerequisite conditions, to retrieve the device's internal CA root certificate. If the obtained certificate is installed and trusted on client systems, the attacker could leverage it to issue fraudulent certificates recognized as valid by those clients, collapsing the integrity of affected certificate trust chains. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the CVSS 4.0 score of 2.3 reflects the multi-step, user-dependent nature of the full attack chain.
External control of assumed-immutable web parameters in QNAP NAS software enables remote unauthenticated attackers to achieve low-integrity impact by manipulating parameters the application treats as unmodifiable. The vulnerability requires active user interaction to trigger, limiting opportunistic exploitation. QNAP has released a fix per advisory QSA-26-10; no public exploit code or CISA KEV listing has been identified at time of analysis.
High-severity information disclosure flaw in QNAP QTS NAS operating system versions 5.2.0 through 5.2.7.3256 build 20250913 allows remote unauthenticated attackers to obtain sensitive data over the network with low attack complexity, per CVSS v4.0 vector AV:N/AC:L/PR:N/UI:N rating 9.2. The vendor has released a fix, and notably QuTS hero is explicitly unaffected. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Out-of-bounds read in ESP-IDF's BlueDroid AVRCP vendor-command parser allows adjacent Bluetooth attackers with low privileges to leak device memory and degrade availability across multiple ESP-IDF stable branches. Versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0 are confirmed affected via the Espressif GitHub security advisory. The parser's failure to validate payload length before dereferencing the buffer pointer enables a malformed AVRCP vendor command to read beyond allocated memory, yielding partial confidentiality loss and potential stack instability. No public exploit code exists and this CVE is not in CISA KEV at time of analysis.
Information disclosure in Espressif ESP-IDF 5.5.4 and 6.0 allows local code in the Rich Execution Environment (REE) to leak TEE-protected memory by passing crafted pointer arguments to ESP-TEE secure-service wrappers. Because TEE hardware peripherals (ECC, SHA, SPI) run in RISC-V M-mode with full address-space access, attackers can coerce them to read from TEE-exclusive memory and return raw bytes, computed functions, or single-bit oracles enabling incremental disclosure of sensitive material. No public exploit identified at time of analysis; vendor-released patches exist in 5.5.5 and 6.0.1.
Privilege escalation from REE to TEE in Espressif ESP-IDF 5.5.4 and 6.0 lets a low-privileged user-application caller abuse esp_tee secure-service wrappers (AES, SHA, ECC, HMAC, SPI, MMU, WDT, attestation, OTA, secure storage) due to insufficient buffer-range validation in esp_secure_services.c and esp_secure_services_iram.c. EPSS is 0.02% and there is no public exploit identified at time of analysis, but technical impact is total because the flaw lets REE code reach TEE-protected hardware peripherals and security services.
Out-of-bounds read in ESP-IDF's embedded DHCP server crashes or exposes heap memory on ESP32 devices operating in SoftAP or DHCP server mode. The `parse_options()` function in the bundled lwIP DHCP server component walks BOOTP/DHCP option TLV fields without validating that each option's declared length stays within the received packet buffer, allowing an adjacent-network unauthenticated attacker to trigger a device crash by sending a single crafted DHCP request. Five active release branches are affected (5.2.x through 6.0.x); vendor-released patches are available across all branches. No public exploit code or CISA KEV listing has been identified at time of analysis.
Denial-of-service in Nimiq core-rs-albatross (Rust implementation of the Albatross Proof-of-Stake consensus) prior to version 1.4.0 allows a malicious DHT node to suppress all valid DHT GET responses for a query by being the first to reply with an unverifiable record. Because the DhtResults accumulator is only created after the first record passes verification, a single bad first response causes subsequent valid records to be discarded as 'DHT inconsistent state', breaking peer/validator discovery. No public exploit identified at time of analysis, but the patch and full root cause are public in PR #3707.
Incomplete macro-block state synchronization in Nimiq core-rs-albatross LightBlockchain allows a network-accessible attacker to permanently stall a light client's chain progression by triggering a rebranch to a fork whose tip is a macro (checkpoint or election) block. Affected are all deployments of the Rust Albatross light client prior to v1.4.0. When exploitation targets an election block specifically, the stale current_validators pointer causes every subsequent push() call to fail verify_validators(), rendering the light client unable to advance its chain. No public exploit identified at time of analysis, though the exact fix is visible in merged PR #3706 and the triggering conditions are fully described in the advisory.
Indefinite future hang (denial of service) in Nimiq core-rs-albatross's network-libp2p component allows any remote peer to cause DHT get-record callers to block forever by returning a record that fails signature or structural verification. The root cause is improper error handling in handle_dht_get (swarm.rs): on verifier failure or subsequent inconsistent-state transitions, the oneshot channel used by Network::dht_get is never completed and per-query bookkeeping is never cleaned up, leaving the awaiting caller suspended without a timeout. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV. The issue is patched in version 1.4.0.
Spring Data REST leaks persistence-layer internals - including database schema details, Hibernate/JPA exception messages, and query structures - by serializing the full exception cause chain directly into HTTP error response bodies. All five active release lines are affected (3.7.x, 4.3.x, 4.4.x, 4.5.x, and 5.0.x), and the CVSS vector confirms unauthenticated remote exploitation against default configurations with no user interaction required. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the zero-friction access conditions make any network-exposed Spring Data REST deployment a realistic target for automated reconnaissance that could enable follow-on, more damaging attacks.
Improper input validation in Spring for Apache Kafka's non-blocking retry topic infrastructure allows an authenticated network producer to disrupt message processing availability across multiple major version lines. By injecting a crafted `retry_topic-attempts` header with an out-of-range integer value, an attacker causes the retry topic router to misidentify the message's position in the retry sequence, producing high availability impact (A:H per CVSS). Affected deployments span Spring for Apache Kafka 2.8.x through 4.0.x. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Improper certificate validation in Spring AMQP allows a network-positioned attacker to perform a man-in-the-middle attack against applications that configure broker connections via RabbitConnectionFactoryBean.setUri("amqps://...") without explicitly calling setUseSSL(true). Affected are Spring AMQP versions 2.4.0 through 4.0.3 across four release lines. Although TLS encryption is established, the absence of certificate chain validation and hostname verification means a rogue broker can impersonate the legitimate RabbitMQ instance, exposing message content in transit. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.
Predictable correlation IDs in Spring AMQP's RabbitTemplate.sendAndReceive() expose request-reply messaging to correlation hijacking when a fixed reply queue is configured. Affected are all widely used Spring AMQP branches from 2.4.x through 4.0.x - a broad install base across Java enterprise applications. A network-positioned attacker with high privileges can exploit the sequential counter to predict future correlation IDs, enabling interception or injection of reply messages into the shared fixed reply queue. No public exploit code exists and this vulnerability is not listed in CISA KEV; CVSS 4.4 Medium reflects real-world limitations from high privilege and complexity requirements despite the changed scope indicator.
Boolean-based blind query injection in Spring Data Relational (JDBC and R2DBC) allows remote unauthenticated attackers to infer database contents by supplying wildcard characters to Query By Example (QBE) endpoints using StringMatcher modes STARTING, ENDING, or CONTAINING. The root cause is insufficient escaping of externally-controlled binding values before they reach the underlying query logic. No public exploit or CISA KEV listing has been identified at time of analysis, but the network-accessible, no-authentication-required attack surface makes this a meaningful exposure for any Spring Data application that exposes QBE search functionality.
Regex parameter binding in Spring Data MongoDB's @Query annotation fails to sufficiently quote user-supplied strings, enabling NoSQL injection that can manipulate query semantics. Unauthenticated remote attackers (PR:N, AV:N) who can influence the bound parameter in applications using this pattern may break out of the intended regular expression context to retrieve unintended documents, resulting in high-impact confidentiality compromise. No confirmed active exploitation or public exploit code has been identified at time of analysis; the CVSS Attack Complexity of High reflects a dependency on a specific application-level coding pattern.
Decryption oracle exposure in Spring Security's SAML module allows unauthenticated remote attackers (PR:N, AV:N per CVSS) to submit crafted SAML Responses, LogoutRequests, and LogoutResponses to a Service Provider endpoint and leverage the SP's private key for decryption without presenting a valid XML signature. Affected deployments span Spring Security 5.7.x through 7.0.x that use SAML-based SSO or Single Logout. No public exploit has been identified at time of analysis and EPSS data was not provided, but the attack class (XML encryption oracle) is well-documented in SAML security research and carries meaningful risk in identity-sensitive environments.
Absolute path traversal (CWE-36) in Silverpeas through 6.4.6 allows authenticated remote users to read arbitrary files from the server filesystem by exploiting the 'Personal space' fallback path in the FileServer servlet, activated when no componentId parameter is supplied. The CVSS vector confirms network-reachable, low-complexity exploitation requiring only low-privilege credentials, with high confidentiality impact and no integrity or availability loss. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Metadata injection in Frappe LMS prior to version 2.53.0 enables authenticated users to embed crafted content into user-editable fields that, when reflected in page metadata, silently redirects visiting users' browsers to an attacker-controlled URL. Exploitation requires a low-privilege account (PR:L) and passive victim interaction (UI:P) - a target must visit a page containing the poisoned content. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; its CVSS 4.0 score of 2.1 reflects genuinely low severity, though the redirect capability carries downstream phishing and credential-harvesting risk.
Denial-of-service in FlashMQ MQTT broker prior to version 1.26.2 allows any authenticated (low-privilege) connected client to crash the entire broker process by deliberately exceeding the permitted write buffer over-commit threshold. The crash occurs because the resulting internal safeguard exception is raised in a C++ destructor code path during stack unwinding - a context where exceptions cannot be caught - forcing a call to std::terminate() and aborting the server. No public exploit has been identified at time of analysis, but exploitation requires only valid MQTT credentials, making this a realistic risk for any FlashMQ deployment with untrusted or semi-trusted client populations.
Use-after-free in Cloud Hypervisor versions 21.0 through 51.1 allows a malicious guest VM to corrupt host memory in the cloud-hypervisor VMM process by racing duplicate virtio-block descriptor chains against the host's asynchronous I/O completion path. The flaw carries a CVSS 4.0 score of 8.9 with high impact on both the affected VMM and subsequent system scope, indicating a credible VM escape primitive. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
MongoDB Server leaks SASL authentication credentials into plaintext server logs when connection health metric logging is enabled, exposing database passwords to any local actor with log file read access. The flaw (CWE-532) affects all versions per the available CPE data and was self-disclosed by MongoDB, indicating a vendor-acknowledged issue without a confirmed patch version at time of analysis. A low-privileged local attacker who can read the MongoDB log directory can harvest credentials and authenticate directly to the database - no public exploit exists at time of analysis, and it is not listed in the CISA KEV catalog.
Information disclosure in MongoDB Server allows authenticated users holding the read role to obtain small amounts of uninitialized stack memory by submitting specially-crafted filemd5 commands. The flaw stems from CWE-457 (Use of Uninitialized Variable) in the filemd5 command handler, and while no public exploit has been identified at time of analysis, the low attack complexity and network reachability make it a credible insider/credential-theft risk against MongoDB databases.
Plaintext credential exposure in MongoDB Server allows a local authenticated attacker to retrieve the LDAP query password from log files. When an administrator uses the runtime setParameter command to configure the ldapQueryPassword parameter, MongoDB writes the new password value to mongod.log in cleartext. Any local user with read access to the log file - a broad class on many deployments - can silently capture these credentials and use them to authenticate against or query the connected LDAP directory. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pipelines that use the internal $exchange stage with key-range partitioning and order-preserving delivery. When a single key range fills its consumer buffer, the high watermark is not updated correctly, leading to a reachable assertion (CWE-617) and likely process termination. No public exploit identified at time of analysis.
Environment and debug-mode tampering in symfony/runtime (5.4.46-5.4.51, 6.4.14-6.4.39, 7.1.7-7.4.11, 8.0.0-8.0.11) lets an unauthenticated remote attacker flip APP_ENV and toggle APP_DEBUG via a crafted GET query string, bypassing the fix for CVE-2024-50340. The prior patch gated the argv read on empty($_GET), but because parse_str() and the web SAPI parse the raw query differently, an attacker can craft input that leaves $_GET empty while $_SERVER['argv'] still carries --env/--no-debug flags. No public exploit is listed in KEV, though the vendor commit ships a working proof-of-concept test case; EPSS is low at 0.10%.
Sensitive information disclosure in MongoDB Server affects deployments using Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) when issuing $vectorSearch aggregation queries. Due to a flaw in client-side query analysis, literal values intended for encrypted fields inside $vectorSearch filter expressions are transmitted to the server as plaintext instead of ciphertext, defeating the confidentiality guarantee of client-side encryption. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Out-of-bounds read in Adobe Acrobat Reader versions 24.001.30365 and 26.001.21651 and earlier exposes sensitive memory contents to an attacker who can deliver a malicious PDF to a victim. The CVSS vector (AV:L/AC:L/PR:N/UI:R) confirms low complexity with no privilege prerequisite, but requires local file execution - the victim must open the crafted document. Confidentiality impact is rated High (C:H) with no integrity or availability consequence, making this a targeted information disclosure risk with no public exploit identified at time of analysis and no CISA KEV listing.
Out-of-bounds read in Adobe Acrobat Reader versions 24.001.30365 and 26.001.21651 and earlier enables sensitive memory disclosure when a victim opens a specially crafted file. The vulnerability (CWE-125) exposes potentially high-value in-memory data - including heap addresses or document contents - but cannot be leveraged for code execution or system modification based on available data. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, though the vendor-confirmed advisory (APSB26-63) establishes this as a real, patched issue.
Out-of-bounds read in Adobe Acrobat Reader exposes sensitive process memory when a victim opens a specially crafted PDF file. Affected versions include 24.001.30365, 26.001.21651, and all earlier releases across both tracks. The vulnerability carries a high confidentiality impact (C:H) with no integrity or availability consequence, making it a targeted information disclosure primitive rather than a code execution path. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Arbitrary file system read in Adobe Dreamweaver Desktop 21.7 and earlier allows a local attacker to access sensitive files and directories outside the application's intended access scope by convincing a victim to open a specially crafted malicious file. The changed scope (S:C) in the CVSS vector confirms the impact extends beyond Dreamweaver's own security context - read access can reach OS-level files, credentials, or configuration data. No public exploit has been identified and this vulnerability is not listed in CISA KEV, placing it in a targeted rather than opportunistic threat profile.
Information disclosure in Pure Storage FlashArray Purity (versions 6.5.0-6.5.8 and 6.10.0-6.10.5) allows an authenticated low-privileged user to retrieve sensitive data via insufficiently filtered data paths. The flaw carries a CVSS 4.0 score of 8.7 with high confidentiality, integrity, and availability impact, but SSVC indicates no public exploitation and the attack is not automatable. No public exploit has been identified at the time of analysis.
Hardcoded credentials and default-enabled telnet on the Shenzhen Kangda Xin DR300 router (firmware 2.1.2.121) allow remote unauthenticated attackers to gain full administrative access over both WAN and LAN interfaces. With CVSS 9.8 and SSVC indicating proof-of-concept exploit code with total technical impact, attackers can read/write device memory, modify flash-resident firmware, and enumerate connected devices and active connections. No CISA KEV listing exists, but publicly available exploit code exists and the issue is automatable.
Weak password encoding in Dell Client Platform BIOS (CWE-261) exposes BIOS credentials to recovery by a physically present unauthenticated attacker, enabling privilege escalation through unauthorized BIOS access. Affected hardware spans ruggedized Latitude field devices, Precision workstation towers and racks, and Edge/Embedded Gateway platforms - product categories frequently deployed in physically accessible or unattended environments. No public exploit code exists and no active exploitation has been identified at time of analysis, but the combination of credential recoverability and high-confidentiality/high-integrity CVSS impact makes patching a priority for organizations managing assets in low-physical-security locations.
Arbitrary file write in Dell/Alienware Purchased Apps versions prior to 1.1.32.0 is achievable by a low-privileged local attacker through a link-following (CWE-59) flaw, enabling overwrite of files at elevated privilege levels and resulting in high integrity and availability impact. The CVSS vector (AV:L/AC:H/PR:L) confirms local access with high attack complexity is required, suggesting exploitation likely involves a race condition or carefully staged symlink placement. No active exploitation is confirmed (not in CISA KEV), and a vendor-released patch is available at version 1.1.32.0.
Out-of-bounds read in Adobe InDesign Desktop versions 21.3 and 20.5.3 (and earlier) exposes sensitive process memory when a victim opens a specially crafted document file. The vulnerability carries a high confidentiality impact (CVSS C:H) with no integrity or availability impact, making it a targeted information-disclosure primitive - useful for memory leak-assisted exploitation chains or direct leakage of in-memory content such as document data, credentials, or heap pointers. No public exploit code has been identified and this CVE does not appear in CISA KEV at time of analysis, but its social-engineering-friendly delivery mechanism (malicious file open) makes it a realistic phishing vector against creative industry targets who routinely handle external InDesign files.
Local privilege escalation in Microsoft PC Manager allows an authenticated low-privileged user on Windows to gain higher privileges by abusing symbolic link or junction resolution before file access. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the high CVSS (7.8) reflects full confidentiality, integrity, and availability impact once exploited. Microsoft has issued a fix through its Security Response Center advisory.
Account takeover in LimeSurvey is possible through host header injection in the forgotten-password workflow, where reset links are built from the client-supplied HTTP Host header without validation. Remote unauthenticated attackers who know a target's username and email can submit a password-reset request with a spoofed Host header, causing LimeSurvey to email the victim a reset link pointing to an attacker-controlled host while still embedding the valid reset token. Reported by VulnCheck with publicly available exploit code exists via the vendor PR diff, though no public exploit identified at time of analysis in CISA KEV.
Arbitrary file write in Dell Inventory Collector Client versions prior to 13.8.0 allows a low-privileged local attacker to overwrite files outside the intended write path by exploiting improper symbolic or hard link resolution. The vulnerability (CWE-1386) arises when the client resolves a link to an unintended target before performing a file access operation, enabling an attacker to redirect writes to attacker-controlled locations. No public exploit has been identified at time of analysis and CISA KEV confirmation is absent, but the high integrity and availability impact (CVSS I:H/A:H) means successful exploitation could corrupt system files or cause denial of service.
Improper access control in the IOMMU register interface on AMD EPYC server processors allows a high-privileged local attacker to induce non-coherent memory accesses by the AMD Secure Processor (ASP), resulting in loss of system integrity beyond the directly compromised component. Affected processor families span EPYC 8004, 9004, and 9005 series - including embedded variants - covering AMD's current-generation server and embedded datacenter platforms. No public exploit code and no CISA KEV listing exist at time of analysis, but the elevated subsequent integrity impact (SI:H in CVSS 4.0) signals meaningful security boundary degradation, particularly relevant for confidential computing and virtualized environments where ASP integrity is foundational.
Information disclosure in Microsoft Windows NTLM authentication allows remote unauthenticated attackers to obtain sensitive data and conduct network spoofing attacks against affected Windows 10, Windows 11, and Windows Server installations. The flaw carries a CVSS 7.5 (high) rating due to high confidentiality impact with no privileges or user interaction required, though EPSS exploitation probability is low at 0.08% and no public exploit identified at time of analysis. Microsoft has released patches through MSRC for all affected SKUs.
Arbitrary file deletion in Hermes WebUI before v0.51.303 allows a low-privileged local attacker to remove files outside the configured workspace boundary by exploiting a TOCTOU race condition in the git_discard function of api/workspace_git.py. An attacker who controls a workspace path component can swap it for a symlink in the narrow window between safe_resolve_ws() validation and the raw shutil.rmtree or Path.unlink deletion call, causing the delete operation to follow the symlink and destroy arbitrary files on the host. No public exploit has been identified at time of analysis and active exploitation is not confirmed (not in CISA KEV); a vendor-released patch in v0.51.303 closes the validation-to-use window.
Out-of-bounds read in the Windows Desktop Window Manager (DWM) Core Library exposes sensitive memory contents to locally authenticated, low-privileged attackers on Windows 11 and Windows Server 2025. The flaw (CWE-125) allows a standard user to read beyond an allocated buffer boundary within the DWM process, resulting in high-confidence information disclosure with no integrity or availability impact. Microsoft has released patches covering all affected build ranges; no public exploit code has been identified at time of analysis.
Local privilege escalation in Windows Narrator Braille component allows an authenticated low-privileged user to gain elevated privileges by exploiting an untrusted search path (CWE-426). The flaw affects the accessibility subsystem on Windows and was reported directly by Microsoft (secure@microsoft.com); no public exploit identified at time of analysis. With CVSS 7.8 and full CIA impact on the local host, successful exploitation grants the attacker code execution at a higher privilege context than they started with.
Local privilege escalation in Microsoft Windows Storage allows an authorized low-privilege user to gain higher privileges through an untrusted search path weakness (CWE-426). The flaw requires existing local access and a successful race or environmental manipulation, reflected in the high attack complexity. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Information disclosure in Visual Studio Code versions 1.0.0 through 1.123.0 allows an unauthenticated remote attacker to exfiltrate sensitive information over a network by inducing user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H) indicates that while no authentication or elevated complexity is required on the attacker's side, the victim must perform some interaction to trigger the exposure - likely opening a malicious file, workspace, or following a crafted link within the IDE environment. No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact and zero-privilege requirement make this a meaningful risk for developer workstations handling secrets, tokens, or source code.
Local privilege escalation in Microsoft Defender for Endpoint for Mac (versions 101.0.0 through 101.26042.0010) allows an authenticated local attacker to win a time-of-check/time-of-use race and gain elevated privileges on the host. No public exploit identified at time of analysis, and EPSS is very low (0.05%), but SSVC rates technical impact as 'total' because successful exploitation yields full compromise of the endpoint security agent.
Spoofing via improper input validation affects Microsoft Azure Attestation service and the Device Health Attestation Service component across a broad range of Windows OS versions, from Windows Server 2012 through Windows Server 2025 and Windows 10/11. An authorized attacker with high privileges and physical access to the target device can manipulate attestation inputs to spoof device health or platform integrity status, achieving a high-integrity impact with no confidentiality or availability consequence. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; the CVSS score of 3.9 (Low) reflects the significant physical and privilege barriers to exploitation.
Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows remote unauthenticated attackers to read out-of-bounds memory over the network, potentially exposing sensitive data from the RDP service process. The flaw is reachable without authentication or user interaction across any exposed RDP endpoint, and no public exploit identified at time of analysis. Microsoft has assigned the issue a CVSS 3.1 score of 7.5 reflecting high confidentiality impact with no integrity or availability effect.
Out-of-bounds read in the Windows DHCP Server service enables a locally authenticated, low-privileged attacker to disclose contents of process memory on affected systems. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms this is a local, low-complexity attack requiring only standard user privileges - no elevated rights or user interaction needed. Exploitation is constrained to hosts where the Windows DHCP Server role is actively installed and running, which significantly limits the attack surface to designated infrastructure servers rather than general workstations. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Out-of-bounds read in Windows DHCP Server exposes adjacent memory contents and can crash the service, yielding both information disclosure and a high-severity denial-of-service condition on affected Windows systems. The flaw (CWE-125) is exploitable locally with low attack complexity and no user interaction, targeting systems where the DHCP Server role is installed across a broad range of Windows 10, 11, and Server editions from 2012 through 2025. No public exploit has been identified at time of analysis, and Microsoft has released patched builds via the MSRC update guide (CVE-2026-45608).
Local code execution in Microsoft Windows Hyper-V allows an authenticated low-privilege attacker to run arbitrary code on the host via an out-of-bounds read (CWE-125) in the hypervisor. The flaw affects a broad swath of Windows 10, Windows 11, and Windows Server builds running Hyper-V, and Microsoft has released patches. No public exploit identified at time of analysis and EPSS is very low (0.06%), but SSVC technical impact is rated total.
Out-of-bounds read in Microsoft's UxTheme Library (uxtheme.dll) enables a locally authenticated attacker to crash the affected Windows system, resulting in denial of service. The vulnerability spans a broad swath of Windows releases - from Server 2012 through Windows 11 26H1 and Windows Server 2025 - making patch surface management critical for enterprise environments. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Out-of-bounds read in the Windows Application Identity (AppID) Subsystem exposes sensitive kernel or process memory to a local authenticated attacker without requiring elevated privileges or user interaction. Affected builds span Windows 11 versions 23H2 through 26H1 and Windows Server 2025, including Server Core installations. No public exploit code has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the high confidentiality impact (CVSS C:H) indicates meaningful data exposure potential when triggered.
Local privilege escalation in Microsoft Windows Kernel-Mode Drivers allows an authenticated low-privileged user to elevate to SYSTEM via a type confusion (CWE-843) flaw. The vulnerability carries a CVSS 7.8 (High) with low attack complexity and no user interaction once local access is obtained, though no public exploit identified at time of analysis. Reported by Microsoft's MSRC, this fits the recurring pattern of Windows kernel driver EoP bugs frequently abused in post-compromise stages.
Local privilege escalation in Microsoft Windows UI Automation Manager (uiamanager.dll) enables authenticated low-privileged users to gain higher privileges by exploiting a race condition in concurrent resource access. The flaw was reported by Microsoft's own security team (secure@microsoft.com) and has no public exploit identified at time of analysis, though the CVSS 7.0 score reflects high impact on confidentiality, integrity, and availability once successfully triggered.
Information disclosure in the Windows Application Identity (AppID) Subsystem exposes sensitive data to locally authenticated, low-privileged attackers across a broad range of Windows 10, Windows 11, and Windows Server versions. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms that exploitation requires only a local session with standard user privileges - no elevated rights or user interaction needed. No public exploit code or CISA KEV listing has been identified at time of analysis, but the wide affected surface spanning consumer and server SKUs makes patching a meaningful priority in multi-user or shared-system environments.
Local privilege escalation in Windows Collaborative Translation Framework permits an authorized low-privileged user to gain elevated rights on affected Windows systems by abusing improper symbolic link resolution before file access. The flaw yields high confidentiality, integrity, and availability impact (CVSS 7.8) but requires existing local access. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows Program Compatibility Assistant (PCA) Service affects supported Windows 10, Windows 11, and Windows Server 2022/2025 builds through a TOCTOU race condition (CWE-367). An authenticated local attacker who wins the race window can elevate from a standard user context to higher privileges with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.05%), but Microsoft has released patches across all affected branches.
Out-of-bounds read in Microsoft Office and SharePoint Server exposes low-level memory contents to a local attacker when a victim opens a crafted document. Affected products span Microsoft 365 Apps for Enterprise, Office 2016/2019/LTSC 2021/2024, Office for Mac variants, and SharePoint Server 2016/2019/Subscription Edition - all at version 16.0.x baselines. The CVSS score of 3.3 (Low) reflects constrained impact: confidentiality is only partially affected, integrity and availability are untouched, and exploitation requires both local access and user interaction. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Local code execution in Microsoft Office Word is possible through an untrusted pointer dereference (CWE-125 out-of-bounds read) that an attacker can trigger by convincing a user to open a malicious document. The CVSS 7.8 vector (AV:L/AC:L/PR:N/UI:R) reflects high impact to confidentiality, integrity, and availability once the booby-trapped file is opened, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds read in Microsoft Excel exposes limited memory contents to a local attacker when a user opens a specially crafted workbook. Affected product lines span Excel 2016, Office 2019, Office LTSC 2021/2024, Microsoft 365 Apps for Enterprise, Office Online Server, and multiple Mac variants. With a CVSS score of 3.3 (Low), no public exploit identified at time of analysis, and no CISA KEV listing, this is a low-urgency information disclosure issue - though a notable conflict exists between the description's claim of network-based disclosure and the CVSS AV:L (local) vector that warrants verification against the vendor advisory.
Information disclosure in Microsoft Office Excel allows remote unauthenticated attackers to read out-of-bounds memory over a network, potentially exposing sensitive data from process memory. The CVSS 8.2 score reflects high confidentiality impact with no authentication or user interaction required per the CVSS vector. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Out-of-bounds read in Microsoft Office triggers local information disclosure when a victim opens a crafted document, exposing adjacent memory contents with high confidentiality impact. The vulnerability spans a wide product surface including Office 2016 through LTSC 2024, Microsoft 365 Apps for Enterprise, multiple SharePoint Server versions, and Mac variants, as confirmed by EUVD-2026-35664. No public exploit or CISA KEV listing is identified at time of analysis; vendor-released patches are available across affected product lines.
Local code execution in Microsoft Office Excel stems from an integer underflow condition that can be triggered when a victim opens a malicious spreadsheet, leading to out-of-bounds memory access (CWE-125). The flaw requires user interaction but no prior authentication on the target, and no public exploit identified at time of analysis. With a CVSS of 7.8 (high) and the typical phishing-friendly delivery model of Office files, this fits the profile of a document-based client-side RCE primitive.
Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) that an authenticated low-privilege user can win to gain higher privileges on the host. The CVSS 7.8 score with Scope:Changed indicates successful exploitation crosses a security boundary, impacting confidentiality, integrity, and availability of resources beyond the vulnerable component. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Local privilege escalation in Microsoft Winlogon allows authenticated low-privileged users to gain elevated (SYSTEM-level) privileges by abusing improper link resolution before file access. The flaw is rooted in CWE-59 (link following) within the Windows logon component, and while no public exploit has been identified at time of analysis, the CVSS 7.8 rating reflects the high impact to confidentiality, integrity, and availability once a local attacker has a foothold. Microsoft has released a patch via the MSRC advisory.
Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) that an attacker with low-privileged local access can exploit to gain higher privileges. No public exploit identified at time of analysis, and the issue is not on CISA KEV, but the CVSS 7.8 rating reflects high impact across confidentiality, integrity, and availability once the race is won. A vendor patch is available via the Microsoft Security Response Center advisory.
Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) in concurrent handling of shared resources, allowing an authorized low-privileged attacker to win a timing window and elevate to higher privileges with scope change. The CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H reflects local-only exploitation with high attack complexity due to the timing-dependent nature, but a successful attacker gains full confidentiality, integrity, and availability impact across a security boundary. No public exploit identified at time of analysis.
Local privilege escalation in Windows Push Notifications enables an authenticated low-privileged user to elevate to higher privileges by exploiting a race condition (CWE-362) in concurrent access to a shared resource. Successful exploitation results in high impact to confidentiality, integrity, and availability with scope change, but no public exploit identified at time of analysis. Microsoft has released a patch via MSRC advisory.
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables a locally authenticated attacker to read sensitive information from memory without elevation of privilege. Affecting a wide range of Windows 10, Windows 11, and Windows Server builds, the vulnerability requires only low-privilege local access and no user interaction to trigger. No public exploit code has been identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact, placing this in a lower-urgency remediation band despite the High confidentiality rating in the CVSS vector.
Local information disclosure in Windows Hyper-V enables an authenticated low-privileged attacker to access sensitive data they are not authorized to read, without any user interaction. Affected systems span a broad range of Windows desktop and server editions from Server 2012 through Windows 11 26H1 and Server 2025. No public exploit identified at time of analysis and no CISA KEV listing; however, the high confidentiality impact (C:H) and breadth of affected versions make this a meaningful patching priority, particularly in multi-tenant virtualization environments.
Windows Push Notifications on multiple Windows 10, Windows 11, and Windows Server versions exposes sensitive memory contents through an uninitialized resource condition, allowing a low-privileged local user to read high-confidentiality data without any user interaction. The CVSS vector (AV:L/PR:L) confirms this is strictly a local privilege issue - no remote attack path exists - limiting its practical blast radius to insider threats and post-compromise lateral reconnaissance. No public exploit has been identified at time of analysis, and Microsoft has released patches addressing all listed affected versions.
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables authenticated local attackers to disclose sensitive information across a wide breadth of Microsoft Windows desktop and server platforms. Spanning Windows 10 through Windows 11 25H2 and Windows Server 2012 through Server 2025, the vulnerability carries a CVSS 5.5 Medium score with high confidentiality impact (C:H) but no integrity or availability impact. Microsoft has released patches via the June 2026 Patch Tuesday cycle; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Windows Push Notifications on a broad range of Windows 10, Windows 11, and Windows Server editions leaks sensitive memory contents to locally authenticated low-privileged users through an uninitialized resource condition (CWE-908). The CVSS vector confirms local attack vector with low-privilege authentication requirement, no user interaction needed, and high confidentiality impact - meaning an attacker who has already obtained a standard user account can read residual memory data that could include tokens, credentials, or other sensitive artifacts. No public exploit code exists and no active exploitation has been identified at time of analysis; a vendor-released patch is available via Microsoft Security Response Center.
Out-of-bounds read in the Windows Telephony Service exposes sensitive memory contents to locally authenticated attackers across a broad range of Windows client and server versions. The flaw (CWE-125) is exploitable with only low privileges and no user interaction, yielding high confidentiality impact while leaving integrity and availability unaffected. No public exploit code or active exploitation has been identified; CISA's SSVC framework rates this as non-automatable with partial technical impact, placing it at medium operational priority.
Local privilege escalation in the Windows NT OS Kernel allows an authenticated low-privileged user to elevate to higher privileges through an integer underflow condition. The flaw carries a CVSS 7.8 (High) rating with no public exploit identified at time of analysis, but Microsoft has issued a patch via MSRC. Defenders should treat this as a standard Patch-Tuesday-class kernel EoP that becomes a critical post-compromise pivot once initial access is achieved.
Denial-of-service in the Windows TCP/IP stack allows an authenticated attacker on an adjacent network to crash the networking subsystem of affected Windows hosts via an incorrect buffer size calculation. Affected systems span Windows 10 (21H2, 22H2), Windows 11 (23H2 through 26H1), Windows Server 2022, and Windows Server 2025 - all unpatched builds within Microsoft-documented version ranges. No public exploit identified at time of analysis, though Microsoft has released fixes addressable via Windows Update; the vulnerability is not listed in the CISA KEV catalog.
Windows Kerberos out-of-bounds read (CWE-125) allows a low-privilege network attacker to crash the Kerberos authentication service across all actively supported Windows client and server platforms, from Windows Server 2012 through Windows Server 2025 and Windows 11 26H1. The attack requires prior domain authentication and high-complexity triggering conditions (CVSS AC:H), limiting opportunistic mass exploitation, though a successful attack against a domain controller can deny authentication domain-wide by crashing the KDC. Vendor patches are available via the Microsoft MSRC advisory; no public exploit code exists and SSVC confirms no observed exploitation at time of analysis.
Local privilege escalation in Microsoft Windows Telephony Service allows an authenticated low-privileged attacker to elevate to higher privileges by exploiting a race condition in concurrent access to a shared resource. The flaw carries a CVSS 7.0 (High) rating with high attack complexity, and no public exploit identified at time of analysis. Successful exploitation grants full confidentiality, integrity, and availability impact on the affected host.
Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows unauthenticated remote attackers to read out-of-bounds memory contents over the network, potentially leaking sensitive data from the RDP service process. The vulnerability requires no authentication or user interaction and is rated CVSS 7.5 with high confidentiality impact only. At time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Information disclosure in Windows Shell exposes sensitive data to authenticated low-privileged attackers, with a confirmed vendor patch available. The vulnerability stems from CWE-200 improper information exposure within the Windows Shell component, allowing confidentiality compromise with no integrity or availability impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact score (C:H) and low attack complexity elevate practical concern for environments where lateral movement or credential harvesting are threat vectors.
Windows Shell exposes sensitive information to locally authenticated, low-privileged attackers without requiring user interaction or elevated privileges. The vulnerability (CWE-200) results in high confidentiality impact, allowing disclosure of sensitive data accessible through the Shell component. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the Microsoft Security Response Center (MSRC) has acknowledged the issue via advisory.
Local privilege escalation in the Windows Projected File System (ProjFS) Filter Driver allows an authenticated low-privileged user on a Windows host to escalate to higher privileges by triggering a buffer over-read in the kernel-mode driver. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 7.8 with low attack complexity and no user interaction makes it an attractive post-compromise target for endpoint operators.
Local privilege escalation in the Windows Function Discovery Service (fdwsd.dll) allows an authorized low-privileged attacker on the host to win a race condition and obtain elevated privileges. Reported by Microsoft (secure@microsoft.com) and tracked under MSRC's update guide, the issue carries a CVSS 7.0 score driven by high impact across confidentiality, integrity, and availability, though the high attack complexity reflects the timing window required. No public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.
Information disclosure in Microsoft Teams for Android allows an authenticated remote attacker to extract sensitive data via an injection flaw (CWE-74) in output passed to a downstream component. The CVSS 8.1 rating reflects high confidentiality and availability impact over the network with low privileges and no user interaction, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Elevation of privilege in the Microsoft Windows Universal Disk Format File System (UDFS) driver allows a local authenticated attacker to escalate to SYSTEM-level privileges with high impact on confidentiality, integrity, and availability. The CVSS 7.8 vector indicates local attack with low complexity and low privileges required, and no public exploit identified at time of analysis. The vulnerability stems from a numeric truncation error (CWE-197) in kernel-mode file system code, a class historically favored by post-compromise privilege escalation chains.