Information Disclosure
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.
How It Works
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.
Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.
The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
Impact
- Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
- Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
- Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
- Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
- Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures
Real-World Examples
A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.
Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.
Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.
Mitigation
- Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
- Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
- Access control audits: Restrict or remove development artifacts (
.git, backup files,phpinfo()) and internal endpoints before deployment - Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
- Security headers: Deploy
X-Content-Type-Options, remove server version banners, and disable directory indexing - Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
Recent CVEs (66654)
OpenSSH's internal-sftp subsystem silently discards all command-line arguments beyond position 9, allowing authenticated SFTP users to bypass security restrictions that administrators intended to enforce via those later-positioned arguments. All OpenSSH releases before 10.4 are affected when sshd_config supplies more than nine arguments to the internal-sftp subsystem, which is a non-default but legitimate administrative pattern used for directory restriction, read-only enforcement, and umask control. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog; however, sites relying on complex internal-sftp argument chains for access policy enforcement face a direct, silent policy bypass.
Path traversal in the scp utility of OpenSSH before 10.4 causes files to be written into the parent directory of the intended destination during remote-to-remote copy operations. The root cause is CWE-23 (Relative Path Traversal): scp fails to canonicalize or sanitize paths when relaying data between two remote hosts, allowing an attacker controlling a malicious endpoint to influence where transferred files land. No public exploit identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; the CVSS AC:H and UI:R metrics significantly constrain real-world exploitability.
Path traversal in the OpenSSH sftp client before version 10.4p1 allows an attacker-controlled server to write downloaded files outside the user's intended target directory when the 'sftp server:/path .' bulk-download syntax is used. Affected are all OpenSSH deployments where users sftp from untrusted or attacker-controlled hosts, which in practice spans virtually every Linux and Unix environment. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the ubiquity of OpenSSH elevates aggregate exposure despite the moderate per-instance severity.
Out-of-bounds read in the Perl DBI module's preparse() SQL-normalisation routine allows an attacker who controls SQL passed to the method (where the statement begins with a comment line) to trigger a one-byte read past a buffer, in all DBI releases before 1.650. On memory-hardened builds this faults and crashes the process (availability impact); on normal builds it produces nondeterministic newline retention. This is a CWE-125 flaw reported by CPANSec with no public exploit identified at time of analysis; EPSS is low at 0.19% (8th percentile) and it is not in CISA KEV.
Cross-tenant authorization bypass in FastGPT (versions 4.14.17 through pre-4.15.0-beta4) permits an authenticated tenant user to inject a foreign tenant's datasetId via the POST /api/core/dataset/collection/create/reTrainingCollection endpoint, corrupting ownership anchors in persisted dataset objects. Downstream dataset, collection, and training endpoints then derive authorization decisions from these poisoned records, granting the attacker cross-tenant read, update, and delete access to another tenant's data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the vendor released version 4.15.0-beta4 as the confirmed fix.
Arbitrary file read and exfiltration in Anki prior to 25.09.4 allows a remote attacker to access sensitive files on a victim's system by distributing a maliciously crafted card package (.apkg). The root cause is an origin validation failure (CWE-346) in Anki's internal localhost API, which fails to block iframe-embedded scripts from accessing privileged backend methods such as getImageForOcclusion. Exploitation requires the victim to import the malicious deck; no public exploit code or CISA KEV listing has been identified at time of analysis.
Cross-origin request forgery against Anki's local HTTP server allows a malicious website to trigger unauthorized side-effecting requests to the application while it is running on the victim's machine. All Anki versions prior to 25.09.3 are affected (CPE: cpe:2.3:a:ankitects:anki:*:*:*:*:*:*:*:*). The practical severity varies significantly by browser: implementations with Private Network Access (PNA) protections block such requests by default, limiting real-world impact to older or less-restrictive browser configurations. No public exploit identified at time of analysis, though security researcher Tavis Ormandy (Google Project Zero) publicly discussed the issue on X, indicating independent researcher awareness.
Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving a Metalink document whose URL element contains only whitespace, causing clean_metalink_string() in src/metalink.c to decrement a pointer past the start of the heap buffer. The out-of-bounds read (CWE-125) produces abnormal program behavior and is reported by VulnCheck; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed upstream in GitLab commit 37a40fc.
Sensitive cryptographic material on HPE Networking Instant On 1830, 1930, and 1960 switches is exposed to remote network actors through an information disclosure vulnerability. Exploitation allows retrieval of cryptographic secrets such as private keys, certificates, or pre-shared credentials, which could subsequently enable man-in-the-middle attacks, traffic decryption, or device impersonation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
Credential leakage in the Perl HTTP::Tiny client (all versions before 0.095) lets an attacker who controls a redirect destination harvest sensitive headers. When a server answers with a 3xx redirect, HTTP::Tiny re-sends caller-supplied Authorization, Cookie and Proxy-Authorization headers to the new host without verifying it shares the original origin, including across scheme, host or port boundaries and over https-to-http downgrades that expose them in cleartext on the wire. No public exploit is identified at time of analysis and CISA SSVC rates exploitation as none, but the flaw is well-documented and a vendor patch is available in 0.095.
Arbitrary file disclosure in AWS Research and Engineering Studio (RES) prior to version 2026.06 allows an authenticated remote user to read any file readable by root on the cluster-manager EC2 instance. The Auth.GetUserPrivateKey API follows a user-controlled symbolic link at ~/.ssh/id_rsa, and because the cluster-manager process runs as root, an attacker can exfiltrate other users' SSH private keys and application secrets. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Attribute encryption in the 389-ds-base LDBM backend exposes a cryptographic design flaw affecting Red Hat Directory Server 11, 12, and 13 across all supported RHEL releases (6 through 10). The LDBM backend applies a static, hardcoded initialization vector (IV) for both AES-CBC and 3DES-CBC encryption of directory attribute values, meaning that two entries storing identical plaintext for an encrypted attribute will always produce identical ciphertext blocks - a classic ciphertext equality oracle. An attacker with privileged filesystem-level read access to the LDBM database files can exploit this to determine whether any two encrypted attribute values are identical, leaking relational information about the directory without recovering plaintext. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Memory over-read in Django's GIS module allows unauthenticated remote attackers to potentially disclose adjacent heap memory or degrade service availability via a segmentation fault. The `django.contrib.gis.gdal.GDALRaster` class fails to correctly bound its read when constructed from a bytes object, exposing raw memory when the `vsi_buffer` property is subsequently accessed. Affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16; no public exploit identified at time of analysis and not listed in CISA KEV.
Cache poisoning in Django's UpdateCacheMiddleware and cache_page() decorator exposes private user data to unauthenticated remote attackers by incorrectly serving cached responses across different cookie contexts. Versions 6.0 before 6.0.7 and 5.2 before 5.2.16 are confirmed affected; older unsupported branches (5.0.x, 4.1.x, 3.2.x) were not evaluated but may share the flaw. No public exploit or CISA KEV listing exists at time of analysis, and the low CVSS 4.0 score of 2.3 reflects meaningful preconditions, though the data-disclosure consequence for applications serving personalized, cookie-gated content through a shared cache is concrete.
Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). Depending on how deep the webapp sits below root, this exposes both in-webapp secrets such as WEB-INF/xwiki.cfg and Hibernate configuration, and out-of-webapp OS files like /etc/passwd. No public exploit or active exploitation is tracked, but the vendor advisory (GHSA-qj4x-9g63-25g6) itself publishes working request URLs, so weaponization is trivial.
Signature verification bypass in HAVELSAN Liman MYS (versions before release.Master.1107) lets remote attackers forge the source/authenticity of data - tagged as a JWT attack - enabling identity spoofing and likely authentication bypass. Per CVSS the vector is network-based and unauthenticated (AV:N/PR:N) with high impact to confidentiality and integrity. No public exploit is identified at time of analysis and it is not on CISA KEV.
Privilege escalation in ARC Informatique PcVue SCADA/HMI software (all versions prior to 17.0.0) arises because the encryption algorithm protecting user-account configuration in the built-in user directory is cryptographically inadequate (CWE-326). A local attacker with low privileges can decrypt or tamper with the stored account configuration and ultimately obtain privileged access to the PcVue application. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor CVSS 4.0 base score is 8.4 (High).
Insecure credential storage in PcVue exposes built-in user account passwords to any local attacker with low-privileged filesystem access, across all versions prior to 17.0.0. The credentials are stored unprotected in the project's User directory, recoverable without elevated OS privileges. No public exploit code has been identified at time of analysis, but in OT/SCADA environments where PcVue is deployed, recovered credentials could enable unauthorized control of industrial processes.
Apache Airflow REST API exposes provider secrets in plaintext through the task-instance detail and list endpoints when tasks are in a deferred state. Any authenticated user holding DAG-scoped task-instance read access - a permission commonly granted to non-admin roles - can retrieve API keys, passwords, or other secrets passed by deferred operators into trigger kwargs. Fixed in Apache Airflow 3.3.0; no public exploit code identified at time of analysis, though exploitation is trivially achievable by any authenticated user with the requisite read permission.
Sensitive credential exposure in Apache Airflow's Bulk Variables API allows authenticated users with bulk Variable read permission to retrieve plaintext values from JSON-typed variables whose key names use secret-suffixed conventions such as `*_password`, `*_token`, or `*_secret`. The redactor function was invoked without passing the variable key, so the `should_hide_value_for_key` check - which is responsible for masking secrets based on key-name patterns - could never fire for JSON-decodable variable values. This affects all deployments prior to 3.3.0 that store sensitive credentials in JSON-typed Airflow Variables under secret-suffixed key names; no public exploit has been identified at time of analysis, and exploitation is bounded by the requirement for authenticated access with a specific permission grant.
Incomplete authorization filtering in Apache Airflow's `/ui/dependencies` scheduling graph endpoint exposes restricted DAG identifiers to authenticated users who lack read permission on those DAGs. The endpoint correctly filters top-level serialized DAG keys against the caller's ACL but leaks referenced DAG IDs through `dep.source` and `dep.target` fields of trigger and sensor dependency entries, enabling cross-team DAG enumeration in multi-tenant deployments. This is a residual gap from an incomplete fix for CVE-2026-28563; no public exploit has been identified at time of analysis, and a vendor patch is available in apache-airflow 3.3.0.
Apache Airflow's Config API leaks plaintext secrets-backend credentials to authenticated users with Config read permission, because per-key environment variable overrides (e.g., AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID) generate synthetic config entries whose names are absent from the sensitive_config_values masking list. Affected deployments are those that configure secrets backends such as HashiCorp Vault via these per-key environment variable patterns, exposing credentials like Vault role_id and secret_id through normal API responses. No public exploit has been identified at the time of analysis; the vendor-released fix is apache-airflow 3.3.0.
Predictable KASLR offsets and RNG seeds in Raspberry Pi 5 and Compute Module 5 EEPROM firmware undermine kernel address space layout randomization across all affected devices and reboots. Because the entropy source is deterministic, any attacker who can identify the firmware version can predict kernel memory addresses, reducing KASLR to a known-offset bypass. This does not itself enable code execution, but it significantly lowers the bar for chaining with any memory-corruption vulnerability targeting these devices. No public exploit code has been identified at time of analysis and this is not listed in the CISA KEV catalog.
Arbitrary file deletion in the WordPress Frontend File Manager Plugin (versions up to and including 23.6) lets unauthenticated visitors remove any file on the server when guest upload mode is enabled, because a user-supplied file path is not validated before the delete operation. Removing critical files such as wp-config.php drops the site into its installation/setup routine, which an attacker can chain toward a complete site takeover. No public exploit is identified at time of analysis and EPSS is low (0.15%, 4th percentile), but the unauthenticated network vector and scope-changing impact make this a serious risk for exposed sites running the vulnerable configuration.
The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This removes the targeted media from its original location and can break content across the site.
Incorrect privilege assignment in Gallagher Command Centre Server permits an authenticated low-privilege operator to execute operations restricted to higher-privilege roles, enabling unauthorized integrity impacts on physical security configurations. Affected versions span the 9.10 through 9.50 release lines, with patches available for 9.20-9.50 but no fix for the fully end-of-support 9.10 branch. No public exploit code exists and this vulnerability is not listed in CISA KEV; it was disclosed directly by the vendor Gallagher.
Password reset poisoning in Coolify prior to 4.0.0-beta.471 enables unauthenticated account takeover by injecting a forged X-Forwarded-Host header during a password reset request. Two compounding middleware failures make this possible: TrustProxies trusts all proxy sources unconditionally, and TrustHosts is rendered inoperable by a circular caching dependency, meaning the Host header is never validated. The reset URL is generated from the spoofed request host, so the victim's reset token is delivered to an attacker-controlled domain. No public exploit is identified at time of analysis, but the attack is low-friction and the fix is confirmed in version 4.0.0-beta.471.
Sanctum API tokens in Coolify never expire prior to v4.0.0-beta.474, meaning any token that is leaked or stolen remains permanently valid until an administrator manually revokes it. This affects the self-hosted server, application, and database management platform across all versions below 4.0.0-beta.474. An attacker who obtains a valid API token via secondary means retains indefinite read access to the Coolify API without natural time-bounded expiry as a safeguard. No public exploit has been identified at time of analysis, and the low CVSS score of 3.1 reflects the constrained real-world impact.
File path collision in FOSSBilling's downloadable product service allows an authenticated administrator to silently overwrite another product's stored file by uploading a file with an identical original filename. Because FOSSBilling stores uploaded files at a path derived solely from md5(<original filename>), two uploads sharing the same filename map to the same storage location - the later upload wins, and customers downloading the earlier product receive the substituted file instead. No public exploit exists and this is not in CISA KEV, but the integrity and information-disclosure impact are concrete: customers may receive incorrect - potentially confidential - product files. Version 0.8.1 patches the issue.
Unauthenticated information disclosure in FOSSBilling 0.5.3-0.7.2 exposes administrator-defined custom API key configuration fields (`custom_*`) to any caller possessing a valid API key via the guest-tier `serviceapikey/get_info` endpoint. The affected fields may contain business-sensitive operational data including pricing tiers, feature flags, rate limits, expiry overrides, and access scope data as populated by billing administrators. No public exploit has been identified and no CISA KEV listing exists, but the network-accessible, low-complexity nature of the flaw makes it trivially exploitable by any party holding or able to obtain a valid API key. Vendor patch is confirmed available in version 0.8.0.
Address bar spoofing in Firefox for iOS allows a remote unauthenticated attacker to display a trusted origin in the browser's address bar while the victim views and interacts with fully attacker-controlled content - a classic and effective phishing enabler. The attack exploits a race condition in navigation handling: a malicious page enqueues a synchronous JavaScript dialog at the moment a user navigates away, freezing the address bar on the destination's legitimate origin while the malicious page's content continues to render. No public exploit code has been identified and EPSS is 0.15% (4th percentile), indicating no observed widespread exploitation; however, the technique is conceptually simple and phishing value is high.
Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.
Out-of-bounds read in FreeType 2.14.3 exposes partial heap memory and risks process crashes when processing crafted variable fonts via the TT_Get_Var_Design code path. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects server-side or automated font processing pipelines where untrusted font data reaches FT_Get_Var_Design_Coordinates without authentication barriers. No active exploitation is confirmed in CISA KEV; however, a researcher-published gist suggests working proof-of-concept material exists, and EPSS at 0.17% (7th percentile) indicates minimal observed exploitation activity to date.
Account takeover in FOSSBilling 0.5.6 through 0.7.2 arises because the reset_password guest API endpoint reuses an existing, unexpired ClientPasswordReset token rather than rotating it on each request. An attacker who has captured a victim's earlier reset link retains a valid path to hijack the account even after the victim requests a fresh reset, since the original token is never invalidated and its 15-minute window is anchored to the first request. No public exploit is identified at time of analysis, and the CVSS 4.0 score is 7.7 (High); version 0.8.0 fixes the flaw.
Privilege escalation and unauthorized access in FOSSBilling before 0.8.0 lets authenticated low-privileged staff accounts invoke admin API endpoints they should not reach, exposing sensitive data and enabling actions reserved for higher-privilege roles. The flaw stems from the framework-level can_always_access module flag combined with weak per-endpoint permission checks, so any staff login becomes a stepping stone to sensitive settings. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the GitHub Security Advisory rates it CVSS 4.0 8.7 (High).
FOSSBilling prior to version 0.8.0 exposes sensitive administrative data to low-privileged staff accounts through an asymmetric access control flaw: write-side admin API endpoints correctly enforce fine-grained permissions, but their corresponding read endpoints lack any authorization guards entirely. Any authenticated staff user can call these read endpoints over the network and retrieve data beyond their intended access scope. No public exploit code has been identified and the vulnerability is not in CISA KEV; risk is primarily an insider-threat scenario within organizations with staff-level access to the billing platform.
FOSSBilling's PayPalEmail payment adapter prior to version 0.8.0 fails to validate IPN-supplied payment amounts against invoice totals, enabling authenticated clients to underpay invoices while having them marked as fully paid. The PayPal IPN field `mc_gross` is credited directly to the client balance without cross-checking the corresponding invoice amount, and a pre-existing $0.05 floating-point epsilon in the credit-payment logic expands the exploitable gap to $0.04 per invoice. No public exploit code exists and the vulnerability is not in CISA KEV; however, the attack is trivially executable by any registered client on a system with the PayPalEmail adapter enabled.
Race condition in FOSSBilling's cart checkout flow allows authenticated clients to exploit promo codes beyond their configured usage limits by submitting concurrent checkout requests. Affected versions prior to 0.8.0 fail to atomically check and increment promo code usage counts (CWE-367), enabling a single limited-use or one-time-use code to be redeemed unlimited times. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the attack is straightforward to automate for any authenticated user with knowledge of a valid promo code.
Complete database export and overwrite in the 9router npm application is possible for any authenticated user via the /api/settings/database endpoint, which is guarded only by the ALWAYS_PROTECTED session check (JWT or CLI token). A low-privileged attacker can GET the full database - including plaintext API keys, OAuth tokens, and OIDC client secrets - and POST an attacker-crafted database that wipes and replaces all tables, including the password hash, yielding total takeover. No CISA KEV listing exists and no standalone exploit is published, but the advisory (GHSA-qvfm-67h2-2qfx) includes detailed reproduction steps, and the default password '123456' makes obtaining the required session trivial in unhardened deployments.
Proof-system soundness bypass in the Zcash Orchard shielded pool lets a malicious prover forge valid zero-knowledge proofs that satisfy the diversified-address-integrity check pk_d = [ivk] g_d for arbitrary key triples, breaking the binding between an Action and the note's real incoming viewing key, nullifier, and spend authorizing key. The flaw enables an undetectable double-spend within the Orchard pool (bounded only by Zcash's turnstile supply limit) and, given knowledge of a note plaintext, theft of another user's funds by forging spend authorization. No public exploit is identified and there is no evidence of exploitation before remediation, but the bug was live in consensus since NU5 (May 31, 2022) and was fixed via the NU6.2 hard fork on June 3, 2026.
Privilege retention in FOSSBilling before 0.8.0 allows a suspended or deactivated client, staff, or admin to keep full authenticated access because the session identity loaders in src/di.php never re-check account status. Suspending or deactivating a user does not terminate their live session - access persists until the session expires naturally. This is an authenticated (PR:L) session-management flaw with no public exploit identified at time of analysis and no CISA KEV listing; the vendor rates it 8.7 (CVSS 4.0).
Cross-boundary information disclosure in Coder's workspace app proxy allows an attacker who controls a shared workspace app to read a victim user's private app responses by forging the X-Forwarded-Host header. The proxy trusts this client-supplied header for routing decisions while simultaneously authorizing the request with the victim's own session cookie - which the browser attaches to any subdomain because cookies are scoped to the wildcard parent domain - enabling the attacker to steer responses from private apps back through their own JavaScript. Exploitation requires subdomain app routing (wildcard hostname) to be enabled and the victim to visit the attacker's shared app; no public exploit code or CISA KEV listing has been identified at time of analysis.
HSTS header delivery is permanently broken in gofiber/fiber's helmet middleware due to a logic error that compares the HTTP protocol version string ('HTTP/1.1', 'HTTP/2.0') against the literal string 'https' - a comparison that is always false in any real deployment, making the entire HSTS conditional block dead code. Applications using Fiber that configure HSTSMaxAge expecting HSTS protection receive none, silently eliminating a security control that operators believe is active. A maintainer-runnable POC confirming the bug has been published with the advisory; no CISA KEV listing exists, but any application relying on helmet for HSTS protection has had that protection stripped since the erroneous code was introduced.
Unauthorized tool invocation in the Langroid Python LLM-agent framework lets a user of an exposed chat interface directly execute server-side tool handlers by sending raw tool JSON, even when the tool was registered with use=False, handle=True. Because the dispatch path (agent_response → handle_message → get_tool_messages) never checks whether a message originated from Entity.USER versus Entity.LLM, the use=False guard — which developers reasonably assume blocks end-user invocation — only stops the LLM from emitting the tool, not a user from calling it. A working PoC exists in the advisory (publicly available exploit code exists); depending on which handled tools are enabled, this yields file read/write, database queries, or access to internal orchestration tools.
Sensitive key material can be exposed in Qualcomm Snapdragon platforms because AES-GCM key wrapping is performed with a hardcoded/static initialization vector instead of a unique per-call nonce. A local, low-privileged attacker who can collect multiple wrapped outputs can exploit the resulting IV/nonce reuse to recover confidentiality and forge integrity of wrapped keys. There is no public exploit identified at time of analysis, and the issue is disclosed via Qualcomm's July 2026 security bulletin.
Remote image auto-fetch in the OpenAI Codex desktop app for macOS (versions prior to 26.527.31326) enables silent exfiltration of session secrets via indirect prompt injection. An attacker who can place malicious instructions into content processed by Codex - such as a tool result, API response, or file read during a session - can manipulate the model into generating a Markdown image tag whose URL encodes sensitive data; the app then automatically fetches that URL, transmitting API keys, source code, or tool-returned data to an attacker-controlled server with no additional user action. No active exploitation is confirmed (not listed in CISA KEV), no public proof-of-concept is identified, and EPSS sits at 0.16% (6th percentile), indicating low current exploitation probability despite the high-value target profile of affected users.
RSA PKCS#1 v1.5 decryption in OP-TEE's Hisilicon HPRE hardware accelerator driver exposes a Bleichenbacher-style padding oracle, allowing a local attacker to recover RSA plaintext by adaptively querying the oracle. Affected are optee_os versions 4.5.0 through 4.10.x built with Hisilicon HPRE support (CFG_HISILICON_ACC_V3=y) on Arm TrustZone-based platforms. No public exploit code or CISA KEV listing exists; exploitation is constrained by local access requirements and the high query volume characteristic of Bleichenbacher-class attacks.
Symlink traversal in Hugo's virtual filesystem (v0.123.0-v0.163.0) allows a symlink planted inside a theme or local mount to escape the mount sandbox and return the contents of arbitrary files accessible to the OS user running the hugo build. A regression in RootMappingFs.statRoot introduced a Stat call where Lstat was required, silently resolving symlinks that cross mount boundaries. No public exploit code or CISA KEV listing exists; the issue is fixed in v0.163.1.
RSA-OAEP decryption in OP-TEE OS versions 3.9.0 through 4.10.x exposes a Manger-style padding oracle via the NXP CAAM hardware crypto driver, enabling local low-privileged attackers to recover RSA-OAEP plaintext through approximately 1,000-2,000 adaptive chosen-ciphertext queries. The flaw arises from non-constant-time memcmp() usage during label hash verification combined with multiple distinguishable error paths that leak oracle-exploitable timing and response information. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is constrained to NXP CAAM-equipped platforms with the RSA driver enabled.
Authentication bypass in Tenda router firmware (AC10, AC5, AC6, FH1201, W15E) lets any user log in as administrator via a hidden vendor backdoor: after normal MD5-based login fails, the /bin/httpd login() routine at 0x4c88b8 falls back to a plaintext strcmp() against the 'sys.rzadmin.password' config value, granting role=2 (admin) with any username. Reported through CERT/CC (VU#213560), it is not in CISA KEV and has no public exploit identified at time of analysis, with a low EPSS score of 0.24% (15th percentile). The flaw is a classic CWE-912 hidden-functionality backdoor mapped to CVSS 9.8.
RSA-OAEP decryption in OP-TEE OS versions 4.5.0 through 4.10.x exposes a Manger-style padding oracle via the Hisilicon HPRE hardware crypto driver, enabling a local attacker to recover RSA-OAEP plaintext through approximately 1000-2000 adaptive chosen ciphertext queries. The root cause is a non-constant-time `memcmp()` used for label hash verification combined with distinguishable error paths - classic CWE-208 timing side-channel conditions. Impact is heavily constrained by a non-default build requirement: only Hisilicon D06 (plat-d06) hardware built with `CFG_HISILICON_ACC_V3=y` is exposed, and no public exploit or active exploitation has been identified at time of analysis.
Channel-binding downgrade in the pgjdbc PostgreSQL JDBC Driver (releases 42.7.4 through 42.7.11) lets an active man-in-the-middle silently strip SCRAM-SHA-256-PLUS channel binding down to plain SCRAM-SHA-256 even when the client explicitly set channelBinding=require, defeating the exact protection that setting promises. The flaw stems from the bundled com.ongres.scram:scram-client returning an empty binding for certificates whose signature algorithm lacks a tls-server-end-point hash, combined with pgJDBC's ScramAuthenticator failing to reject that empty binding. No public exploit identified at time of analysis and it is not listed in CISA KEV; it is fixed in 42.7.12.
Denial-of-service via memory exhaustion in Python Pillow before 12.3.0 allows a crafted GD-format (.gd) image to trigger excessive C-heap allocation when opened, because GdImageFile._open() reads image dimensions straight from the GD 2.x header without invoking Pillow's Image._decompression_bomb_check() guard. Any application that loads untrusted .gd files with a vulnerable Pillow version can be crashed or driven into out-of-memory conditions. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 (availability-only impact).
Uncontrolled memory allocation in Python Pillow before 12.3.0 allows a maliciously crafted font file to trigger excessive memory consumption and denial of service when its glyphs are compiled into a combined bitmap. FontFile.compile() builds the output image via Image.new("1", (xsize, ysize)) without invoking Pillow's decompression-bomb guard, so oversized glyph dimensions are allocated unchecked during conversion or saving. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the availability-only impact (CVSS 7.5) reflects resource exhaustion rather than code execution or data disclosure.
Uncontrolled memory allocation in the Python Pillow imaging library (all versions prior to 12.3.0) allows a crafted PCF bitmap font to exhaust process memory and crash the host application. The PcfFontFile bitmap loader trusts attacker-supplied glyph dimensions from the font's METRICS section and hands them straight to Image.frombytes() while skipping Pillow's decompression-bomb guard. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is an availability-only denial of service (CVSS 7.5), not the information disclosure implied by the source tag.
c-ares, the widely-embedded asynchronous DNS resolver library, received a security fix in version 1.34.7 addressing CVE-2026-33630, disclosed via the oss-security mailing list. The vulnerability was reported by Haruto Kimura of Stella and is also tracked under GHSA-pjmc-gx33-gc76 and GHSA-jv8r-gqr9-68wj. The nature of the flaw, its exploitability, and precise impact are not determinable from the available input data - no description, CVSS vector, or CWE was provided.
Information disclosure in HP Deskjet 2800 Series printers running firmware TBP1CN2612AR or earlier lets an unauthenticated attacker on the network read sensitive configuration - including plaintext Wi‑Fi Direct credentials, device identity, and administrative security state - by sending plain GET requests to administrative API endpoints. The same data is gated behind administrator login in the web UI, so these API endpoints bypass the product's own access-control model. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Improper data-query neutralization (NoSQL injection) in the web application component of BeyondTrust Remote Support and Privileged Remote Access allows an authenticated, low-privileged attacker to manipulate input parameters and read resources or data beyond their authorization scope. The flaw enables information disclosure across authorization boundaries and, per the vendor's CVSS 4.0 vector, can impact downstream systems. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation is restricted to accounts holding specific permissions.
Heap out-of-bounds read in the Perl Imager module (versions before 1.032) lets a crafted SGI image over-read past a decode buffer and crash the process. The flaw lives in the bundled Imager::File::SGI reader's read_rgb_16_rle routine, where a 16-bit RLE literal run is length-checked in pixels but consumed as two bytes per pixel, defeating the bounds guard. No public exploit is identified at time of analysis and it is not listed in CISA KEV; a vendor patch shipped in 1.032.
Double-free memory corruption in GPAC MP4Box up to version 2.5-DEV allows a local, low-privileged attacker to trigger heap corruption via a crafted MP4 file processed by the `gf_isom_nalu_sample_rewrite` function, resulting in low availability impact (crash). No confidentiality or integrity impact is indicated by the CVSS 4.0 vector despite the 'Information Disclosure' tag in VulDB, which appears inconsistent with the scored metrics. A public POC exists at GitHub, but no active exploitation has been confirmed and this CVE is not listed in CISA KEV.
Local privilege/code manipulation in B&R Industrial Automation's APROL process control system (all versions before R 4.4-01P5) arises from an untrusted search path (CWE-426), allowing a low-privileged local user to plant a malicious executable or library that the application loads from an attacker-influenced directory. Successful exploitation yields high confidentiality and integrity impact on the affected engineering/operator station. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.4 (High).
Improper TLS certificate validation in B&R Industrial Automation's APROL process control system (all versions before R 4.4-01P5) lets a network-positioned attacker intercept and tamper with supposedly encrypted communications. Because APROL fails to properly verify certificates (CWE-295), an adversary able to sit between components can decrypt sensitive process data and inject manipulated messages. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the CVSS 4.0 base score of 9.1 reflects the high confidentiality and integrity impact.
Improper input validation in Apache Camel (versions through 4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.0) allows remote attackers to trigger information disclosure and limited integrity/availability effects against exposed Camel integration endpoints. The CVSS 3.1 base score is 7.3 (High) with a fully remote, unauthenticated vector, and the Apache-issued advisory tags the flaw as Information Disclosure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privilege vector warrants prompt patching.
Improper input validation in Apache Camel - the open-source Java integration framework - affects versions through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.0, and per the Apache-published advisory carries partial (Low) impact to confidentiality, integrity, and availability. Tagged as an Information Disclosure issue, it is remotely reachable per the CVSS network vector and appears to let a remote attacker submit malformed input that the framework fails to properly validate, potentially exposing limited data or perturbing message processing. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Improper input validation in Apache Camel versions 4.8.0 through 4.18.2 and 4.19.0 through 4.20.0 allows remote unauthenticated attackers to send crafted input that the framework fails to validate, yielding limited information disclosure and partial integrity/availability impact per the CVSS vector. The flaw is reported directly by the Apache Software Foundation and is fixed in 4.18.3 and 4.21.0; there is no public exploit identified at time of analysis and it is not on the CISA KEV list. The moderate 7.3 (High) score reflects easy network reachability but limited per-impact severity (C:L/I:L/A:L).
Information disclosure in SUSE Rancher AI Agent 1.0 before 1.0.2 writes API keys and raw LLM response text (which may contain sensitive data) into logfiles when the DEBUG loglevel is enabled, letting a local attacker with access to those logs harvest credentials and confidential model output. Rated CVSS 4.0 base 7.0, the flaw requires local access and high privileges plus a non-default debug configuration. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Information disclosure in uniFLOW Universal Login Manager (ULM) Standalone exposes sensitive SMTP and LDAP integration configuration data to authenticated administrators via the Remote User Interface (RUI). The flaw, classified under CWE-522 (Insufficiently Protected Credentials), applies exclusively to Standalone ULM deployments - environments integrated with uniFLOW Server or uniFLOW Online are explicitly confirmed unaffected. No public exploit code has been identified at time of analysis, and exploitation requires high-privilege access on an adjacent network, substantially limiting real-world risk.
Confused-deputy operation redirection in the Apache Camel camel-cxf SOAP component (versions 4.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0) lets an attacker steer which backend SOAP operation gets invoked. Because the operationName / operationNamespace selection headers lacked the Camel/camel prefix, HttpHeaderFilterStrategy failed to strip them at the HTTP boundary, so in any route bridging an HTTP consumer (e.g. platform-http) into a cxf: producer, an HTTP client could inject these headers and force CxfProducer to call a different WSDL operation than intended - for example swapping a read for a destructive write. No public exploit is identified at time of analysis, EPSS is low (0.15%), and it is not in CISA KEV.
Header injection in Apache Camel Mail Component enables attackers to override SMTP JavaMail session properties by supplying crafted headers in the mail.smtp./ mail.smtps. namespace through any untrusted inbound protocol - including HTTP query parameters, JMS, or Kafka - that feeds into a Camel route terminating at an SMTP producer. On releases before 4.19.0, the most severe impact is full SMTP host redirection: the producer reconnects to an attacker-controlled server and authenticates with the endpoint's configured credentials, resulting in credential theft. On 4.19.0 through pre-4.21.0, host redirection is blocked, but attackers can still weaken transport security (disabling STARTTLS, manipulating SSL trust, or injecting a SOCKS proxy) and intercept outgoing mail content. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Header injection in the Apache Camel camel-nats component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) allows any NATS client that can publish to a consumed subject to inject arbitrary Camel-internal control headers into the Exchange because the consumer's default DefaultHeaderFilterStrategy has no inbound filter rules. An attacker can override headers such as CamelHttpUri, CamelFileName, or CamelSqlQuery to redirect HTTP producers, rename files, or alter queries in downstream route steps. No public exploit identified at time of analysis; EPSS is low (0.19%, 9th percentile) and CISA SSVC lists exploitation as none, but the flaw is remotely reachable without credentials when the NATS server runs with its default (no-auth) configuration.
Authentication token-lifetime bypass in the Apache Camel Keycloak component (camel-keycloak) affects versions 4.18.0-4.18.2 and 4.19.0-4.20.x, allowing expired or not-yet-valid Keycloak access tokens to be accepted as valid. The KeycloakSecurityHelper builds its TokenVerifier via withChecks() with only subject and issuer checks, so Keycloak's IS_ACTIVE exp/nbf validation is never installed, and any route relying on this helper will trust tokens outside their intended lifetime. NVD scores it CVSS 9.8, though EPSS is low (0.15%, 5th percentile) and there is no public exploit identified at time of analysis.
Sensitive information exposure in Prog Management System (developed by PROG MIS) allows unauthenticated remote attackers to access a specific page that discloses the database account name and password. With valid database credentials leaked, an attacker gains a direct path to full compromise of the backing database and any data it holds. There is no public exploit identified at time of analysis, but the flaw is trivially exploitable given the CVSS 4.0 score of 9.3 (critical) and reported unauthenticated network vector.
Divide-by-zero in GPAC's TeXML file handler crashes the process when a crafted file carries a zero or invalid txml_timescale value, triggering an unhandled arithmetic exception in txtin_probe_duration. The affected version is the development snapshot 26.03-DEV-rev342-g80071f700-master; exploitation is constrained to local users able to supply malicious input files, with impact limited to a process-level denial of service. No active exploitation or public proof-of-concept has been identified; an upstream fix commit is available on GitHub but no patched stable release has been independently confirmed.
The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.
The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.
The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.
The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.
Improper authorization in SourceCodester Online Examination & Learning Management System 1.0 allows unauthenticated remote attackers to manipulate enrollment records by supplying arbitrary student_id, schedule_id, or action values to /ajax_enroll.php. The vulnerability is an Insecure Direct Object Reference (IDOR) - the application performs no ownership or privilege check before processing enrollment actions on behalf of any student. A public proof-of-concept has been disclosed (referenced by VulDB submission 850695 and GitHub advisory OE-LMS-IDOR-ajax_enroll.md); no active exploitation via CISA KEV has been confirmed at time of analysis.
Sandbox boundary enforcement failure in PentAGI (vxcontrol) versions up to 2.1.0 allows authenticated remote users to break Docker containment controls via the Docker API client component in `backend/pkg/docker/client.go`, enabling limited information disclosure and unauthorized low-impact modifications within the Docker environment. The CVSS 4.0 vector (PR:L, AV:N, AC:L) confirms low-privilege network-reachable exploitation with no user interaction required, though all impact metrics remain Low and no host-level breakout is indicated. No public exploit code exists and this vulnerability is not listed in CISA KEV; an upstream fix is pending as an unmerged GitHub pull request.
CVE-2026-58212 is reported by Ubuntu with no publicly available description, CVSS score, CWE classification, or technical detail at time of analysis. The sole intelligence signal is attribution to the Ubuntu vendor source, leaving the affected component, vulnerability class, and impact entirely uncharacterized. No meaningful risk assessment is possible without additional data from Ubuntu's security tracker or an upstream advisory.
mrubyc through release3.4.1 was found to contain an out-of-bounds read in builtin missing-method lookup inside mrbc_find_method().
Remote denial-of-service in NATS Server (nats-server) affects deployments with the WebSocket listener enabled but MQTT disabled; per the GHSA-p957-7v2w-g93g advisory and the fixing commit, an unauthenticated attacker can send an MQTT-over-WebSocket upgrade request to the WebSocket endpoint while MQTT is turned off, triggering an uncaught exception (CWE-248) that crashes the server (CVSS 7.5, availability-only impact). This is a Linux Foundation CNCF messaging component fixed in nats-server 2.12.12 and 2.14.3. No public exploit identified at time of analysis; not listed in CISA KEV, and EPSS is low at 0.53% (41st percentile), consistent with the SSVC assessment of exploitation 'none' and only partial technical impact.
Denial of service in NATS Server (nats-io/nats-server) affects the HTTP monitoring endpoints /connz and /subsz, where attacker-controlled offset and limit pagination parameters trigger a signed integer overflow (Offset+Limit wrapping from math.MaxInt64 to math.MinInt64), producing invalid slice bounds and a server panic. Any client able to reach the monitoring interface can crash the broker, disrupting all connected messaging clients. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; the upstream fix clamps offsets using min/max bounds.
Protocol injection in NATS Server MQTT support allows an authenticated MQTT client to smuggle control characters (tab, newline, carriage return, form feed) inside publish and Will topics, which corrupt the NATS wire protocol when the topic is converted to a NATS subject and forwarded across leaf node connections. Fixed in nats-server v2.12.9 and v2.14.1, the flaw (GHSA-qrcv-3558-gj4f, CWE-74) is tagged Information Disclosure and lets a low-privileged publisher influence how messages are framed and routed to other connections. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds read in Zephyr RTOS's mDNS detection logic crashes devices resolving short-suffix hostnames when CONFIG_MDNS_RESOLVER is compiled in. The flaw in dns_resolve_name_internal() reads a fixed 7 bytes from a suffix pointer regardless of the actual string length, causing a 1-2 byte over-read past the NUL terminator for suffixes like .org, .com, .net, or .io. Under the specific runtime condition of a tightly-sized allocation adjacent to an unmapped boundary (guard page, MPU domain, or ASAN), the over-read faults and crashes the device; no public exploit has been identified at time of analysis and CVSS 3.7 with AC:H accurately reflects the narrow crash preconditions.
Sensitive data exposure in Softaculous FormLayer WordPress plugin through version 1.0.6 allows remote unauthenticated attackers to retrieve embedded sensitive information from data transmitted by the plugin. The root cause (CWE-201) indicates the plugin inserts sensitive content - potentially API keys, tokens, or internal configuration - into outbound data visible to requesting clients. No public exploit code and no active exploitation have been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote accessibility.
Sensitive data exposure in Exclusive Addons Elementor (WordPress plugin by Tim Strifler) through version 2.7.9.9 enables unauthenticated remote attackers to retrieve sensitive information embedded within HTTP responses. The CWE-201 root cause indicates the plugin incorrectly includes sensitive data in outbound responses accessible to any network client without authentication, as confirmed by the CVSS vector (PR:N/UI:N). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the network-accessible, zero-prerequisite attack surface warrants prompt patching on internet-facing WordPress installations.
Camel-internal control header injection in the Apache Camel AWS2-SQS component (camel-aws2-sqs) lets any principal holding sqs:SendMessage on a consumed SQS queue override downstream producer behaviour in a route. Because Sqs2HeaderFilterStrategy defined only an outbound filter and no inbound filter, DefaultHeaderFilterStrategy copied sender-supplied attributes such as CamelHttpUri, CamelFileName and CamelSqlQuery verbatim into the Exchange, so an attacker can redirect HTTP producers, rename files or override SQL queries. This is a design flaw with no public exploit identified at time of analysis; EPSS is low (0.16%, 6th percentile) and it is not on CISA KEV.
Information disclosure in Apache Camel's camel-undertow HTTP server consumer (versions 4.0.0 through 4.21.0) exposes complete Java stack traces to unauthenticated HTTP clients whenever a route processing exception occurs, due to a misconfigured default and a code-level bypass. Unlike every other Camel HTTP server component (camel-http, camel-jetty, camel-servlet, camel-platform-http), all of which default muteException to true, camel-undertow defaulted this option to false - and for Rest DSL consumers the option was silently ignored entirely due to a hard-coded false in RestUndertowHttpBinding, meaning muteException=true gave false confidence without actual protection. No public exploit has been identified at time of analysis; however exploitation requires only the ability to send a malformed HTTP request to a reachable endpoint, making this trivially accessible to any network-level attacker.
Stack trace disclosure in Apache Camel's camel-netty-http component (versions 4.0.0-4.21.0 across three release streams) exposes full Java Throwable stack traces to unauthenticated HTTP clients whenever a route processing error occurs under the default configuration. The root cause is an insecure default: the muteException option backed by an uninitialized Java primitive boolean defaulted to false in camel-netty-http while all other Camel HTTP server components (camel-http, camel-jetty, camel-servlet, camel-platform-http) correctly default it to true. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low-effort triggering condition - any malformed request that causes a route exception - makes opportunistic enumeration straightforward against exposed endpoints.