Skip to main content

Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (66678)

EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in Axiomthemes Fermentio WordPress theme through version 1.5.0 allows remote unauthenticated attackers to include arbitrary local files via improperly controlled filename parameters in PHP include/require statements. The flaw is tracked under CWE-98 (PHP Remote File Inclusion) but per the description is exploitable as LFI, with no public exploit identified at time of analysis and high attack complexity reflected in the CVSS vector.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Axiomthemes Spin WordPress theme (versions up to and including 1.8) allows remote attackers to coerce the PHP runtime into including arbitrary local files via an unsanitized filename parameter passed to an include/require statement. Successful exploitation can disclose sensitive configuration data (such as wp-config.php) and, depending on server configuration, escalate into remote code execution by including attacker-controlled content. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower contain network message handling vulnerabilities that allow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Dräger Infinity Delta, Delta XL, and Kappa patient monitors contain an information disclosure vulnerability that allows unauthenticated network attackers to access log files over a network. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Infinity Delta Firmware Delta Xl Firmware +1
NVD
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

HTTP response smuggling in the Elixir Mint HTTP client library (versions 0.1.0 through before 1.9.0) allows attacker-controlled upstream servers to desynchronize response framing on shared connections by exploiting a non-RFC-compliant Content-Length parser. Mint's parser accepts sign-prefixed integers such as '+0' or '+123' that RFC 7230 forbids, creating a disagreement with RFC-strict fronting proxies about where one HTTP response body ends and the next begins. When Mint reuses connections via keep-alive, pipelining, or pooling across trust boundaries, this parser mismatch can be weaponized to leak bytes from one requester's response into another's stream. No public exploit code has been identified at time of analysis, and no KEV listing exists; a vendor patch (v1.9.0) is available.

Information Disclosure Request Smuggling Mint
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in the Axiomthemes Crafti WordPress theme (versions up to and including 1.12) allows remote unauthenticated attackers to coerce the PHP runtime into including arbitrary local files through improperly validated include/require parameters. Successful exploitation can lead to disclosure of sensitive server-side files, configuration data, and under certain conditions code execution via included content. No public exploit identified at time of analysis, but the issue is catalogued by Patchstack in their WordPress vulnerability database.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in the UnboundStudio Accordion FAQ WordPress plugin (versions up to and including 2.2.1) allows authenticated remote attackers to include and execute arbitrary PHP files from the server filesystem via improperly controlled include/require statements. The flaw, reported by Patchstack and tagged as LFI/Information Disclosure, can lead to full compromise of the WordPress instance through disclosure of sensitive configuration data (e.g., wp-config.php) and potential code execution if attacker-controlled files are reachable. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in Axiomthemes Confidant WordPress theme (versions up to and including 1.4) allows remote unauthenticated attackers to include arbitrary local PHP files on the server, potentially leading to sensitive information disclosure and code execution. The vulnerability is reported by Patchstack with a CVSS 8.1 (High) rating; no public exploit identified at time of analysis and the CVE is not present in CISA KEV. The high attack complexity (AC:H) suggests exploitation requires specific conditions to be met, despite the network-reachable, no-auth attack surface.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unsafe reflection in Apache Calcite 1.5.0 through 1.41 allows unauthenticated remote attackers to supply externally-controlled input that influences class or code selection at runtime, resulting in partial confidentiality and integrity impact (CVSS C:L/I:L). The vulnerability stems from CWE-470, where user-supplied input is used unsanitized to drive Java reflection operations. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (7th percentile) indicates low community-assessed exploitation probability at time of analysis.

Information Disclosure Apache Red Hat
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Path traversal in Jupyter Server 2.17.0 allows authenticated users to read and write files in sibling directories outside the configured root, via a flawed startswith() boundary check in _get_os_path() combined with to_os_path() failing to strip '..' sequences. With CVSS 8.1 (high confidentiality and integrity impact) and a publicly available proof-of-concept disclosed through huntr, the issue is particularly dangerous in shared/multi-tenant hosting where multiple Jupyter instances share a parent directory. EPSS is currently low (0.05%), and there is no public exploit identified at time of analysis beyond the huntr POC reference.

Information Disclosure Path Traversal Red Hat +1
NVD VulDB
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Race condition in Open5GS AMF up to version 2.7.6 allows a remote, low-privileged attacker to trigger concurrent NGAP Security Mode Command processing in gmm_state_security_mode (src/amf/gmm-sm.c), resulting in low availability impact. Publicly available exploit code exists (N2-SMC-Concurrent.zip), though no public exploit identified at time of analysis indicates active exploitation and this CVE is not listed in CISA KEV. Notably, the associated fix PR (#4501) addresses a broader NGAP identity-scoping flaw - where the AMF accepted UE-associated NGAP messages from any gNB regardless of which gNB originally registered the UE - suggesting the underlying attack surface may exceed what the formal CVSS score of 3.1 captures.

Information Disclosure Race Condition Open5gs
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Local File Inclusion via null byte injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers with low-privilege accounts to read arbitrary files from the server by manipulating the `page` parameter in `/index.php`. Publicly available exploit code exists, published as a GitHub writeup demonstrating the null byte (%00) bypass technique. No CISA KEV listing at time of analysis, but the public POC lowers the bar for targeted exploitation against low-security PHP deployments.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

File inclusion in SourceCodester Pizzafy Ecommerce System 1.0 exposes the admin panel to path traversal attacks via the `page` parameter in `/admin/index.php`, enabling an authenticated remote attacker to include arbitrary server-side files. Successful exploitation yields low-impact confidentiality, integrity, and availability compromise consistent with the CVSS C:L/I:L/A:L rating. A public exploit writeup (POC) exists on GitHub, significantly lowering the skill threshold for exploitation; however, no active exploitation has been confirmed via CISA KEV at time of analysis.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Slider Revolution WordPress plugin versions 7.0.0 through 7.0.14 exposes raw social media API credentials - including Instagram OAuth tokens, Flickr API keys, YouTube Data API keys, and Facebook App IDs - to any authenticated user holding Contributor-level access or higher. The flaw stems from insufficient authorization controls on the 'slider.get.full' AJAX action, which returns full slider configuration data without verifying whether the requesting user should have access to sensitive credential fields. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the real-world impact of credential theft for active social media integrations exceeds what the medium CVSS score alone suggests.

Information Disclosure WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Transmission BitTorrent client through version 4.1.1 fails to emit anti-clickjacking HTTP response headers on its browser-facing WebUI and RPC endpoint, enabling an attacker to embed the interface in a cross-origin iframe and redirect authenticated user interactions to unintended RPC actions. The fix confirmed in upstream PR #8747 adds both X-Frame-Options: SAMEORIGIN and Content-Security-Policy: frame-ancestors 'self' to all relevant responses. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) indicates low current exploitation interest.

Information Disclosure N A Suse
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Insecure Direct Object Reference (IDOR) in code-projects Online Hospital Management System 1.0 allows a high-privileged remote attacker to manipulate the `delid` parameter in `viewdoctortimings.php`, resulting in unauthorized modification or deletion of doctor timing records beyond the attacker's intended access scope. The CVSS 4.0 score of 2.0 reflects the high privilege prerequisite (PR:H), low integrity impact (VI:L), and low availability impact (VA:L) to the vulnerable component. No public exploit identified at time of analysis as active exploitation - however, publicly available exploit code exists, documented in a GitHub proof-of-concept writeup.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Information disclosure in eLabFTW prior to version 5.4.2 allows authenticated users to enumerate resource titles outside their authorization scope via numeric reference/search queries. Affected deployments in regulated environments - such as clinical labs or research institutions embedding patient identifiers, project names, or regulated data in resource titles - face elevated sensitivity risk despite the limited scope of exposure. Content-level access controls remain intact; only titles leak. No public exploit identified at time of analysis, and CVSS rates this Medium (4.3), consistent with authenticated, low-impact disclosure.

Information Disclosure Elabftw
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Qualcomm Snapdragon platforms stems from an out-of-bounds read (CWE-125) triggered during IOCTL escape operation processing, resulting in memory corruption. A local authenticated attacker with low privileges on an affected Snapdragon-based device can leverage the flaw to achieve high-impact compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Information Disclosure Buffer Overflow Snapdragon
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Qualcomm Snapdragon chipsets improperly parse 802.11 advertisement frames containing malformed MBSSID (Multiple BSSID) elements of insufficient length, triggering a buffer over-read that discloses memory contents to an attacker. The CVSS vector (AV:N/AC:H/PR:L/UI:R/S:C) indicates network-reachable exploitation with changed scope, meaning the impact crosses beyond the Wi-Fi subsystem into adjacent components. No public exploit identified at time of analysis, and no CISA KEV listing exists; Qualcomm addressed this in their June 2026 Security Bulletin.

Information Disclosure Buffer Overflow Snapdragon
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive device configuration is exposed to adjacent network attackers during factory reset operations conducted through the powerline interface on Qualcomm Snapdragon chipsets. An unauthenticated attacker present on the same powerline network segment can intercept unprotected configuration data at the moment of reset, gaining unauthorized access to potentially sensitive device parameters such as credentials or network settings. No public exploit has been identified at time of analysis, and Qualcomm addressed this vulnerability in its June 2026 Security Bulletin.

Information Disclosure Authentication Bypass Snapdragon
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Private key disclosure in Cloud Foundry UAA versions v76.12.0 through v78.12.0 allows unauthenticated remote attackers to retrieve Elliptic Curve (EC) private key material from the public /token_keys endpoint, which is supposed to expose only public verification keys. With the leaked private keys, attackers can forge arbitrary JWTs and impersonate any UAA-authenticated identity across the platform. No public exploit identified at time of analysis, though the CVSS 10.0 score and trivial reproduction step (a single unauthenticated HTTP GET) make weaponization straightforward once the issue is widely known.

Information Disclosure Uaa Release Cf Deployment
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Dräger Infinity Delta, Delta XL, and Kappa patient monitors contain a denial-of-service vulnerability that allows remote attackers to cause the monitor to reboot by sending a malformed network. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Infinity Delta Infinity Delta Xl +1
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Android's AppOpsService (AppOpsService.java) exposes protected system or user information to low-privileged local applications due to missing permission checks across multiple functions, enabling unauthorized information disclosure without requiring additional execution privileges. Affected versions span Android 14 through Android 16-QPR2, representing a broad swath of active Android deployments in use today. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); SSVC rates exploitation as none with only partial technical impact, placing this at low urgency for most organizations.

Privilege Escalation Information Disclosure
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Android 14, 15, and 16 (including 16-qpr2) stems from an out-of-bounds read in the validateNode function of ResourceTypes.cpp, part of the Android resource parsing layer. A local attacker running an unprivileged app can leverage the flaw to elevate privileges without user interaction. No public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue is addressed in the June 2026 Android Security Bulletin.

Privilege Escalation Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 3.3
LOW Monitor

Local information disclosure in Google Android's ResourceTypes.cpp affects Android 14, 15, and 16 (including 16-QPR2) via an incorrect bounds check in the setTo function that enables an out-of-bounds read. An authenticated local attacker holding a standard user account can trigger this flaw without user interaction, potentially leaking sensitive memory contents from the process. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 3.3
LOW Monitor

Local information disclosure in Android's Bluetooth stack allows a low-privileged application to bypass permission enforcement in handleBondStateChanged of AdapterService.java, exposing sensitive Bluetooth bonding state data without requiring any user interaction. Affected versions include Android 15, Android 16, and Android 16-qpr2, as confirmed by the June 2026 Android Security Bulletin and EUVD-2026-33779. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, placing it in the lower tier of operational priority despite the permission bypass nature of the flaw.

Privilege Escalation Information Disclosure
NVD VulDB
EPSS 0% CVSS 3.3
LOW Monitor

Improper privilege management in Android 16 and 16-QPR2 allows a local low-privileged user to override credential provider settings across user profiles by exploiting a permissions bypass in the `updateProvidersWhenServiceRemoved` method of `CredentialManagerService.java`. The CVSS vector confirms local-only exploitation (AV:L) by an authenticated low-privilege account (PR:L) with no user interaction required, yielding limited confidentiality impact. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Privilege Escalation Information Disclosure
NVD VulDB
EPSS 0% CVSS 3.3
LOW Monitor

Lockdown mode bypass in Google Android exposes protected information via a logic error in KeyguardViewMediator.java that allows screen pinning to circumvent lockdown protections. Affected versions span Android 14, 15, 16, and 16-qpr2, with exploitation requiring only local low-privileged access and no user interaction. No public exploit has been identified at time of analysis, and the CVSS score of 3.3 reflects a limited-scope, local-only confidentiality impact.

Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Unauthenticated SQL injection in Pixa Bank 2.0 allows remote attackers to exfiltrate database contents by submitting UNION-based payloads in the 'rib' parameter of the agence-ajax.php endpoint. Publicly available exploit code exists (Packet Storm) and the issue was disclosed by VulnCheck, making opportunistic exploitation likely against any internet-exposed instance. No public exploit identified at time of analysis as actively exploited in the wild (not on CISA KEV), but the trivial attack complexity and existing PoC elevate practical risk.

PHP Information Disclosure SQLi
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Information Disclosure
NVD Exploit-DB
EPSS 0% CVSS 3.7
LOW Monitor

GnuTLS's PKCS#7 padding validation during decryption is not implemented as a constant-time operation, creating a timing side-channel (CWE-208) that remote unauthenticated attackers can exploit to infer padding byte values on CBC-mode cipher suites. Affected deployments include GnuTLS as packaged across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. Red Hat has issued patch RHSA-2026:20613; no active exploitation is confirmed in CISA KEV, and no public exploit code has been identified, but the network-reachable, no-auth-required attack surface warrants patching on systems handling sensitive encrypted traffic.

Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Insufficient granularity of access control in ASP (AMD Secure Processor) may allow an attacker with an untrusted user space application to map sensitive SMN (System Management Network) apertures. Rated high severity (CVSS 7.1). No vendor patch available.

Information Disclosure Amd
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Local privilege-level information disclosure and artifact tampering in CodexBar versions prior to 0.32.0 allows authenticated users on the same macOS host to read App Store Connect API keys and hijack release builds via predictable temporary file paths in the notarization workflow. The flaw stems from writing sensitive credentials and notarization archives to fixed, world-reachable locations rather than per-run private directories, enabling symlink races and pre-creation attacks. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Codexbar
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Cleartext session cookie exposure in CodexBar (a macOS menu bar AI provider client) prior to 0.32.0 allows network-positioned attackers to intercept imported browser session cookies for Amp and Ollama providers. The client failed to enforce HTTPS before reattaching imported cookies when a provider-controlled redirect pointed to a cleartext HTTP endpoint inside the same provider domain, leaking authentication material in plaintext. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Codexbar
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Uncontrolled recursion in Spring Cloud Function's routing layer triggers an Out-of-Memory (OOM) condition, resulting in a denial of service across all active release trains (3.2.x through 5.0.x). The vulnerability is rooted in CWE-674 (Uncontrolled Recursion), where the routing layer lacks depth limits or cycle detection, allowing recursive request-handling to exhaust JVM heap space. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the CVSS physical attack vector (AV:P) appears inconsistent with a routing-layer vulnerability and warrants verification against the Spring/VMware advisory.

Java Information Disclosure
NVD HeroDevs VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Nextcloud Tables versions 0.8.0 through 1.0.3 improperly disclose view filter criteria to authenticated users holding only read-only permissions on a shared view. The flaw in ViewService.php attempted to sanitize filter arrays for low-privileged users but instead exposed the full filter rules - potentially revealing sensitive column names, threshold values, or data organization logic the view owner intended to keep confidential. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA KEV, indicating no confirmed active exploitation.

Information Disclosure Nextcloud
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Broken share revocation in Nextcloud Forms versions 4.3.0 through 5.2.7 leaves former collaborators with persistent read access to uploaded respondent files after removal. The vulnerability stems from a two-layer share architecture where removing a collaborator deleted the Forms-layer share record but silently preserved the underlying Nextcloud Files-layer share on the uploaded files folder - meaning removed users retained filesystem-level access to sensitive form submission files. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but the low-complexity network vector (CVSS AV:N/AC:L/PR:N/UI:N) means a removed collaborator can exploit this passively without any additional action.

Information Disclosure Path Traversal Nextcloud
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

User enumeration via Nextcloud Calendar's attendee suggestion endpoint affects authenticated users on versions 5.5.13-5.5.16 and 6.2.0-6.2.2. The `searchAttendee` controller method in `ContactController.php` called the contacts manager search API without passing the instance's configured sharing restriction parameters - meaning enumeration-limiting settings (`shareapi_allow_share_dialog_user_enumeration`, `shareapi_only_share_with_group_members`, group-scoped restrictions) enforced on all other sharing endpoints were silently bypassed here. An authenticated low-privilege attacker can probe the endpoint with partial name or email strings to reconstruct the full user directory, disclosing usernames and email addresses that administrators had intentionally restricted. No public exploit identified at time of analysis and no confirmed active exploitation (CISA KEV not listed).

Information Disclosure Nextcloud
NVD GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Information disclosure in the Nextcloud Approval app prior to version 2.7.2 allows authenticated users to enumerate whether arbitrary files are enrolled in approval workflows, regardless of their access rights to those files. The root cause (CWE-200) is a missing file-access authorization check in ApprovalService.php before workflow association queries are processed, confirmed by the patch diff in PR #356. No public exploit exists and no active exploitation is confirmed; the practical impact is limited to organizational workflow metadata leakage rather than file content exposure.

Information Disclosure Nextcloud
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthorized access to form submissions in Nextcloud Forms prior to version 5.2.6 allows any authenticated user to read survey or form responses submitted by other users. The root cause is a missing authorization check in the `getSubmission` API endpoint (`ApiController.php`), which failed to verify whether the requesting user held the PERMISSION_RESULTS privilege or was the original submitter. With a CVSS score of 6.5 (Medium) and no public exploit identified at time of analysis, real-world risk is bounded by the requirement for an authenticated session, but the confidentiality impact is rated High given unrestricted access to potentially sensitive form response data.

Information Disclosure Nextcloud
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in PC Tools Internet Security (Symantec) is possible because the PCTCore64.sys kernel driver exposes its PCTCoreDriver WDM device interface to user-mode processes without adequate access controls, allowing low-privileged users to invoke privileged IOCTL handlers. CERT/CC tracked this as VU#158530 and the affected driver is a candidate for Microsoft's recommended driver block list; no public exploit identified at time of analysis, though the vulnerability class (BYOVD-style abuse) is well understood by attackers.

Microsoft Information Disclosure
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local privilege escalation in the Linux kernel's SMB/CIFS client allows unprivileged userspace processes to forge cifs.spnego keys via add_key(2) or request_key(2), supplying attacker-controlled pid, uid, creduid, and upcall_target fields that cifs.upcall trusts as kernel-originated. Successful exploitation enables impersonation of CIFS credential negotiation, leading to high confidentiality, integrity, and availability impact on systems mounting SMB shares. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Linux Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Execution After Redirect (EAR) in a4m4's Student-Management-System exposes admin/ endpoints to unauthorized data access via manipulation of the uid parameter, allowing server-side PHP logic to execute and return sensitive output despite issuing an HTTP redirect response. The CVSS vector (PR:N) confirms no authentication is required, and the exploit has been publicly published via a GitHub issue, making this trivially reproducible. No patch exists and the project maintainer has not responded to disclosure, leaving all deployed instances exposed with no vendor remediation timeline.

Information Disclosure Student Management System
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution in Poppler's Splash rendering backend allows attackers to compromise applications that open attacker-supplied PDFs by triggering an integer overflow in tilingPatternFill that produces an undersized heap allocation and a subsequent out-of-bounds write. The flaw affects Poppler as shipped across Red Hat Enterprise Linux 6 through 10 and Red Hat Hardened Images, with impact including arbitrary code execution, information disclosure, or denial of service in the rendering process. No public exploit identified at time of analysis, and the CVSS 7.8 vector requires user interaction to open a malicious PDF.

Information Disclosure RCE Buffer Overflow +8
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive data exposure in the Logtivity Activity Logs, User Activity Tracking, Multisite Activity Log WordPress plugin (versions up to and including 3.3.6) allows remote unauthenticated attackers to retrieve embedded sensitive information from data sent by the plugin. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable exploitation with no privileges or user interaction, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Information Disclosure Activity Logs User Activity Tracking Multisite Activity Log From Logtivity
NVD
EPSS 0%
LOW PATCH Monitor

Integrity bypass in Siemens kas (pip/kas < 5.3) allows an attacker who controls a referenced external git repository to substitute arbitrary commit content by creating a branch whose name matches the commit SHA recorded in a kas configuration file. Because kas passed the raw SHA string to `git checkout` without forcing disambiguation to a commit object, git resolves a branch of that name instead of the pinned commit, defeating the integrity guarantee users rely on. The primary impact falls on SHA-256 commit IDs; SHA-1 commits face a related but distinct risk through hash-collision substitution. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.

Jwt Attack Information Disclosure Siemens
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

File and directory information exposure in SourceCodester Pet Grooming Management Software 1.0 allows remote unauthenticated attackers to enumerate internal file and directory structures via the /admin/ endpoint. The root cause is CWE-538 (Deployment of Code to Unauthorized Actors / File and Directory Information Exposure), and a proof-of-concept exploit has been publicly released on GitHub. While not listed in CISA KEV and carrying only low confidentiality impact, the absence of any authentication requirement and the public POC lower the bar for exploitation significantly.

Information Disclosure Pet Grooming Management Software
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Arbitrary firmware memory writes in Imagination Technologies Graphics DDK affect multiple DDK versions across Guest/Host VM deployments. A logic error in GPU driver address translation permits kernel-level software within a VM to issue malformed commands to GPU firmware, causing writes to memory regions outside the intended GPU memory boundary. The Chrome OS stable channel advisory reference confirms real-world platform-level impact, and a vendor patch is available. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Memory Corruption Information Disclosure Graphics Ddk
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

CSV injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows high-privileged remote attackers to embed malicious spreadsheet formula payloads via the Address and Company Name fields in the Supplier Creation Interface, which are then written unsanitized to exported CSV files. When downstream staff open the exported file in a spreadsheet application such as Microsoft Excel or LibreOffice Calc, the injected formulas execute in that client application's context, enabling information disclosure, data manipulation, or further client-side exploitation. A publicly available proof-of-concept exists (GitHub), though no active exploitation has been confirmed and this CVE is not listed in the CISA KEV catalog.

Information Disclosure Pharmacy Sales And Inventory System
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Reflected cross-site scripting in the Stormshield Network Security (SNS) appliance login API allows network-accessible attackers to inject and execute arbitrary scripts in a victim's browser session. Affected versions span three distinct release branches: 4.3.0-4.3.41, 4.8.0-4.8.15, and 5.0.0-5.0.5. Successful exploitation can result in session cookie theft, sensitive data exfiltration, or redirection to attacker-controlled sites. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS Information Disclosure
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Unauthenticated information disclosure in Apache ActiveMQ Broker allows remote attackers to enumerate all durable topic subscriptions - including client identifiers, subscription names, topic destinations, and JMS selector expressions - by sending a BrokerInfo command to a broker with syncDurableSubs enabled on a network connector. The broker incorrectly skips authentication before servicing the BrokerInfo request, exposing sensitive messaging infrastructure metadata. No public exploit identified at time of analysis, and EPSS stands at 0.02% (6th percentile), indicating very low current exploitation probability despite network-reachable attack vector.

Information Disclosure Apache
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in Fujitsu ServerView Agents for Windows V11.60.04 and earlier enables an authenticated low-privileged user to chain privileges and obtain SYSTEM-level access on the host. The flaw was reported by JPCERT/CC and is documented in JVN advisory JVN67883085 and FSAS Technologies advisory 0529; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Information Disclosure
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in Fujitsu ServerView Agents for Windows version 11.60.04 and earlier allows an authenticated low-privileged user on the host to obtain SYSTEM-level privileges through incorrect permission assignment on a critical resource. The flaw is reported by JPCERT/CC under JVN#67883085 with a CVSS 4.0 score of 8.5; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Unauthenticated remote attackers can create privileged administrator accounts in SourceCodester Water Billing Management System 1.0 by sending crafted requests to the User Management endpoint, bypassing all authorization controls. The researcher-published reference - titled 'Unauthenticated Admin Creation in PHP System' - confirms the practical impact exceeds the moderate CVSS score: full administrative takeover of the application is achievable without credentials. Publicly available exploit code exists (CVSS E:P), and no vendor patch has been identified at time of analysis.

Information Disclosure PHP
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

{connection_id}) allows any authenticated user holding the Connection-read permission to retrieve plaintext secrets stored in a Connection's extra JSON blob, provided those credential field names - such as slack_webhook_url, bearer, dsn, auth_header, and service_key - were absent from the DEFAULT_SENSITIVE_FIELDS redaction allowlist prior to version 3.2.2. All Airflow deployments before 3.2.2 that store credentials inline in Connection extra fields and grant Connection-read access to more than one user are exposed to lateral credential theft within the platform. No public exploit code or active exploitation has been identified at time of analysis; however, the network-accessible vector and high confidentiality impact make this a meaningful priority in shared or multi-tenant Airflow environments.

Information Disclosure Apache
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Out-of-bounds read in Assimp's Half-Life 1 MDL Loader affects all versions up to 6.0.4, enabling a local low-privileged attacker to leak memory contents by supplying a crafted MDL file that triggers faulty bounds handling in the `read_sequence_infos` function of `HL1MDLLoader.cpp`. Impact is confined to partial confidentiality loss (C:L) with no integrity or availability consequences per the CVSS vector. A publicly available proof-of-concept exploit exists (POC disclosed via GitHub), though no active exploitation has been confirmed and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Buffer Overflow Assimp
NVD VulDB GitHub
EPSS 0% CVSS 5.7
MEDIUM This Month

Improper input validation in the OTRS Customer Backend module allows authenticated low-privilege users to bypass group-based access controls and read customer records restricted to other groups. Affected versions span every major OTRS release line (7.0.X through 2026.X before 2026.4.X), though exploitation is gated by a non-default configuration requirement. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Otrs
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Remote injection in NousResearch Hermes Agent through version 2026.4.30 allows unauthenticated attackers to manipulate the _serve_plugin_skill/skill_view function in tools/skills_tool.py. Publicly available exploit code exists via a GitHub gist, and the vendor has not responded to disclosure attempts, leaving deployments without an official fix. CVSS 7.3 reflects network-reachable, low-complexity exploitation with partial impact across confidentiality, integrity, and availability.

Information Disclosure Hermes Agent
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

Missing brute-force protection on the claim endpoint in unitedbyai droidclaw (all versions up to 0.5.3) allows unauthenticated remote attackers to submit unlimited authentication attempts against the device pairing flow, potentially enumerating or compromising pairing credentials. The root cause is CWE-307 - absent rate limiting or lockout logic in server/src/routes/pairing.ts. A publicly available proof-of-concept exploit exists (hosted on GitHub Gist), though high attack complexity and low confidentiality impact constrain the real-world severity. No patch has been released; the vendor has not responded to the responsible disclosure filed via GitHub issue #14.

Information Disclosure Droidclaw
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Divide-by-zero in Assimp's FBXExporter (UV Channel Handler) up to version 6.0.4 crashes the application when processing maliciously crafted UV channel data during FBX export, resulting in a local denial-of-service condition. An authenticated local user with low privileges can trigger the crash by supplying crafted input to the FBXExporter::WriteObjects function in FBXExporter.cpp. Publicly available exploit code exists via a POC ZIP hosted on GitHub; no active exploitation is confirmed (not in CISA KEV), and the CVSS 4.0 score of 1.9 reflects the severely constrained real-world impact.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM This Month

Unintended internal ticket data exposure in OTRS 2026.3.1 occurs because the ticket article forwarding feature enforces the 'Is visible for customer' flag by default and provides no UI control to override it. Authenticated agents who forward ticket articles will inadvertently expose internal communications or notes to customers through the External Frontend without any warning or opt-out. No public exploit code exists and this is not listed in CISA KEV, but the high confidentiality impact (C:H in CVSS) makes this a meaningful data-leak risk for organizations handling sensitive support workflows.

Information Disclosure Otrs
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Heap out-of-bounds read in Sereal::Decoder for Perl before version 5.005 allows remote attackers to leak up to 31 bytes of adjacent heap memory when a victim application decodes attacker-controlled Sereal-encoded data. The flaw lives in COPY tag handling within srl_read_object() and srl_read_hash(), where a crafted COPY offset can redirect the decoder to mid-value bytes that are then re-interpreted as a SHORT_BINARY tag without bounds checking against the COPY tag's own offset. No public exploit identified at time of analysis, and EPSS is 0.01%, but a vendor patch is available in Sereal-Decoder 5.005.

Information Disclosure Buffer Overflow Suse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The SecretsMasker component in Apache Airflow prior to 3.2.2 returns cleartext sensitive values when those values are stored under recognized sensitive key names (password, token, secret, api_key) nested deeper than five dict levels in structured payloads. Authenticated low-privilege users can craft dag_run.conf or XCom payloads exceeding this depth threshold, causing secrets to surface in task logs, rendered templates, and API responses. No public exploit code exists and EPSS is 0.02% at the 5th percentile - this is not confirmed actively exploited (not in CISA KEV) - but the CVSS confidentiality impact is rated High given that the bypass can expose real credentials to any user who can review logs.

Information Disclosure Apache
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Server-side template injection in Apache Airflow versions 3.0.0 through 3.2.1 allows low-privilege authenticated users to inject Jinja2 expressions via dag_run.conf parameters that are unsafely interpolated into BashOperator commands, leading to arbitrary command execution in the worker context. The flaw carries a 9.1 CVSS but EPSS sits at just 0.03% (9th percentile), and there is no public exploit identified at time of analysis despite a vendor patch being available. Disclosure occurred via the oss-security mailing list on 2026-05-31 alongside several other Airflow advisories.

Ssti Apache Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Rendered template field serialization in Apache Airflow before 3.2.2 exposes nested secrets in cleartext when template field values exceed the configured max_templated_field_length threshold. Authenticated low-privilege users with access to rendered template views can read values stored under documented sensitive keys (password, token, secret, api_key) embedded in nested dictionaries - the pre-fix code stringified the structured object before invoking the secrets masker, destroying the nested key context required for recursive redaction. No public exploit is identified at time of analysis; EPSS is 0.02% (5th percentile), and this CVE is not listed in the CISA KEV catalog.

Information Disclosure Apache
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH POC This Week

SQL injection in OpenCATS through 0.9.7.4 allows authenticated users to extract arbitrary database contents by injecting malicious SQL into the sortDirection parameter of ajax/getDataGridPager.php. Publicly available exploit code exists (Exploit-DB 52579, Packet Storm), and the issue was disclosed via a GitHub Security Advisory coordinated with VulnCheck. The CVSS 4.0 base score of 8.4 reflects high confidentiality impact with a subsequent-system scope change, though exploitation requires a valid low-privileged account.

PHP Information Disclosure SQLi
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Protection mechanism failure in Aider-AI Aider 0.86.3 exposes git pre-commit hook bypass via manipulation of the `git-commit-verify` argument in `aider/args.py`, allowing authenticated remote attackers to commit code without triggering pre-commit security controls. The CVSS temporal score includes E:P (proof-of-concept exploit publicly available, linked to GitHub issue #5057), and the vendor has not yet responded to the responsible disclosure. No public KEV listing exists, and the report confidence (RC:R) remains at 'Reasonable' rather than 'Confirmed', indicating the vendor has not acknowledged the finding.

Information Disclosure Aider
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

Weak password recovery in the BrinaryBrains School Student Management System (OUSL-GROUP-BrinaryBrains) exposes its Forgot Password endpoint to remote manipulation of the email argument, enabling attackers to abuse the flawed recovery mechanism and achieve limited unauthorized account integrity impact. The CVSS 4.0 score of 2.9 reflects high attack complexity (AC:H), constraining real-world exploitability despite publicly available exploit code (E:P). No active exploitation has been confirmed via CISA KEV, and the vendor has not responded to the coordinated disclosure as of the time of reporting.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Resource injection in the OUSL-GROUP-BrinaryBrains School Student Management System allows authenticated remote attackers to manipulate the param1 argument in the marks function of Parents.php, improperly controlling resource identifiers to access unauthorized academic records. The CVSS 4.0 score is 2.1, reflecting low-privilege authentication requirements (PR:L) and limited scope impact; a publicly available proof-of-concept exploit has been disclosed via a GitHub issue. No vendor patch exists - the project uses continuous delivery rolling releases and has not responded to the responsible disclosure report.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Linux kernel eventpoll (epoll) subsystem stems from a use-after-free in ep_remove() where file->f_ep is cleared but the file pointer continues to be used inside the f_lock critical section, allowing a concurrent __fput() to free the underlying struct eventpoll and struct file. Successful exploitation yields an attacker-controllable kmem_cache_free() against the wrong slab cache, enabling memory corruption that can lead to high-integrity, high-confidentiality, and high-availability impact (CVSS 7.8). EPSS is very low (0.02%), no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Linux Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Authenticated privilege escalation to administrator in the Simple History WordPress plugin (versions through 5.26.0) allows a Subscriber-level user to read password-reset email contents logged by SimpleUserLogger and hijack admin accounts. The react/unreact event endpoints reuse a permission callback that only checks for a logged-in user, exposing full event context including reset URLs and keys. No public exploit identified at time of analysis, and exploitation requires that an administrator previously enabled the non-default experimental features option.

Information Disclosure WordPress
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Out-of-bounds read in the Zephyr RTOS SocketCAN implementation lets a local userspace application leak adjacent memory or crash the system by submitting a truncated CAN frame through the sendto syscall. The zcan_sendto_ctx() path guards the user-supplied buffer length only with a NET_ASSERT, which is compiled out of production builds, so socketcan_to_can_frame() then dereferences fields past the end of the buffer. All Zephyr versions up to and including 4.3 are affected; there is no public exploit identified at time of analysis and EPSS is negligible (0.01%, 2nd percentile).

Information Disclosure Buffer Overflow Zephyr
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Uninitialized stack memory disclosure in Exim 4.88 through 4.99.3 allows remote unauthenticated attackers to read arbitrary stack memory contents by sending specially crafted short payloads to proxy-enabled SMTP listeners. The vulnerability is constrained to proxy configurations but requires no authentication and no user interaction (AV:N/AC:L/PR:N/UI:N), making it trivially reachable against exposed instances. No public exploit code or CISA KEV listing exists at time of analysis, and a vendor-released fix is available in Exim 4.99.4.

Information Disclosure Exim
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform (<=0.1.2) allows any authenticated workspace member to read, create, and delete issue dependencies belonging to foreign workspaces by supplying arbitrary issue UUIDs in URL paths and request bodies. The dependency endpoints only enforce membership on the URL workspace_id while passing unvalidated issue and dependency identifiers to DependencyService, enabling cross-tenant linking of issues across any two workspaces in the deployment. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-4x6r-9v57-3gqw confirms the flaw and a fixed version (0.1.4) is available.

Python Authentication Bypass Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-workspace IDOR and member-to-owner privilege escalation in PraisonAI Platform API (pip package praisonai-platform <= 0.1.2) lets any authenticated user read, modify, and delete issues and projects belonging to other tenants, and lets any workspace member promote themselves to owner and evict the legitimate owner. The two flaws chain together: a single member-level invite to any workspace becomes platform-wide data access plus full takeover of any workspace the attacker is added to. No public exploit identified at time of analysis beyond the detailed PoC published in the GHSA advisory, and the issue is not in CISA KEV.

Privilege Escalation Python Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local SSRF in PraisonAI's direct-prompt CLI allows an attacker who can influence prompt text to cause the operator's machine to fetch loopback and private-network HTTP resources, injecting the response body into the LLM prompt context. Affected packages are pip/praisonai <= 4.6.39 and pip/praisonaiagents <= 1.6.39; patches are available in 4.6.40 and 1.6.40 respectively. Publicly available exploit code exists (confirmed working PoC in the GHSA advisory), no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), and the CVSS 5.5 score reflects a meaningful confidentiality impact (C:H) constrained by a local attack vector.

Information Disclosure Mozilla SSRF +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated remote agent control in PraisonAI's call server (versions <= 4.6.39) allows any network-reachable client to enumerate, inspect, invoke, and unregister registered agents when the operator launches `praisonai-call` without setting the `CALL_SERVER_TOKEN` environment variable. The flaw stems from a fail-open authentication dependency combined with the server binding to 0.0.0.0 by default, and a working proof-of-concept is published in the GHSA advisory demonstrating end-to-end exploitation against a default deployment.

Python Authentication Bypass Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Plaintext credential exposure in Admidio v5.0.9 and earlier causes session IDs and persistent auto-login cookie values to be written to application logs whenever debug logging is enabled. Both the ADMIDIO_*_SESSION_ID and the long-lived ADMIDIO_*_AUTO_LOGIN_ID tokens are recorded verbatim by Session::setCookie() and Session::start(), effectively turning the log sink into a recoverable credential store. Any actor with read access to log files, log backups, or external log aggregation pipelines can extract and replay these tokens to hijack active sessions or gain persistent account access. Publicly available exploit code exists as documented in GitHub advisory GHSA-mch8-wf3h-6x88; this CVE is not currently listed in CISA KEV.

Information Disclosure PHP CSRF +1
NVD GitHub
EPSS 0% CVSS 2.9
LOW PATCH Monitor

Brute force regulation bypass in Authelia's Basic Auth flow (versions 4.38.0-4.39.19) allows unauthenticated remote attackers to partially circumvent account lockout controls by submitting login attempts using case variants of a target username (e.g., 'john', 'John', 'JOHN'). Because Authelia passes the raw Authorization header username to the regulation system without canonicalization, and LDAP backends treat these as the same identity while the regulation SQL queries treat them as distinct, each casing variant occupies a separate ban bucket - multiplying the effective attempt quota before lockout triggers. No public exploit identified at time of analysis, and the CVSSv4 weighted score of 2.9 (Low) reflects the narrow exploitation conditions required and the lack of attacker feedback during exploitation.

Information Disclosure Nginx
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Cross-tenant data exposure in Extreme Platform ONE's IAM Gateway API-key authentication path allows an authenticated API-key holder to intermittently receive response data belonging to a different tenant under high-concurrency conditions. Affected endpoints include both ExtremeCloud IQ (XIQ/XAPI) and Extreme Platform ONE Common Services API paths; XIQ-native tokens and standard OAuth/Bearer JWT authentication are explicitly confirmed unaffected. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the Changed scope (S:C) in the CVSS vector confirms that successful exploitation crosses tenant isolation boundaries, elevating the real-world severity beyond the 6.3 base score for multi-tenant deployments.

Information Disclosure Race Condition Extreme Platform One
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uncontrolled recursion in python-zeroconf's mDNS DNS name decoder (versions < 0.149.5) allows any unauthenticated host on the local link to crash or degrade the mDNS listener with a single ~3 kB packet. The `_decode_labels_at_offset` method recurses once per DNS compression pointer (RFC 1035 §4.1.4) with no cap on unique forward-pointer chain depth; a packet carrying ~1500 chained pointers overflows CPython's default call stack, and because `RecursionError` was omitted from `DECODE_EXCEPTIONS`, the exception escaped `DNSIncoming.__init__` rather than being handled gracefully. Replaying at a few hertz produces sustained CPU burn, log flooding, and degradation of all mDNS-dependent services (HomeKit, Chromecast/Matter, AirPlay, network printers); no public exploit identified at time of analysis, but the attack is trivially constructible from the published advisory and test fixture in PR #1719.

Information Disclosure Python
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

FreeScout help desk software prior to version 1.8.219 leaks account existence through its password reset endpoint, enabling unauthenticated remote attackers to enumerate valid helpdesk agent email addresses at scale. The endpoint returns visually distinct responses depending on whether a submitted email is registered, violating CWE-203 (Observable Discrepancy) and creating a reliable reconnaissance channel. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the zero-authentication, low-complexity attack surface makes automated enumeration trivially achievable against any internet-exposed FreeScout instance running a pre-1.8.219 version.

Information Disclosure Freescout
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap use-after-free/double-free in the FreeRDP RDP client (versions prior to 3.26.0) lets a malicious or compromised RDP server corrupt client memory through the RDPEAR authentication-redirection path. The flaw stems from the RDPEAR NDR parser reusing a single non-null pointer ref-id across multiple logical fields, causing the same heap object to be assigned to two outputs and freed twice by the generic destructor. There is no public exploit beyond a proof-of-concept (SSVC: poc), and EPSS exploitation probability is very low (0.05%), but the SSVC technical impact is rated total and a vendor fix is available.

Information Disclosure Use After Free Memory Corruption +1
NVD GitHub VulDB
EPSS 0%
HIGH PATCH This Week

Multiple input-validation and outbound-channel hardening defects in AgenticMail (npm @agenticmail/api ≤ 0.9.31 and @agenticmail/core ≤ 0.9.9) allow tenants to bypass storage ownership checks via raw SQL, reach cross-agent metadata, and cause the MailSender to transmit credentials over channels lacking certificate verification or with attacker-controlled SMTP headers. Tagged as information disclosure, the issue class is CWE-20 (improper input validation); no public exploit code has been identified at time of analysis and the vendor explicitly withheld the security patch branch from public release per their SECURITY.md, so weaponization risk is currently limited despite confirmed code-level fixes. Real-world impact is highest for multi-tenant AgenticMail deployments handling agent-owned mailboxes and outbound relay secrets.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

HTTP response/header injection in cpp-httplib server versions prior to 0.44.0 allows remote unauthenticated attackers to smuggle CRLF sequences into stored header values, because the is_field_value validity check runs before percent-decoding lets %0D%0A through and expand to literal \r\n. The CVSS 9.9 score with Scope:Changed reflects the ability to influence downstream HTTP components, but no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Information Disclosure Suse
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Schema metadata disclosure in Parse Server's GraphQL endpoint allows unauthenticated callers to iteratively reconstruct the full application schema - including class names, field names, argument names, mutation names, and input-object fields - by exploiting 'Did you mean ...?' suggestions embedded in GraphQL validation-error messages. This affects all deployments with the GraphQL API mounted, bypasses the existing IntrospectionControlPlugin (the default schema-hiding control), and directly defeats the security goals of prior advisories GHSA-48q3-prgv-gm4w and GHSA-q5q9-2rhp-33qw. No public exploit or CISA KEV listing has been identified at time of analysis; however, the unauthenticated, low-effort nature of the enumeration technique and the reconnaissance value of schema intelligence make this a meaningful risk for deployments that rely on schema opacity as a defense layer.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Double free memory corruption in Rizin's byte_pattern_search() function (librz/core/cmd/cmd_search.c) arises from incorrect pointer ownership declarations, allowing a low-privileged local attacker with physical access to cause low-integrity and low-availability impacts under high-complexity conditions requiring user interaction. The CVSS score of 3.3 (Low) reflects the extremely constrained attack surface: physical presence, high complexity, and mandatory user interaction all limit practical exploitability. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Rizin
NVD GitHub VulDB
EPSS 0% CVSS 3.3
LOW Monitor

Heap out-of-bounds read in Rizin's OMF binary parser exposes heap memory contents when a user opens a maliciously crafted Object Module Format file. An off-by-one bounds check error in the `rz_bin_omf_get_entry` function within `librz/bin/format/omf/omf.c` allows array access one element past the end of the allocated sections array, resulting in limited confidentiality impact (heap data disclosure). No public exploit exists and this is not listed in CISA KEV; the CVSS score of 3.3 accurately reflects constrained real-world risk due to local-only access and mandatory user interaction.

Information Disclosure Buffer Overflow Rizin
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Union-based SQL injection in eZ Publish Legacy's dfscleanup.php script allows a local authenticated attacker with sufficient privileges to extract sensitive data, including user credentials, from the underlying MySQL database. The flaw resides in the `_getFileList` function of the `eZDFSFileHandlerMySQLiBackend` class and is permanently unpatched because all branches of the project have reached end of life. No public exploit identified at time of analysis, though a detailed researcher write-up exists on GitHub.

PHP Information Disclosure SQLi
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM This Month

Memory unsafety in unbounded-spsc 0.2.0 (Rust crate) allows a local attacker with low privileges to cause out-of-bounds reads, allocator corruption, and process crashes by winning a TOCTOU race between Sender::send and Receiver::drop. The root defect is a pointer-as-value transmute in the DISCONNECTED arm of Sender::send (src/lib.rs:384-401): the code transmutes an 8-byte raw pointer (*mut Producer<T>) directly into Consumer<T>, meaning the fake Consumer's internal Arc::ptr points at the Sender struct itself rather than the real ArcInner<Buffer<T>>. No public exploit identified at time of analysis, but a proof-of-concept reproducing SIGSEGV is included in the advisory and reproduces approximately 3 out of 10 trials under heavy contention in release mode.

Information Disclosure Canonical Buffer Overflow
NVD GitHub VulDB
Prev Page 37 of 741 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
66678

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy