Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-33960

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-01 Jun, 2023 | 16:20
Updated At-08 Jan, 2025 | 21:36
Rejected At-
Credits

OpenProject vulnerable to project identifier information leakage through robots.txt

OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available. Version 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:01 Jun, 2023 | 16:20
Updated At:08 Jan, 2025 | 21:36
Rejected At:
▼CVE Numbering Authority (CNA)
OpenProject vulnerable to project identifier information leakage through robots.txt

OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available. Version 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership.

Affected Products
Vendor
opf
Product
openproject
Versions
Affected
  • < 12.5.6
Problem Types
TypeCWE IDDescription
CWECWE-200CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Type: CWE
CWE ID: CWE-200
Description: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8
x_refsource_CONFIRM
https://github.com/opf/openproject/pull/12708
x_refsource_MISC
https://community.openproject.org/wp/48324
x_refsource_MISC
https://github.com/opf/openproject/releases/tag/v12.5.6
x_refsource_MISC
https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch
x_refsource_MISC
Hyperlink: https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/opf/openproject/pull/12708
Resource:
x_refsource_MISC
Hyperlink: https://community.openproject.org/wp/48324
Resource:
x_refsource_MISC
Hyperlink: https://github.com/opf/openproject/releases/tag/v12.5.6
Resource:
x_refsource_MISC
Hyperlink: https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8
x_refsource_CONFIRM
x_transferred
https://github.com/opf/openproject/pull/12708
x_refsource_MISC
x_transferred
https://community.openproject.org/wp/48324
x_refsource_MISC
x_transferred
https://github.com/opf/openproject/releases/tag/v12.5.6
x_refsource_MISC
x_transferred
https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/opf/openproject/pull/12708
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://community.openproject.org/wp/48324
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/opf/openproject/releases/tag/v12.5.6
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch
Resource:
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:01 Jun, 2023 | 17:15
Updated At:09 Jun, 2023 | 17:53

OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available. Version 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches

openproject
openproject
>>openproject>>Versions before 12.5.6(exclusive)
cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-319Primarynvd@nist.gov
CWE-200Secondarysecurity-advisories@github.com
CWE ID: CWE-319
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-200
Type: Secondary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://community.openproject.org/wp/48324security-advisories@github.com
Permissions Required
https://github.com/opf/openproject/pull/12708security-advisories@github.com
Patch
https://github.com/opf/openproject/releases/tag/v12.5.6security-advisories@github.com
Release Notes
https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8security-advisories@github.com
Vendor Advisory
https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patchsecurity-advisories@github.com
Mailing List
Patch
Hyperlink: https://community.openproject.org/wp/48324
Source: security-advisories@github.com
Resource:
Permissions Required
Hyperlink: https://github.com/opf/openproject/pull/12708
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/opf/openproject/releases/tag/v12.5.6
Source: security-advisories@github.com
Resource:
Release Notes
Hyperlink: https://github.com/opf/openproject/security/advisories/GHSA-xjfc-fqm3-95q8
Source: security-advisories@github.com
Resource:
Vendor Advisory
Hyperlink: https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch
Source: security-advisories@github.com
Resource:
Mailing List
Patch

Change History

0
Information is not available yet

Similar CVEs

1242Records found

CVE-2015-8559
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.93% / 77.52%
||
7 Day CHG~0.00%
Published-21 Sep, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The knife bootstrap command in chef Infra client before version 15.4.45 leaks the validator.pem private RSA key to /var/log/messages.

Action-Not Available
Vendor-n/aChef
Product-chefn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-19889
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.10% / 61.55%
||
7 Day CHG~0.00%
Published-18 Dec, 2019 | 18:52
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Humax Wireless Voice Gateway HGB10R-2 20160817_1855 devices. The attacker can discover admin credentials in the backup file, aka backupsettings.conf.

Action-Not Available
Vendor-humaxdigitaln/a
Product-hgb10r-02_firmwarehgb10r-02n/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2026-50210
Matching Score-4
Assigner-8fc372e3-d9c5-46e4-9410-38469745c639
ShareView Details
Matching Score-4
Assigner-8fc372e3-d9c5-46e4-9410-38469745c639
CVSS Score-6.9||MEDIUM
EPSS-0.24% / 15.58%
||
7 Day CHG~0.00%
Published-04 Jun, 2026 | 07:22
Updated-04 Jun, 2026 | 19:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weak Static Cryptographic Initialization Vectors

The device encrypts data using AES-CBC with static zero-filled Initialization Vectors (IVs), making it susceptible to replay attacks and known-plaintext decryption.

Action-Not Available
Vendor-Acer Inc.
Product-connect_m6e_5g_firmwareconnect_m6e_5gConnect M6E 5G Portable WiFi Router
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-49486
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.26% / 17.76%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 07:05
Updated-26 Jun, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P)

The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using `FTPSHook` or `FTPSFileTransmitOperator` to move files over FTPS exposed file contents and credentials-in-transit to a network attacker able to observe the data connection. Upgrade apache-airflow-providers-ftp to `3.15.1` or later, which issues `PROT P` to encrypt the data channel.

Action-Not Available
Vendor-The Apache Software Foundation
Product-apache-airflow-providers-ftpApache Airflow FTP provider
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2026-50508
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.66% / 47.14%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 17:05
Updated-01 Jul, 2026 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows NTLM Spoofing Vulnerability

Exposure of sensitive information to an unauthorized actor in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_1607windows_server_2012windows_server_2016windows_11_22h2windows_server_2022windows_server_2004Windows Server 2012Windows 10 Version 1607Windows Server 2012 R2Windows 11 version 22H2Windows Server 2012 R2 (Server Core installation)Windows Server 2016 (Server Core installation)Windows Server 2022Windows Server 2016Windows Server 2012 (Server Core installation)Windows Server version 2004
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-20061
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.90% / 55.25%
||
7 Day CHG~0.00%
Published-10 Feb, 2020 | 12:19
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5.4 may leak the (system-picked) password if this email is sent in cleartext. In other words, the user is not allowed to choose their own initial password.

Action-Not Available
Vendor-mfscriptsn/a
Product-yetisharen/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2026-50870
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.31% / 22.51%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 00:00
Updated-16 Jun, 2026 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2003-1567
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-25.06% / 97.66%
||
7 Day CHG~0.00%
Published-15 Jan, 2009 | 00:00
Updated-28 May, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The undocumented TRACK method in Microsoft Internet Information Services (IIS) 5.0 returns the content of the original request in the body of the response, which makes it easier for remote attackers to steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism, by using TRACK to read the contents of the HTTP headers that are returned in the response, a technique that is similar to cross-site tracing (XST) using HTTP TRACE.

Action-Not Available
Vendor-n/aMicrosoft Corporation
Product-internet_information_servicesn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-41230
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-7.5||HIGH
EPSS-0.38% / 30.03%
||
7 Day CHG+0.01%
Published-20 May, 2025 | 12:54
Updated-24 Jun, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VMware Cloud Foundation Information Disclosure Vulnerability

VMware Cloud Foundation contains an information disclosure vulnerability. A malicious actor with network access to port 443 on VMware Cloud Foundation may exploit this issue to gain access to sensitive information.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-Cloud Foundation
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-44982
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-1.44% / 69.89%
||
7 Day CHG~0.00%
Published-19 Dec, 2023 | 00:03
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Retina 2x Plugin <= 6.4.5 is vulnerable to Sensitive Data Exposure

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Jordy Meow Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina).This issue affects Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina): from n/a through 6.4.5.

Action-Not Available
Vendor-meowappsJordy Meow
Product-perfect_imagesPerfect Images (Manage Image Sizes, Thumbnails, Replace, Retina)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-19316
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.00% / 58.45%
||
7 Day CHG~0.00%
Published-02 Dec, 2019 | 20:50
Updated-05 Aug, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP.

Action-Not Available
Vendor-n/aHashiCorp, Inc.
Product-terraformn/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2015-8393
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-4.37% / 90.09%
||
7 Day CHG~0.00%
Published-02 Dec, 2015 | 00:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.

Action-Not Available
Vendor-pcren/aThe PHP GroupFedora Project
Product-perl_compatible_regular_expression_libraryphpfedoran/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-1908
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.30%
||
7 Day CHG~0.00%
Published-21 Aug, 2019 | 18:25
Updated-19 Nov, 2024 | 19:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Integrated Management Controller Information Disclosure Vulnerability

A vulnerability in the Intelligent Platform Management Interface (IPMI) implementation of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to view sensitive system information. The vulnerability is due to insufficient security restrictions imposed by the affected software. A successful exploit could allow the attacker to view sensitive information that belongs to other users. The attacker could then use this information to conduct additional attacks.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ucs_c125_m5ucs_s3260integrated_management_controller_supervisorucs_c4200unified_computing_systemCisco Unified Computing System (Management Software)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-26077
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-7.5||HIGH
EPSS-1.09% / 61.36%
||
7 Day CHG~0.00%
Published-25 May, 2022 | 20:15
Updated-15 Apr, 2025 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cleartext transmission of sensitive information vulnerability exists in the OAS Engine configuration communications functionality of Open Automation Software OAS Platform V16.00.0112. A targeted network sniffing attack can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.

Action-Not Available
Vendor-openautomationsoftwareOpen Automation Software
Product-oas_platformOAS Platform
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2020-13787
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.90% / 55.38%
||
7 Day CHG~0.00%
Published-03 Jun, 2020 | 16:22
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Transmission of Sensitive Information.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-865l_firmwaredir-865ln/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-19967
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.95% / 56.97%
||
7 Day CHG~0.00%
Published-25 Dec, 2019 | 21:20
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Administration page on Connect Box EuroDOCSIS 3.0 Voice Gateway CH7465LG-NCIP-6.12.18.25-2p6-NOSH devices accepts a cleartext password in a POST request on port 80, as demonstrated by the Password field to the xml/setter.xml URI.

Action-Not Available
Vendor-upcn/a
Product-connect_box_eurodocsisconnect_box_eurodocsis_firmwaren/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2026-49187
Matching Score-4
Assigner-8fc372e3-d9c5-46e4-9410-38469745c639
ShareView Details
Matching Score-4
Assigner-8fc372e3-d9c5-46e4-9410-38469745c639
CVSS Score-8.7||HIGH
EPSS-0.24% / 15.57%
||
7 Day CHG~0.00%
Published-04 Jun, 2026 | 03:50
Updated-04 Jun, 2026 | 19:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hard-coded APK Resource Credentials & Scepters

The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse.

Action-Not Available
Vendor-Acer Inc.
Product-connect_m6e_5g_firmwareconnect_m6e_5gConnect M6E 5G Portable WiFi Router
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-19890
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.99% / 58.13%
||
7 Day CHG~0.00%
Published-18 Dec, 2019 | 18:53
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Humax Wireless Voice Gateway HGB10R-2 20160817_1855 devices. Admin credentials are sent over cleartext HTTP.

Action-Not Available
Vendor-humaxdigitaln/a
Product-hgb10r-02_firmwarehgb10r-02n/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2025-3978
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.43% / 34.73%
||
7 Day CHG+0.02%
Published-27 Apr, 2025 | 17:00
Updated-12 May, 2025 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
dazhouda lecms user_set.htm information disclosure

A vulnerability was found in dazhouda lecms 3.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file admin/view/default/user_set.htm. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-lecmsdazhouda
Product-lecmslecms
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-40662
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-6.9||MEDIUM
EPSS-0.30% / 21.64%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 10:07
Updated-22 Oct, 2025 | 13:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Absolute path disclosure vulnerability in DM Corporative CMS

Absolute path disclosure vulnerability in DM Corporative CMS. This vulnerability allows an attacker to view the contents of webroot/file, if navigating to a non-existent file.

Action-Not Available
Vendor-accDmacroweb
Product-dm_corporative_cmsDM Corporative CMS
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-19022
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.42% / 69.59%
||
7 Day CHG~0.00%
Published-17 Nov, 2019 | 10:59
Updated-05 Aug, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git repositories.

Action-Not Available
Vendor-iterm2n/a
Product-iterm2n/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-4712
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.39% / 30.48%
||
7 Day CHG~0.00%
Published-24 Mar, 2026 | 12:30
Updated-13 Apr, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information disclosure in the Widget: Cocoa component

Information disclosure in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxThunderbirdFirefox
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2002-1949
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.20% / 64.52%
||
7 Day CHG~0.00%
Published-28 Jun, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Network Attached Storage (NAS) Administration Web Page for Iomega NAS A300U transmits passwords in cleartext, which allows remote attackers to sniff the administrative password.

Action-Not Available
Vendor-iomegan/a
Product-nas_a300u_firmwarenas_a300un/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2020-12070
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.98% / 78.16%
||
7 Day CHG~0.00%
Published-24 Apr, 2020 | 22:44
Updated-04 Aug, 2024 | 11:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Advanced Woo Search plugin version through 1.99 for Wordpress suffers from a sensitive information disclosure vulnerability in every ajax search request via the sql field to includes/class-aws-search.php.

Action-Not Available
Vendor-advanced-woo-searchn/a
Product-advanced_woo_searchn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-42387
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.73% / 49.65%
||
7 Day CHG~0.00%
Published-18 Sep, 2023 | 00:00
Updated-25 Sep, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in TDSQL Chitu management platform v.10.3.19.5.0 allows a remote attacker to obtain sensitive information via get_db_info function in install.php.

Action-Not Available
Vendor-tdsql_chitu_projectn/a
Product-tdsql_chitun/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-18679
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-40.98% / 98.49%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 16:14
Updated-05 Aug, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks.

Action-Not Available
Vendor-n/aDebian GNU/LinuxSquid CacheCanonical Ltd.Fedora Project
Product-ubuntu_linuxdebian_linuxfedorasquidn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-4660
Matching Score-4
Assigner-HashiCorp Inc.
ShareView Details
Matching Score-4
Assigner-HashiCorp Inc.
CVSS Score-7.5||HIGH
EPSS-0.58% / 43.60%
||
7 Day CHG+0.16%
Published-09 Apr, 2026 | 13:47
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Go-getter may allow to arbitrary filesystem reads through git operations

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

Action-Not Available
Vendor-HashiCorp, Inc.Red Hat, Inc.
Product-ToolingRed Hat Trusted Artifact SignerRed Hat Trusted Artifact Signer 1.3Red Hat OpenShift Container Platform 4
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-6495
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.07% / 60.77%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 14:00
Updated-06 Aug, 2024 | 07:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is Sensitive Information in Cloudera Manager before 5.4.6 Diagnostic Support Bundles.

Action-Not Available
Vendor-clouderan/a
Product-cloudera_managern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-45553
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.26% / 16.75%
||
7 Day CHG~0.00%
Published-02 Jun, 2026 | 15:34
Updated-03 Jun, 2026 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()

NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives (include, csv-table with :file:, raw with :file:) to read local files readable by the NiceGUI server process. Applications that only pass trusted static strings to ui.restructured_text() are not affected. This issue has been patched in version 3.12.0.

Action-Not Available
Vendor-zauberzeug
Product-nicegui
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-6782
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.25% / 16.55%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 12:41
Updated-27 May, 2026 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information disclosure in the IP Protection component

Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdfirefoxFirefoxThunderbird
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-45180
Matching Score-4
Assigner-CPAN Security Group
ShareView Details
Matching Score-4
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.24% / 15.49%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 20:03
Updated-12 May, 2026 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids

Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens.

Action-Not Available
Vendor-RRWO
Product-Catalyst::Plugin::Statsd
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2026-8966
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.33% / 25.15%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 12:30
Updated-20 May, 2026 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information disclosure in the IP Protection component

Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdFirefoxThunderbird
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-45332
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.30% / 21.51%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 18:22
Updated-01 Jun, 2026 | 18:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /_api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is complete and returns full serialized user data in the JSON response body. This vulnerability is fixed in 2.0.0-beta.28.

Action-Not Available
Vendor-marcantondahmen
Product-automad
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-10624
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.74% / 50.20%
||
7 Day CHG~0.00%
Published-26 Jun, 2020 | 16:22
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ControlEdge PLC (R130.2, R140, R150, and R151) and RTU (R101, R110, R140, R150, and R151) exposes a session token on the network.

Action-Not Available
Vendor-n/aHoneywell International Inc.
Product-controledge_plccontroledge_rtucontroledge_plc_firmwarecontroledge_rtu_firmwareControlEdge RTUControlEdge PLC
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2025-36274
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-0.19% / 9.18%
||
7 Day CHG~0.00%
Published-26 Sep, 2025 | 14:14
Updated-11 Dec, 2025 | 22:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Aspera HTTP Gateway information disclosure

IBM Aspera HTTP Gateway 2.0.0 through 2.3.1 stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user.

Action-Not Available
Vendor-IBM Corporation
Product-aspera_http_gatewayAspera HTTP Gateway
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2026-44786
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.26% / 17.21%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 20:22
Updated-17 Jun, 2026 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse: Public chat MessageBus broadcasts are not restricted to chat-eligible users

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus subscriber without chat enabled could receive chat message payloads in real time. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-5738
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.43% / 82.20%
||
7 Day CHG~0.00%
Published-26 Jul, 2016 | 17:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The RSA-CRT implementation in the Cavium Software Development Kit (SDK) 2.x, when used on OCTEON II CN6xxx Hardware on Linux to support TLS with Perfect Forward Secrecy (PFS), makes it easier for remote attackers to obtain private RSA keys by conducting a Lenstra side-channel attack.

Action-Not Available
Vendor-marvelln/aF5, Inc.
Product-octeon_ii_cn6010octeon_ii_cn6020software_development_kitocteon_ii_cn6000traffix_signaling_delivery_controllern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-56242
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.26% / 17.21%
||
7 Day CHG~0.00%
Published-21 Jun, 2026 | 13:26
Updated-22 Jun, 2026 | 18:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Capgo - Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC

Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys to confirm key validity and map keys to user identifiers, then chain results into other exposed RPCs like get_orgs_v6 to retrieve organization membership and management email PII.

Action-Not Available
Vendor-Capgo
Product-Capgo
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-37165
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.5||HIGH
EPSS-0.34% / 26.32%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 17:40
Updated-02 Mar, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of VLAN information in unintended network interfaces

A vulnerability in the router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor could gain knowledge of internal network configuration details through inspecting impacted packets.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-Instant On
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-5585
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.64% / 46.22%
||
7 Day CHG~0.00%
Published-05 Apr, 2026 | 17:30
Updated-30 Apr, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tencent AI-Infra-Guard Task Detail Endpoint task_manager.go information disclosure

A vulnerability was found in Tencent AI-Infra-Guard 4.0. The affected element is an unknown function of the file common/websocket/task_manager.go of the component Task Detail Endpoint. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-tencentTencent
Product-ai-infra-guardAI-Infra-Guard
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2026-5571
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.47% / 37.65%
||
7 Day CHG~0.00%
Published-05 Apr, 2026 | 13:45
Updated-30 Apr, 2026 | 20:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Technostrobe HI-LED-WR120-G2 Configuration Data fs information disclosure

A vulnerability was identified in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. The impacted element is an unknown function of the file /fs of the component Configuration Data Handler. Such manipulation of the argument File leads to information disclosure. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-technostrobeTechnostrobe
Product-hi-led-wr120-g2hi-led-wr120-g2_firmwareHI-LED-WR120-G2
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2015-5317
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-22.43% / 97.41%
||
7 Day CHG~0.00%
Published-25 Nov, 2015 | 20:00
Updated-22 Apr, 2026 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-06-02||Apply updates per vendor instructions.

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Action-Not Available
Vendor-n/aRed Hat, Inc.Jenkins
Product-jenkinsopenshiftn/aJenkins User Interface (UI)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-36107
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.23% / 13.55%
||
7 Day CHG~0.00%
Published-21 Jul, 2025 | 18:07
Updated-18 Aug, 2025 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Cognos Analytics Mobile (iOS) information disclosure

IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could allow malicious actors to obtain sensitive information due to the cleartext transmission of data.

Action-Not Available
Vendor-IBM Corporation
Product-cognos_analytics_mobileCognos Analytics Mobile
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2025-34185
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.80% / 52.07%
||
7 Day CHG~0.00%
Published-16 Sep, 2025 | 19:44
Updated-25 May, 2026 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ilevia EVE X1 Server 4.7.18.0.eden Unauthenticated File Disclosure

Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains a pre-authentication file disclosure vulnerability via the 'db_log' POST parameter. Remote attackers can retrieve arbitrary files from the server, exposing sensitive system information and credentials.

Action-Not Available
Vendor-ileviaIlevia Srl.
Product-eve_x1_server_firmwareeve_x1_serverEVE X1 Server
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-18460
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.16% / 63.13%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 14:47
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4 in the Comments Search feature provided by the Elasticsearch integration. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-26423
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.2||HIGH
EPSS-0.69% / 48.26%
||
7 Day CHG~0.00%
Published-21 Oct, 2022 | 15:38
Updated-17 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MISSING AUTHORIZATION CWE-862

Aethon TUG Home Base Server versions prior to version 24 are affected by un unauthenticated attacker who can freely access hashed user credentials.

Action-Not Available
Vendor-Aethon, Inc.
Product-tug_home_base_serverTUG Home Base Server
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2026-53571
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.39% / 31.21%
||
7 Day CHG~0.00%
Published-22 Jun, 2026 | 16:10
Updated-24 Jun, 2026 | 20:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vite: `server.fs.deny` bypass on Windows alternate paths

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3.

Action-Not Available
Vendor-voidzerovitejsvitejsMicrosoft Corporation
Product-vitewindowsvite\+vite
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-42490
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
ShareView Details
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
CVSS Score-7.5||HIGH
EPSS-0.62% / 45.42%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 14:41
Updated-10 Sep, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EisBaer Scada - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

EisBaer Scada - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Action-Not Available
Vendor-busbaerEisBaer Scada
Product-eisbaer_scadav3.0.6433.1964
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-18867
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.22% / 65.00%
||
7 Day CHG~0.00%
Published-07 May, 2020 | 12:59
Updated-05 Aug, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Browsable directories in Blaauw Remote Kiln Control through v3.00r4 allow an attacker to enumerate sensitive filenames and locations, including source code. This affects /ajax/, /common/, /engine/, /flash/, /images/, /Images/, /jscripts/, /lang/, /layout/, /programs/, and /sms/.

Action-Not Available
Vendor-blaauwproductsn/a
Product-remote_kiln_controln/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-53923
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.28% / 19.90%
||
7 Day CHG~0.00%
Published-22 Jun, 2026 | 21:55
Updated-24 Jun, 2026 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vLLM GGUF Kernels: int64_t to int truncation of tensor dimensions causes GPU buffer overflow

vLLM is an inference and serving engine for large language models (LLMs). From 0.5.5 until 0.23.1rc0, integer truncation of tensor dimensions in vLLM's GGUF dequantize kernels (csrc/quantization/gguf/gguf_kernel.cu) causes partial tensor processing. The output tensor is allocated at full size via torch::empty (uninitialized memory), but the dequantize CUDA kernel processes only a truncated number of elements. The unfilled portion of the output tensor retains whatever was previously in GPU memory. In multi-tenant inference deployments, this residual GPU memory may contain tensor data from other users' inference requests, constituting information disclosure. This vulnerability is fixed in 0.23.1rc0.

Action-Not Available
Vendor-vllmvllm-project
Product-vllmvllm
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-681
Incorrect Conversion between Numeric Types
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 24
  • 25
  • Next
Details not found