Skip to main content

Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (66674)

EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome on Linux prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page, escalating from a contained renderer context to broader host access. Chromium rates this High severity, and while no public exploit has been identified at time of analysis, the CVSS 8.3 score reflects the serious consequence of bypassing one of the browser's core security boundaries. The flaw resides in the Views component and requires user interaction (UI:R) plus a prior renderer compromise, making it a second-stage vulnerability in a multi-bug exploit chain.

Information Disclosure Google Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Integer overflow in libyuv allows a renderer-compromised attacker to read sensitive process memory in Google Chrome prior to 149.0.7827.103. This is a chained, post-exploitation vulnerability: the attacker must first control the Chrome renderer process (via a separate exploit), then serve a crafted HTML page that triggers the libyuv integer overflow to extract memory contents - making this a privilege escalation and data exfiltration primitive within a broader attack chain. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Google Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome on macOS versions prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer/network process to break out of the browser sandbox via a race condition triggered by a crafted HTML page. Chromium rates the severity as High and a vendor patch is available, though no public exploit has been identified at time of analysis.

Information Disclosure Google Race Condition +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome and ChromeOS on Linux prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing the Dawn (WebGPU) component. Chromium rates the severity High, and while no public exploit identified at time of analysis, sandbox-escape bugs in Dawn are historically chained with renderer RCE bugs in exploit chains. The CVSS 8.3 score reflects the high attack complexity and required user interaction, but the scope change (S:C) signals a meaningful trust-boundary break.

Information Disclosure Google Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's codec subsystem on Linux and ChromeOS (versions prior to 149.0.7827.103) enables remote unauthenticated attackers to exfiltrate sensitive data from other origins by delivering a specially crafted video file to a target user. The root cause is uninitialized memory use (CWE-457) within the codec pipeline, where memory contents from other origin contexts may be exposed during video processing. No public exploit code has been identified at time of analysis, and CISA SSVC classifies exploitation status as 'none'; however, the network-accessible attack surface and lack of authentication requirement make patching a prudent priority for Linux and ChromeOS deployments.

Information Disclosure Google Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Out-of-bounds read in the WebRTC component of Google Chrome before 149.0.7827.103 enables a remote attacker who has already compromised the GPU process to escalate into heap corruption via a crafted HTML page. Google rates this High severity and a vendor patch is available; no public exploit identified at time of analysis. The flaw is a chained-exploitation primitive rather than a standalone RCE, requiring a prior sandbox-adjacent foothold plus user interaction.

Information Disclosure Google Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

UI spoofing in Google Chrome prior to 149.0.7827.103 enables remote unauthenticated attackers to deceive users into interacting with falsified browser interface elements via a crafted HTML page. The vulnerability exploits insufficient input validation in Chrome's Input component (CWE-20), carrying a moderate CVSS 5.4 with confirmed low confidentiality impact and an Information Disclosure tag suggesting data exposure risk through spoofed UI surfaces such as fake dialogs or address bar manipulation. EPSS probability is very low at 0.05% (15th percentile), no public exploit has been identified, and no CISA KEV listing exists at time of analysis.

Information Disclosure Google Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Out-of-bounds read in Dawn, Chrome's WebGPU graphics API layer, on Windows enables unauthenticated remote attackers to leak cross-origin data by serving a crafted HTML page. Affected versions of Google Chrome on Windows are all releases prior to 149.0.7827.103. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) confirms this is a network-exploitable, low-complexity information disclosure with no authentication requirement - limited only by the need for a user to visit the attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Google Microsoft +3
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page served through the New Tab Page. Google rates the underlying Chromium severity as High and a fix is shipped in the stable channel, but no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Google Red Hat +1
NVD VulDB
EPSS 0% 4.8 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development.

Information Disclosure Google Buffer Overflow +3
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed data if it exceeds 4GB. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Integer Overflow
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

CSV Injection in Poweradmin's log export functionality allows a high-privileged attacker to embed spreadsheet formulas in usernames that execute when an administrator exports activity logs and opens the resulting CSV in Excel, LibreOffice Calc, or Google Sheets. All four log export controllers pass username fields directly to PHP's fputcsv() without neutralizing formula trigger characters (=, +, -, @), enabling phishing via rendered hyperlinks and silent data exfiltration via =IMPORTXML() or similar functions targeting victim administrators. Publicly available exploit code exists per GHSA-3h6h-67x3-cv5x; the vulnerability is not listed in CISA KEV.

Google PHP Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

DNS cache poisoning in Netty's resolver component (io.netty:netty-resolver-dns) enables remote unauthenticated attackers to redirect downstream application traffic to attacker-controlled IPs through a Kaminsky-style spoofing attack. The vulnerability combines two compounding weaknesses present in the default configuration: DNS transaction IDs shuffled with a mathematically predictable Linear Congruential Generator (ThreadLocalRandom), and a static UDP source port resulting from the default ChannelPerResolver channel strategy. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but the Netty project rated it high severity and released fixes in versions 4.1.135.Final and 4.2.15.Final.

Information Disclosure Java Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

File descriptor exhaustion in Netty's Unix domain socket native transport allows a local peer to leak two file descriptors per crafted SCM_RIGHTS message into the receiving process, with neither FD ever closed. Affected are applications explicitly configured with DomainSocketReadMode.FILE_DESCRIPTORS on Epoll or KQueue DomainSocketChannel - a non-default opt-in setting. Sustained message flooding by a local socket peer can exhaust the Netty process's file descriptor table, ultimately causing denial of service. No public exploit identified at time of analysis and not listed in CISA KEV; CVSS scores this at 4.0 (Low) reflecting the local-only attack surface and low availability impact.

Information Disclosure Java Linux +2
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Traffic amplification in Netty's QUIC codec (io.netty:netty-codec-classes-quic versions 4.2.0.Final through 4.2.14.Final) allows remote unauthenticated attackers to weaponize Netty-based QUIC servers as DDoS reflectors. The default NoQuicTokenHandler's validateToken() unconditionally returns 0, which the server misinterprets as a successfully Retry-validated client address, bypassing RFC 9000's 3× anti-amplification limit and causing the server to reflect full-size handshake flights (including certificates) toward a spoofed victim IP. No public exploit identified at time of analysis, but the fix is published in Netty 4.2.15.Final.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory leak in Netty's HAProxy codec (io.netty:netty-codec-haproxy) allows remote unauthenticated attackers to exhaust server memory by sending PROXY protocol v2 frames containing a malformed PP2_TYPE_SSL TLV with a length below 5 bytes. The flaw causes a retained slice on the pooled cumulation buffer to never be released when an IndexOutOfBoundsException escapes the decoder's narrow exception handler. No public exploit identified at time of analysis, but the issue is trivially reproducible from the advisory's technical detail and affects any service that accepts PROXY v2 input from untrusted peers.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Cleartext credential exposure in Devolutions Server allows an authenticated low-privileged user to retrieve plaintext credentials stored for configured ticketing integrations via a crafted API request. Affected versions include Devolutions Server 2026.2.4.0 and all 2026.1.x releases up to and including 2026.1.20.0. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the vulnerability was self-disclosed by Devolutions via advisory DEVO-2026-0015.

Information Disclosure Server
NVD VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

Least privilege violation in the D-Link DGS-1100-08PD managed switch firmware version 1.00.006 allows remote unauthenticated attackers to achieve low-integrity impact through improper processing of the Boa web server configuration file /etc/boa.conf via the device's web interface. The CVSS 4.0 score is 2.9 (Low), reflecting high attack complexity (AC:H) and constrained impact (VI:L only), though a publicly available proof-of-concept lowers the barrier for skilled attackers. No active exploitation has been confirmed in CISA KEV, making this a low-priority but trackable risk for network operators deploying this switch model.

Information Disclosure D-Link
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Least privilege violation in TOTOLINK CP450 router firmware 4.1.0cu.747 allows low-privileged remote attackers to perform unauthorized integrity-affecting actions via the vsftpd FTP service, whose configuration in /etc/vsftpd.conf grants excessive permissions beyond operational necessity. The vulnerability carries a low CVSS 4.0 score of 2.1, reflecting constrained impact limited to low integrity effects on the vulnerable system with no confidentiality or availability consequence. A publicly available proof-of-concept exploit exists, and no CISA KEV listing has been confirmed, indicating no known active widespread exploitation at time of analysis.

Information Disclosure Cp450
NVD VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Credential disclosure in OpenBullet2 through 0.3.2 on Windows allows authenticated remote attackers to coerce SMB authentication and capture NTLMv2 hashes by configuring a job's proxy source with an attacker-controlled UNC path. Captured hashes can be relayed against other services or cracked offline to recover the password of the account running the application. Publicly available exploit code exists per VulnCheck advisory; no CISA KEV listing at time of analysis.

Information Disclosure Microsoft Openbullet2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel warning (WARN_ON) triggerable in the Linux videobuf2 DMA scatter-gather subsystem on Apple Silicon systems allows a low-privileged local user to destabilize video capture pipelines by performing mmap() on an imported DMA-buf. The vb2_dma_sg_mmap function fails to set VM_DONTEXPAND and VM_DONTDUMP VMA flags - protections that vb2_dma_contig correctly applies - causing drm_gem_mmap_obj() to hit its assertion guard. No public exploit has been identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with the narrow hardware-specific trigger surface.

Linux Apple Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's AMD GPU userqueue (drm/amdgpu/userq) driver allows a low-privileged local user to exploit a race condition between queue creation and wptr_obj unmapping, resulting in access to stale wptr mappings and potential substitution of a buffer object at the same address. The flaw affects AMD GPU userqueue handling and could enable memory corruption with high impact to confidentiality, integrity, and availability. No public exploit has been identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Information disclosure in the Linux kernel's Intel Xe DRM graphics driver (drm/xe) allows a local user to read stale data from previously freed memory pages belonging to other processes. The xe_vm_madvise_ioctl() handler failed to reject PAT indices set to XE_COH_NONE (non-coherent) coherency mode on CPU-cached buffer objects, letting a GPU bypass dirty CPU caches and read sensitive content directly from DRAM before the kernel's page-clearing writeback completes. There is no public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, consistent with a local, race-dependent leak rather than a widely weaponized flaw.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's MediaTek power-domain (pmdomain) driver stems from a use-after-free in scpsys_get_bus_protection_legacy(), where a device node is released via of_node_put() before the error path dereferences it in dev_err_probe(). Affecting kernels using the MediaTek SCPSYS legacy bus-protection code path (typically ARM/ARM64 MediaTek SoC platforms), a local low-privileged attacker able to influence the probe error path could corrupt freed kernel memory, with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).

Memory Corruption Mediatek Linux +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Out-of-bounds array write in the Linux kernel's ath5k wireless driver allows a stray write of a -1 sentinel value into adjacent struct memory when ts_final_idx reaches 3 on Atheros 5212 chipsets. The kernel maintainers and the original reporter explicitly describe the impact as negligible, as the only field overwritten is info->status.ack_signal, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel flow dissector allows remote attackers to trigger an unaligned access exception by sending crafted PPPoE Protocol Field Compression (PFC) frames to an Ethernet interface on alignment-sensitive architectures such as MIPS. The flaw affects kernels from 6.0 onward where Receive Packet Steering (RPS) or similar features invoke the flow dissector on incoming frames, and no PPPoE session needs to be active on the targeted interface. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the vendor has released patched kernel versions.

Debian Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's NVMe-over-TCP target (nvmet_tcp) module allows remote initiators to trigger a recursive nvmet-wq workqueue flush during controller teardown, producing a lockdep-flagged deadlock condition in nvmet_ctrl_free(). The flaw affects systems exposing NVMe-TCP targets where controller release work and async_event_work are both queued on the same nvmet workqueue. EPSS is 0.02% (7th percentile) and there is no public exploit identified at time of analysis; vendor patches have been issued across multiple stable branches.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds disk read in the Linux kernel ISO 9660 filesystem (isofs) Rock Ridge handler allows narrow information disclosure when a crafted ISO image is mounted. The rock_continue() function trusted the CE continuation extent block number from the on-disk Rock Ridge record and passed it to sb_bread() without bounds checking against the volume size, so a malicious ISO can cause the kernel to read blocks belonging to an adjacent filesystem on the same block device and surface their contents through readlink() on SL sub-records. EPSS is 0.02%, no public exploit identified at time of analysis, and the issue is not on CISA KEV.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial-of-service in the Linux kernel's SELinux subsystem allows any low-privileged local process to monopolize the `/sys/fs/selinux/policy` file descriptor, blocking all other processes from reading the active kernel policy. The root cause is a `policy_opened` flag that enforced a single-open restriction on the SELinux policy pseudofile - originally intended to prevent inconsistent reads or unbounded kernel memory allocation, but which also created a trivial resource-starvation primitive. No active exploitation has been identified (not in CISA KEV), and the EPSS score of 0.02% places this in the 5th percentile for exploitation likelihood.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in the Linux kernel's topcliff-pch (pch_spi) SPI master driver arises from a use-after-free triggered when the driver is unbound, because DMA buffers are released before the driver's transfer queue is flushed. An attacker with the ability to unbind the device can cause the freed DMA buffers to be accessed by in-flight SPI transfers, yielding CWE-416 memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis, and the EPSS probability is negligible (0.02%), consistent with an obscure, hardware-specific driver rather than a broadly exploitable flaw.

Memory Corruption Linux Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local denial of service in the Linux kernel hfsplus filesystem driver occurs when hfsplus_fill_super() fails to release tree->tree_lock on an error path during HFS+ mount, causing a 'held lock freed' warning and potential lockdep-detected kernel instability. The flaw affects systems with CONFIG_HFSPLUS_FS enabled and is triggered when hfsplus_cat_build_key() returns an error during superblock initialization. No public exploit identified at time of analysis, and EPSS is very low (0.02%).

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Deadlock vulnerability in the Linux kernel's pseries/papr-hvpipe subsystem allows a local low-privileged attacker on IBM pSeries Power Architecture systems to cause a kernel deadlock by triggering a race between the ioctl or release handler and a hardware interrupt firing on the same CPU. Exploitation is architecture-specific, requiring IBM PAPR hardware with the hvpipe driver loaded, and results in an availability-only denial-of-service. No public exploit exists and EPSS probability stands at 0.02%, consistent with a narrow attack surface; vendor-released patches are confirmed available for Linux 7.0.7, 7.1-rc3, and the 6.18 stable branch.

Linux Race Condition Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper interrupt registration in the Linux kernel's libwx network driver causes a kernel WARNING when VF (Virtual Function) misc interrupts are initialized, resulting in high availability impact on affected systems. The libwx driver incorrectly calls request_threaded_irq() with a primary handler, a NULL threaded handler, and the IRQF_ONESHOT flag - an invalid combination flagged as a WARNING by the kernel interrupt management subsystem since commit aef30c8d569c. Exploitation requires local access with low privileges on a system equipped with a Wangxun VF NIC using the libwx driver; no public exploit code exists and EPSS is negligible at 0.02%.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's Microchip PolarFire SoC clock conditioning circuit driver (clk-mpfs-ccc) occurs during registration of the final clock outputs, because the driver's hws array is sized only for two PLLs and their four dividers while the defined clock IDs also enumerate two unsupported DLLs and their outputs. On affected Microchip PolarFire SoC hardware this leads to reads past the allocated array (flagged by UBSAN), enabling information disclosure or a kernel crash. There is no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Sensitive HMAC key material is exposed through kernel debug logging in the Linux kernel's CAAM (Cryptographic Acceleration and Assurance Module) crypto driver. On systems with CONFIG_DYNAMIC_DEBUG enabled and debug output activated for the caam module at runtime, calls to hash_digest_key() emit raw HMAC key bytes via hex dump into the kernel log, allowing any local attacker with debug log read access to extract cryptographic secrets. No public exploit code has been identified and EPSS probability is 0.02%, though the confidentiality impact is severe if exploitation conditions are met. The provided CVSS vector (C:N/A:H) appears to misclassify this as an availability issue rather than a confidentiality issue - see confidence notes.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Incorrect length calculation in the Linux kernel's lib/scatterlist extract_kvec_to_sg helper can produce scatterlist entries that cross page boundaries, leading to memory corruption or out-of-bounds access in kernel code paths that build scatterlists from kvecs (originally introduced in v6.3, moved to lib/scatterlist.c in v6.5). The flaw is patched upstream across the 6.6, 6.12, 6.18 and 7.0/7.1 stable trees, with no public exploit identified at time of analysis and a very low EPSS probability of 0.02%.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Use-after-free in the Linux kernel's Open Firmware (OF) device-tree unit test code (of_unittest_changeset) allows reads of freed memory when the unit test path executes. The flaw lives in selftest code (drivers/of/unittest.c) reachable only when CONFIG_OF_UNITTEST is built in and the test runs, making real-world impact narrow. EPSS is 0.02% (5th percentile) and there is no public exploit identified at time of analysis; the bug has been fixed upstream and backported to stable trees.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local memory corruption in the Linux kernel's mtd/docg3 M-Systems DiskOnChip driver occurs when docg3_release() dereferences a docg3 pointer already freed by doc_release_device() (kfree at line 1881), a CWE-416 use-after-free reachable during device teardown. Only systems that load the docg3 driver for DiskOnChip G3 flash hardware are affected. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 7th percentile), and the issue is not in CISA KEV; it has been fixed upstream across multiple stable branches.

Memory Corruption Linux Use After Free +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Sensitive cryptographic material-HMAC session keys, nonces, and passphrase data held in struct tpm2_auth-is left in freed slab memory when a TPM device is released via tpm_dev_release() in Linux kernels from 6.10 onward, because that code path uses kfree() rather than kfree_sensitive(). Every other tear-down path in the same TPM driver (tpm2_end_auth_session() and tpm_buf_check_hmac_response()) already calls kfree_sensitive(), making this an isolated inconsistency. No public exploit exists and EPSS is 0.02% (5th percentile), but in high-assurance environments where TPM-backed key confidentiality is mandatory the residual key material is a meaningful exposure until overwritten by subsequent allocations.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's HMM (Heterogeneous Memory Management) test driver (lib/test_hmm) allows local users to trigger a kernel panic and potentially escalate privileges when device private pages are faulted in after the dmirror file descriptor is closed. The flaw was discovered during arm64 selftest runs where a SIGABRT coredump walked stale VMAs and dereferenced a dangling zone_device_data pointer. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Improper handling of allocation-profiling codetags in the Linux kernel's mm/alloc_tag subsystem causes an 'alloc_tag was not set' WARNING when pages allocated before page_ext initialization are later freed, because their codetag reference was never set. This affects local systems running kernels built with the debug option CONFIG_MEM_ALLOC_PROFILING_DEBUG and with mem_profiling_compressed disabled, and is triggered by ordinary boot-time activity (e.g. KASAN quarantine reclaim freeing early-allocated pages). It is classified under CWE-415 (double free) but the observed effect is a kernel warning splat; there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).

Linux Red Hat Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's mm/zone_device subsystem allows local attackers with low privileges to corrupt memory or escalate privileges by exploiting a race where a device folio is accessed after the driver's ->folio_free() callback has already reallocated it with a potentially different order. The flaw affects systems using ZONE_DEVICE memory (typically with DAX, HMM, or GPU/accelerator drivers exposing device-backed folios) and carries a 7.8 CVSS with low EPSS (0.02%, 5th percentile), indicating high theoretical impact but no public exploit identified at time of analysis.

Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Information disclosure in FlowiseAI Flowise prior to version 3.1.2 allows authenticated users to retrieve encrypted credential blobs (API keys, passwords, OAuth tokens for OpenAI, AWS, etc.) by querying the credentials API with a credentialName filter. The /api/v1/credentials endpoint correctly strips the encryptedData field on unfiltered queries but omits this sanitization on the filtered code path, exposing AES-encrypted secrets to any authenticated caller. No public exploit identified at time of analysis, though a working curl reproduction is published in the GHSA advisory.

Information Disclosure Flowise
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Credential brute-force exposure in Flowise prior to 3.1.2 allows remote unauthenticated attackers to perform unlimited password-guessing attacks against the checkBasicAuth endpoint, which lacks rate limiting and uses non-constant-time plaintext comparison against the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables. Successful exploitation grants full access to the Flowise LLM workflow builder. No public exploit identified at time of analysis, though the GHSA advisory documents the vulnerable code path in detail and EPSS sits at a low 0.04%.

Information Disclosure Flowise
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Apache HTTP Server 2.4.0-2.4.67 has a buffer underwrite (CWE-124) in ap_regname, triggered by a crafted regular expression in the server configuration. The vendor (Apache) rates this Low severity. A separate CISA-ADP assessment assigned CVSS 9.8 using a network, unauthenticated vector that is inconsistent with the vendor description, because exploitation requires control over the httpd configuration. No public exploit and not in CISA KEV. Fixed in 2.4.68.

Information Disclosure Apache Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Apache HTTP Server 2.4.0 through 2.4.67 arises from an interaction between mod_headers, mod_mime, and multi-language content negotiation, allowing unauthenticated remote attackers to trigger memory reads beyond allocated buffer boundaries. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) confirms low-complexity, unauthenticated network exploitation yielding limited confidentiality and integrity impact with no availability consequence. No active exploitation confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.

Information Disclosure Apache Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 2.7
LOW POC PATCH Monitor

Weak cryptographic hashing of attachment passwords in phpMyFAQ prior to 4.1.4 exposes protected attachment credentials to offline cracking or collision-based forgery. The application stored SHA-1 hashes of per-attachment passwords in the database column `password_hash`, computed via `sha1((string) $key)` in `AbstractAttachment::setKey()`. Because SHA-1 has been cryptographically broken since the 2017 SHAttered collision attack, an attacker who obtains these database-stored hashes faces significantly weakened resistance compared to a modern algorithm. No active exploitation is confirmed (CISA KEV: no; exploit status E:U per CVSS 4.0), and the CVSS 4.0 base score of 2.7 reflects limited real-world impact.

Information Disclosure Phpmyfaq
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Improper path handling in the mod_dav_fs module of Apache HTTP Server 2.4.67 and earlier permits a WebDAV content author to directly manipulate trusted DAV property databases, leading to integrity violations and child process crashes. With a CVSS of 9.1 (AV:N/AC:L/PR:N/UI:N) and SSVC technical impact rated 'total' with automatable=yes, the flaw is highly impactful, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Apache Suse +2
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Offlineimap
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Local privilege escalation and integrity compromise in Imagination Technologies Graphics DDK (GPU driver) allows non-privileged users to corrupt sparse memory mapping state via improper GPU system calls, leading to out-of-bounds memory access. The flaw stems from implicit scaling errors in pointer arithmetic across buffers of differing sizes (CWE-468), affecting DDK releases 24.2 RTM, 25.1-25.3 RTM, and 26.1 RTM. No public exploit identified at time of analysis, but the local attack vector with low complexity makes this attractive for sandbox escape chains on Android/Linux devices using PowerVR GPUs.

Information Disclosure Graphics Ddk
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation via use-after-free in the Linux kernel io_uring io-wq worker subsystem allows an unprivileged local user to corrupt kernel memory and potentially execute arbitrary code in kernel context. The flaw lives in io_wq_remove_pending(), where a missing io_wq_is_hashed() check on the predecessor work item lets a non-hashed io_kiocb be recorded in wq->hash_tail[0]; after that request is freed back to req_cachep, the stale pointer is dereferenced on the next hashed bucket-0 enqueue. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is reachable from any process that can issue io_uring syscalls.

Linux Information Disclosure Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial-of-service in the Linux kernel's DRM VKMS (Virtual Kernel Mode Setting) subsystem arises from an improperly managed custom hrtimer used for vblank timing, replaced in the fix by DRM's standard vblank timer implementation. Local users with low-privileged access to the VKMS device can trigger a kernel availability failure - likely a crash or hang - due to the divergent timer lifecycle in struct vkms_output. EPSS is negligible at 0.02% and no active exploitation is confirmed; this is a low-urgency kernel hardening fix affecting development and CI-focused deployments.

Linux Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a large number of HTTP or RTR connections, exhausting file descriptors and triggering an unrecoverable exit. Only deployments exposing the HTTP or RTR server to untrusted networks are affected. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Routinator
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Hard-coded cryptographic key exposure in the glnassys (GL.iNet NAS system) component across eight GL.iNet router models running firmware 4.8.x enables a low-privileged remote attacker to exploit a static authentication token and potentially execute unauthorized commands against the NAS subsystem. The vulnerability is rooted in CWE-321 (Use of Hard-coded Cryptographic Key), where the firmware embeds a fixed authentication secret that cannot be rotated by users or administrators. No public exploit identified at time of analysis, and the vendor has released firmware 4.9.0 as a fix.

Information Disclosure A1300 Ax1800 +6
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated remote exploitation of the Boa embedded web server on the D-Link DCS-5615 IP camera (firmware 1.01.00) allows attackers to violate the principle of least privilege via manipulation of the `/etc/conf.d/boa/boa.conf` configuration component. The CVSS 4.0 vector confirms network-reachable, zero-complexity, no-authentication access with an active proof-of-concept exploit publicly available. No public KEV listing is present, but the PoC status elevates real-world risk for this class of always-on, internet-facing IoT device.

Information Disclosure D-Link
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Least-privilege violation in TOTOLINK AC1200 T8 firmware 4.1.5cu.8611 exposes the vsftpd FTP service to unauthorized integrity manipulation by low-privileged authenticated network users. The /etc/vsftpd.conf configuration grants excessive permissions beyond the principle of least privilege (CWE-272), allowing a low-privilege authenticated attacker to perform write operations they should not be authorized to execute. A proof-of-concept exploit has been publicly disclosed; the vulnerability is not confirmed in CISA KEV, but the CVSS temporal vector (E:P, RC:R) reflects publicly available exploit code with reasonable confidence in the report.

Information Disclosure Ac1200 T8
NVD VulDB
EPSS 0% CVSS 1.3
LOW POC Monitor

Weak password requirements in the Samba service of Tenda AC15 firmware 15.03.05.19 expose SMB file-sharing functionality to brute-force attacks from adjacent-network attackers. The flaw originates in the /etc_ro/smb.conf configuration, which enforces insufficient password complexity, enabling unauthenticated local-network adversaries to guess or brute-force credentials and achieve limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, though the high attack complexity (AC:H) and adjacency requirement (AV:A) constrain realistic exploitation to targeted, in-person or LAN-positioned threat actors.

Tenda Information Disclosure Brute Force
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Least privilege violation in D-Link DIR-823G firmware version 1.0.2B05 exposes the vsftpd FTP daemon configuration file (/etc/vsftpd.conf) to manipulation by network-accessible, low-privileged authenticated users, enabling unauthorized modification of FTP service behavior. The CVSS vector (AV:N/AC:L/PR:L/UI:N/I:L) confirms this is remotely exploitable with low complexity by any authenticated user, resulting in limited integrity impact. A publicly available proof-of-concept exploit has been released per VulDB reporting (E:P), though no active exploitation has been confirmed in CISA KEV at this time.

Information Disclosure D-Link
NVD VulDB
EPSS 0% CVSS 1.1
LOW Monitor

Cross-project embedding cache leakage in grepai (versions up to 0.35.0) allows a local low-privileged authenticated user to retrieve cached PostgreSQL embedding vectors belonging to other projects by supplying a known or predicted content_hash value to the LookupByContentHash function. The underlying flaw is a missing project_id scope in the SQL query, meaning any project's embedding vectors can be retrieved by any other authenticated caller who can supply a matching hash. No public exploitation has been confirmed via CISA KEV, but proof-of-concept exploit code has been publicly disclosed per VulDB and GitHub issue #249, and a fix PR (#250) is pending acceptance.

Information Disclosure PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW Monitor

Weak SHA1-based chunk ID generation in yoanbernabeu grepai 0.35.0 enables insufficient namespace isolation within the Qdrant vector database backend, allowing an authenticated remote attacker to potentially access or corrupt indexed data belonging to other projects sharing the same Qdrant collection. The vulnerability stems from the absence of project namespace scoping in chunk UUID derivation, meaning chunk IDs could collide or be predicted across project boundaries. Publicly available exploit code exists per the CVSS E:P modifier and vendor disclosure, though no confirmed active exploitation (CISA KEV) has been recorded; the extremely low CVSS 4.0 score of 1.3 reflects high attack complexity and limited impact scope.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Race condition in songquanpeng one-api's redemption code feature allows authenticated users to redeem a single-use code multiple times by sending concurrent requests before the transaction completes. The root cause is confirmed by PR diff: the codebase uses deprecated GORM v1 syntax (`tx.Set("gorm:query_option", "FOR UPDATE")`) that does not reliably apply a database row lock in GORM v2, leaving the transaction window unprotected. All versions up to 0.6.11-preview.7 are affected; a fix exists as an unmerged pull request, and publicly available exploit code is referenced in GitHub issue #2397 - no public exploit has been identified at time of analysis.

Information Disclosure One Api
NVD VulDB GitHub
EPSS 0% CVSS 1.3
LOW POC Monitor

Information disclosure in JeecgBoot up to 3.9.2 allows authenticated remote attackers to extract password salt values by manipulating the `salt` argument in the `queryPageList` function of the User List Endpoint (`SysUserController.java`). While the CVSS score is low (3.1) due to high attack complexity and a low-privilege authentication requirement, a publicly available proof-of-concept (GitHub issue #9648) exists and no vendor patch has been released - only one planned for a future version. Exposure of salt values is particularly sensitive as it can facilitate offline password hash cracking if hashes are separately obtained.

Information Disclosure Java
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

Type confusion in USCiLab Cereal C++ serialization library through version 1.3.2 allows remote attackers to trigger memory corruption via the Shared Pointer Handler component when deserializing untrusted input. Publicly available exploit code exists (published as a GitHub gist), and the issue was disclosed by VulDB after early vendor contact. CVSS 7.3 reflects network-reachable, low-complexity exploitation with low impact across confidentiality, integrity, and availability - consistent with a memory-safety flaw in a header-only library embedded in downstream applications.

Information Disclosure Memory Corruption Cereal
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

Improper input type validation in Boost Serialization versions up to 1.91 allows remote attackers to send maliciously crafted serialized data that triggers limited compromise of confidentiality, integrity, and availability. Publicly available exploit code exists (published as a GitHub gist by researcher TrebledJ), and the maintainer has indefinitely postponed a fix after the 90-day disclosure deadline expired, leaving downstream C++ applications using Boost Serialization unpatched. No active exploitation has been confirmed via CISA KEV.

Information Disclosure Serialization
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Information disclosure in SecureAge CatchPulse (versions up to 10.9.1) is triggered through an improperly secured IOCTL handler within the saappctl.sys kernel-mode driver, allowing a low-privileged local user to extract sensitive data from the driver's memory space. A public proof-of-concept exploit exists per VulDB reporting, increasing the likelihood of opportunistic local use - particularly as a reconnaissance step within a broader privilege escalation chain. No vendor patch has been issued and the vendor did not respond to coordinated disclosure, leaving all installations of affected versions unmitigated.

Information Disclosure Catchpulse
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated remote access to the Spring Boot Actuator endpoint in erzhongxmu JeeWMS exposes sensitive application internals to any network-reachable attacker. The `/base-boot/actuator` path, part of the Spring Boot management framework, is accessible without credentials, potentially leaking environment variables, configuration properties, internal service topology, and application health data. A publicly available proof-of-concept exploit exists per CVSS temporal modifier E:P and a referenced GitHub issue; however, this vulnerability has not been confirmed in CISA KEV as actively exploited at time of analysis.

Information Disclosure Jeewms
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Perl Protocol::HTTP2 module versions up to and including 1.12 lets remote unauthenticated attackers exhaust server memory by sending a small HTTP/2 request that expands massively during HPACK decoding (an 'HTTP/2 bomb'). The module advertises MAX_HEADER_LIST_SIZE in SETTINGS but never enforces it on decode, and version 1.12 made things worse by unbounded CONTINUATION-frame buffering. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but CPANSec has coordinated a vendor patch.

Information Disclosure Protocol Suse
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Log injection in the Debug Log Manager WordPress plugin (versions up to and including 2.5.0) allows unauthenticated remote attackers to write arbitrary forged entries into the site's debug log. The root cause is a broken authorization design: the `log_js_errors()` AJAX handler is registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors`, and the only gate-a WordPress nonce-is publicly broadcast in every page's front-end HTML via `wp_localize_script()` whenever JavaScript error logging is enabled, rendering it non-secret and thus non-protective. Exploitation enables log spoofing, masking of real malicious activity behind fabricated noise, and manipulation of administrator triage decisions. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Information Disclosure WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated webhook forgery in WPForms (wpforms-lite ≤1.10.0.1) enables payment fraud by allowing any remote attacker who knows a valid PayPal subscription_id to manipulate subscription payment records - including forcing a cancelled or suspended subscription back to active status - without any credentials or user interaction. The PayPal Commerce webhook endpoint accepts and acts on arbitrary JSON POST payloads, performing no HMAC-SHA256 origin verification, and trusts attacker-supplied resource data once the event_type field passes a whitelist check. No public exploit has been identified and this vulnerability is not listed in CISA KEV at time of analysis, but the zero-complexity attack path makes independent exploitation straightforward for anyone possessing a valid subscription_id.

Information Disclosure WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Sensitive information exposure in LearnPress WordPress LMS Plugin (all versions through 4.3.6) allows unauthenticated remote attackers to extract plaintext passwords and unpublished course content via a crafted REST API request. The /wp-json/lp/v1/courses/archive-course endpoint accepts two query parameters - c_status=all and return_type=json - that together bypass a publish-only post_status filter and suppress a safe DISTINCT(ID) field override, triggering an unrestricted SELECT * fallback query against the WordPress posts table. Exposed data includes post_password in plaintext for password-protected courses, and post_content, post_author, and post_name for draft, private, and pending courses. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector makes it trivially scriptable at scale.

Authentication Bypass Information Disclosure WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Information exposure in Essential Addons for Elementor (all versions ≤ 6.6.4) allows unauthenticated remote attackers to extract content from password-protected, private, and draft WordPress posts via the plugin's ajax_load_more AJAX endpoint. The root cause (CWE-639) is that user-controlled query parameters are accepted without enforcing WordPress native post-visibility access controls, bypassing the platform's built-in confidentiality model. No public exploit code has been identified at time of analysis, but the zero-authentication, zero-complexity attack surface on one of the most widely deployed Elementor add-ons makes this a realistic target for automated scanning campaigns.

Authentication Bypass Information Disclosure WordPress +1
NVD VulDB
EPSS 0% CVSS 6.6
MEDIUM This Month

PHP Object Injection in the LearnPress - Backup & Migration Tool WordPress plugin (versions ≤ 4.1.4, by ThimPress) allows authenticated administrators to supply maliciously crafted serialized data through the plugin's import functionality, triggering unsafe PHP deserialization. The vulnerability itself carries no direct impact in isolation - exploitation is contingent on a separate plugin or theme installing a usable POP (Property-Oriented Programming) chain on the same site, at which point an attacker can escalate to arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS score of 6.6 (High complexity, High privileges required) reflects the constrained real-world conditions.

PHP Information Disclosure Deserialization +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

Local File Inclusion in the WP User Manager WordPress plugin (versions through 2.9.17) allows unauthenticated remote attackers to include and execute arbitrary .php files on the server via the profile tab query parameter. The flaw stems from missing validation of the tab value before it is passed to the profile template loader, enabling path traversal to any PHP file the web server can read. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV, but POC behavior is effectively documented in the upstream fix's traversal test cases.

WordPress Path Traversal RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Payment forgery in the Event Monster WordPress plugin (versions through 2.1.0) allows unauthenticated remote attackers to generate valid paid event tickets without completing any actual payment transaction. The AJAX handler wp_ajax_nopriv_em_capture_payment accepts client-supplied transaction ID, amount, and payment status values at face value, with no PayPal API verification, no nonce, and no capability check - meaning any HTTP client can POST fabricated payment confirmation data and receive a fully authenticated QR-coded ticket via email. No public exploit has been identified at time of analysis, but the attack requires no authentication and minimal technical skill, making it a meaningful financial fraud risk for any site using this plugin for paid events.

Information Disclosure WordPress
NVD VulDB
EPSS 0% CVSS 3.8
LOW Monitor

Arbitrary directory deletion in the WPvivid Backup & Migration WordPress plugin (all versions through 0.9.128) allows authenticated administrators to remove arbitrary server-side folders by submitting a crafted path to the delete_cancel_staging_site() function. Impact is confined to integrity and availability - server files and directories can be irreversibly destroyed - with no confidentiality exposure. No public exploit identified at time of analysis, and exploitation requires high-privilege WordPress credentials, substantially limiting real-world risk.

Information Disclosure WordPress
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Server-side request forgery in the shared GraphQL service of Altium Enterprise Server (prior to 8.1.1) and Altium 365 allows authenticated users to coerce the server into issuing arbitrary outbound HTTP GET requests and receiving the response body. The flaw enables reconnaissance of internal services and cloud metadata endpoints not reachable from the public network. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure SSRF Altium Enterprise Server +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored XSS, IDOR, and credential disclosure in Shopper Framework admin Livewire components (versions < 2.8.0) allow authenticated admin users to tamper with arbitrary records, harvest plaintext customer passwords from the page DOM, and persist JavaScript payloads in product barcode fields that execute against any admin viewing the product. The combined issues enable session hijacking and privileged-action chaining within the Laravel-based e-commerce admin panel; no public exploitation has been reported and no public exploit identified at time of analysis.

XSS Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Weak cryptographic salt generation in HAX CMS (haxcms-php) versions prior to 26.0.1 allows remote unauthenticated attackers to predict or recover salt values used during installation and authentication-related operations. The flaw stems from using PHP's uniqid() - a timestamp-based, non-cryptographic function - as a randomness source (CWE-338). No public exploit has been identified at time of analysis and the CVE is not on CISA KEV.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Session token disclosure in HAX CMS versions 25.0.0 through 26.0.0 (exclusive) stems from the haxcms_refresh_token cookie being issued without the Secure flag, allowing the browser to send it over plaintext HTTP. A network-positioned attacker can capture the refresh token via passive sniffing and hijack the victim's authenticated session. No public exploit identified at time of analysis, and the vendor has published a fix in version 26.0.0.

PHP Information Disclosure Haxcms Php
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in HAX CMS PHP before 26.0.0 lets authenticated low-privilege users upload HTML files with uppercase extensions (.HTML, .Html, .HTM) that bypass the case-sensitive .htaccess Content-Disposition: attachment rule, causing browsers to render the file inline and execute embedded JavaScript in the HAXcms origin. The flaw defeats the mitigation shipped for CVE-2026-22704 and carries a CVSS 8.7 score driven by scope change (S:C) into the victim browser context. No public exploit identified at time of analysis, though the GitHub Security Advisory describes the bypass technique in enough detail to reproduce.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account password to disable TOTP or regenerate backup codes via the POST /users/totp/disable and POST /users/totp/backup-codes endpoints, completely neutralizing the second factor. The flaw stems from these MFA-critical endpoints accepting the account password as the sole authentication factor, meaning credential stuffing, phishing, or a leaked password hash (referenced as GHSA-xxxx) is sufficient to defeat 2FA. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Termix
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Information disclosure in Arista EOS on platforms with hardware IPsec support can occur when physical interface flaps or specific agent restarts cause IPsec tunnels to re-establish while reusing existing Security Associations, leading to sequence number mismatches between endpoints. The CVSS 4.0 base score of 8.2 reflects high confidentiality impact reachable over the network, though attack requirements (AT:P) indicate specific preconditions must be met. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Eos
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Machine-in-the-middle interception of HTTPS traffic in Termix Desktop (Electron) starting at version 1.7.0 allows attackers positioned on the network path to steal login credentials and JWT/session tokens because the Electron client disables TLS certificate validation entirely. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the CVSS 8.0 rating with scope-change and the absence of any vendor-released patch make this a meaningful concern for any user running Termix Desktop on untrusted networks.

Information Disclosure Termix
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in CloudburstMC Network versions prior to 1.0.0.CR3-20260418.124334-32 allows remote unauthenticated attackers to close the parent Netty channel, rendering the network layer inoperable. Any publicly accessible application depending on the affected library is exposed, and no public exploit has been identified at time of analysis. The CVSS 7.5 score reflects a high-availability impact with no confidentiality or integrity loss.

Information Disclosure Network
NVD GitHub
EPSS 0% 4.4 CVSS 6.9
MEDIUM POC KEV THREAT This Month

Tunnel decapsulation logic in Arista EOS fails to verify the encapsulation protocol type, allowing any tunneled packet destined for a configured decapsulation IP to be silently unwrapped and forwarded into the network. Unauthenticated remote attackers (PR:N, AV:N per CVSS 4.0) can inject traffic into network segments by exploiting this check bypass on switches with VXLAN, decap-groups, or GRE configurations. The CVE description explicitly states this issue has been reported as exploited in the wild; however, a CISA KEV entry was not confirmed in the provided data. The integrity impact is assessed as low on both the vulnerable and subsequent systems per CVSS 4.0 (VI:L/SI:L), but the network trust boundary violation in a core switching context warrants elevated operational priority.

Information Disclosure Eos
NVD VulDB GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OAuth authorization code exchange in NocoDB versions up to 2026.05.0 is vulnerable to a race condition that breaks the single-use guarantee enforced by PKCE. By submitting two or more concurrent token-exchange requests before the server atomically marks the authorization code as consumed, an attacker who controls a malicious OAuth client can obtain multiple valid (access_token, refresh_token) pairs from a single authorization code, resulting in unauthorized long-lived session access alongside the legitimate token. Fixed in 2026.05.1 via an atomic compare-and-swap database operation; no public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Microsoft Race Condition
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in the RTSP server of TP-Link Tapo C520WS v2 IP cameras allows adjacent network attackers to render the camera's video streaming service non-responsive by sending syntactically invalid RTSP input. The flaw is reachable without authentication or user interaction from the local network segment (CVSS 4.0 vector AV:A/PR:N/UI:N) and no public exploit identified at time of analysis. While confidentiality and integrity are unaffected, availability of the surveillance stream is fully impacted, which is operationally significant for a security camera.

Information Disclosure TP-Link Tapo C520Ws V2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Off-by-one out-of-bounds read in 7-Zip's UEFI firmware image parser (versions 9.21-26.00) allows a network-adjacent attacker to trigger either a denial of service (application crash) or minor information disclosure of an adjacent static .rdata string literal into archive metadata, simply by convincing a user to open a crafted UEFI-containing archive. The vulnerability is reached automatically upon archive open with no special user action beyond opening the file, and affects default 7-Zip installations because the UEFI handler is enabled out-of-the-box. No public exploit code has been identified at time of analysis, no KEV listing exists, and the impact is bounded: there is no write primitive and no disclosure of heap data, secrets, or ASLR base addresses.

Denial Of Service Information Disclosure Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

User enumeration via observable timing discrepancy in NocoDB's sign-in endpoint allows network-positioned attackers to determine whether an email address is registered. The authentication service (`auth.service.ts`) returned immediately for unknown users without executing a bcrypt password hash comparison, producing measurably shorter response times than for known users - a classic timing side-channel. No public exploit has been identified at time of analysis, but the technique requires no privileges and is straightforward to execute against any network-accessible NocoDB instance running versions prior to 2026.04.1.

Information Disclosure
NVD GitHub
Prev Page 32 of 741 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
66674

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy