Total
9961 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-68436 | 1 Craftcms | 1 Craft Cms | 2026-01-12 | 6.5 Medium |
| Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. | ||||
| CVE-2025-67732 | 2 Dify, Langgenius | 2 Dify, Dify | 2026-01-12 | 6.5 Medium |
| Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0 fixes the issue. | ||||
| CVE-2024-50342 | 2 Sensiolabs, Symfony | 2 Httpclient, Symfony | 2026-01-12 | 3.1 Low |
| symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-29720 | 1 Terrainformatica | 1 Sciter | 2026-01-09 | 6.2 Medium |
| An issue in Terra Informatica Software, Inc Sciter v.4.4.7.0 allows a local attacker to obtain sensitive information via the adopt component of the Sciter video rendering function. | ||||
| CVE-2021-33146 | 1 Intel | 7 Ethernet Adapter Complete Driver, Ethernet Controller I225-it, Ethernet Controller I225-it Firmware and 4 more | 2026-01-09 | 5.3 Medium |
| Improper input validation in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow an unauthenticated user to potentially enable information disclosure via network access. | ||||
| CVE-2025-14553 | 3 Apple, Google, Tp-link | 4 Ios, Android, Tapo and 1 more | 2026-01-09 | N/A |
| Exposure of password hashes through an unauthenticated API response in TP-Link Tapo app on iOS and Android for Tapo cameras, allowing attackers to brute force the password in the local network. Issue can be mitigated through mobile application updates. Device firmware remains unchanged. | ||||
| CVE-2024-29898 | 1 Miraheze | 1 Createwiki | 2026-01-08 | 4.9 Medium |
| CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the `(read)` permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c. | ||||
| CVE-2025-12540 | 2 Sharethis, Wordpress | 2 Dashboard For Google Analytics, Wordpress | 2026-01-08 | 4.7 Medium |
| The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administrator logged into the website and Google Analytics to click the link. | ||||
| CVE-2025-13215 | 2 Averta, Wordpress | 2 Shortcodes And Extra Features For Phlox Theme, Wordpress | 2026-01-08 | 5.3 Medium |
| The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to. | ||||
| CVE-2026-20027 | 1 Cisco | 3 Secure Firewall Threat Defense, Snort, Utd Snort Ips Engine Software | 2026-01-08 | 5.3 Medium |
| Multiple Cisco products are affected by a vulnerability in the processing of DCE/RPC requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, resulting in an interruption of packet inspection. This vulnerability is due to an error in buffer handling logic when processing DCE/RPC requests, which can result in a buffer out-of-bounds read. An attacker could exploit this vulnerability by sending a large number of DCE/RPC requests through an established connection that is inspected by Snort 3. A successful exploit could allow the attacker to obtain sensitive information in the Snort 3 data stream. | ||||
| CVE-2025-47369 | 1 Qualcomm | 1 Snapdragon | 2026-01-08 | 5.5 Medium |
| Information disclosure when a weak hashed value is returned to userland code in response to a IOCTL call to obtain a session ID. | ||||
| CVE-2025-13371 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 8.6 High |
| The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation. | ||||
| CVE-2024-42508 | 1 Hpe | 1 Oneview | 2026-01-08 | 5.5 Medium |
| This vulnerability could be exploited, leading to unauthorized disclosure of information to authenticated users. | ||||
| CVE-2025-53512 | 1 Canonical | 1 Juju | 2026-01-08 | 6.5 Medium |
| The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information. | ||||
| CVE-2025-64670 | 1 Microsoft | 14 Windows 10 21h2, Windows 10 21h2, Windows 10 22h2 and 11 more | 2026-01-07 | 6.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information over a network. | ||||
| CVE-2025-59716 | 1 Owncloud | 2 Guests, Owncloud | 2026-01-07 | 5.3 Medium |
| ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user rather than a non-existent user. | ||||
| CVE-2025-15103 | 2 Delta Electronics, Deltaww | 3 Dvp-12se11t, Dvp-12se11t, Dvp-12se11t Firmware | 2026-01-06 | 8.1 High |
| DVP-12SE11T - Authentication Bypass via Partial Password Disclosure | ||||
| CVE-2025-68273 | 1 Signalk | 2 Signal K Server, Signalk-server | 2026-01-06 | 5.3 Medium |
| Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks. Version 2.19.0 patches the issue. | ||||
| CVE-2025-27387 | 1 Oppo | 1 Oppo Clone Phone | 2026-01-06 | 7.4 High |
| OPPO Clone Phone uses a weak password WiFi hotspot to transfer files, resulting in Information disclosure. | ||||
| CVE-2025-14591 | 2 Microsoft, Perforce | 4 Ms-dos, Windows, Delphix Continuous Compliance and 1 more | 2026-01-05 | 7.5 High |
| In Delphix Continuous Compliance version 2025.3.0 and later, following a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was identified: using an incorrect EOR configuration can cause inaccurate parsing and leave personally identifiable information (PII) unmasked. | ||||