| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| When an error occurs in the application a full stacktrace is provided to the user. The stacktrace lists class and method names as well as other internal information. An attacker can thus obtain information about the technology used and the structure of the application. |
| An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the command-line interface (CLI) of Juniper Networks Junos OS on SRX Series devices allows a local, low-privileged user with access to the Junos CLI to view the contents of sensitive files on the file system.
Through the execution of either 'show services advanced-anti-malware' or 'show services security-intelligence' command, a user with limited permissions (e.g., a low privilege login class user) can access protected files that should not be accessible to the user. These files may contain sensitive information that can be used to cause further impact to the system.
This issue affects Junos OS SRX Series:
* All versions before 21.4R3-S8,
* from 22.2 before 22.2R3-S5,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3-S2,
* from 23.2 before 23.2R2-S1,
* from 23.4 before 23.4R2. |
| The created backup files are unencrypted, making the application vulnerable for gathering sensitive information by downloading and decompressing the backup files. |
| A vulnerability exists in the Web interface of the MicroSCADA X SYS600 product. The filtering query in the Web interface can be malformed, so returning data can leak unauthorized information to the user. |
| The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the search feature in class-cubewp-search-ajax-hooks.php due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. |
| The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles. |
| The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce. |
| The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. |
| Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows attacker without read access to a property to infer information about its value by trying to enumerate all possible values through observing error messages of SET property.
We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issues is fixed. |
| libuser has information disclosure when moving user's home directory |
| An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged, authenticated attacker with access to the CLI to access sensitive information.
Through the execution of a specific show mgd command, a user with limited permissions (e.g., a low-privileged login class user) can access sensitive information such as hashed passwords, that can be used to further impact the system.
This issue affects Junos OS: * All versions before 21.4R3-S10,
* from 22.2 before 22.2R3-S5,
* from 22.4 before 22.4R3-S5,
* from 23.2 before 23.2R2-S3,
* from 23.4 before 23.4R2-S3.
Junos OS Evolved:
* All versions before 21.4R3-S10-EVO,
* from 22.2-EVO before 22.2R3-S6-EVO,
* from 22.4-EVO before 22.4R3-S5-EVO,
* from 23.2-EVO before 23.2R2-S3-EVO,
* from 23.4-EVO before 23.4R2-S3-EVO. |
| Stop User Enumeration 1.3.8 allows user enumeration via the REST API |
| An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the command-line interface (CLI) of Juniper Networks Junos OS on SRX Series devices allows a local, low-privileged user with access to the Junos CLI to view the contents of protected files on the file system.
Through the execution of crafted CLI commands, a user with limited permissions (e.g., a low privilege login class user) can access protected files that should not be accessible to the user. These files may contain sensitive information that can be used to cause further impact to the system.
This issue affects Junos OS on SRX Series:
* All versions before 21.4R3-S8,
* 22.2 before 22.2R3-S5,
* 22.3 before 22.3R3-S4,
* 22.4 before 22.4R3-S4,
* 23.2 before 23.2R2-S2,
* 23.4 before 23.4R2. |
| Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11. |
| Information disclosure in the XML component. This vulnerability affects Firefox < 147 and Thunderbird < 147. |
| Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. |
| Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing. |
| The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action, which flows directly into the 'getimagesize' function without sanitization. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php. |
| Improper service binding configuration in internal service components in HCL BigFix IVR version 4.2 allows a privileged attacker to impact service availability via exposure of administrative services bound to external network interfaces instead of the local authentication interface. |
| In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.
Users are recommended to upgrade to 3.1.6 or later, which fixes this issue |
