Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-14611

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-03 Jul, 2026 | 21:00
Updated At-03 Jul, 2026 | 21:00
Rejected At-
Credits

DeepMyst Mysti Per-Project Auto-Memory MemoryManager.ts initProjectMemory exposure of resource

A vulnerability has been found in DeepMyst Mysti up to 0.4.0. The affected element is the function initProjectMemory of the file src/managers/MemoryManager.ts of the component Per-Project Auto-Memory Handler. Such manipulation of the argument workspacePath leads to exposure of resource. The attack may be performed from remote. Upgrading to version 0.4.0 is sufficient to fix this issue. The name of the patch is 6d709229b5199f6769fb3cf763e5122dcc43c079. It is advisable to upgrade the affected component.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:03 Jul, 2026 | 21:00
Updated At:03 Jul, 2026 | 21:00
Rejected At:
â–¼CVE Numbering Authority (CNA)
DeepMyst Mysti Per-Project Auto-Memory MemoryManager.ts initProjectMemory exposure of resource

A vulnerability has been found in DeepMyst Mysti up to 0.4.0. The affected element is the function initProjectMemory of the file src/managers/MemoryManager.ts of the component Per-Project Auto-Memory Handler. Such manipulation of the argument workspacePath leads to exposure of resource. The attack may be performed from remote. Upgrading to version 0.4.0 is sufficient to fix this issue. The name of the patch is 6d709229b5199f6769fb3cf763e5122dcc43c079. It is advisable to upgrade the affected component.

Affected Products
Vendor
DeepMyst
Product
Mysti
CPEs
  • cpe:2.3:a:deepmyst:mysti:*:*:*:*:*:*:*:*
Modules
  • Per-Project Auto-Memory Handler
Versions
Affected
  • 0.1
  • 0.2
  • 0.3
  • 0.4.0
Unaffected
  • 0.4.0
Problem Types
TypeCWE IDDescription
CWECWE-668Exposure of Resource
CWECWE-200Information Disclosure
Type: CWE
CWE ID: CWE-668
Description: Exposure of Resource
Type: CWE
CWE ID: CWE-200
Description: Information Disclosure
Metrics
VersionBase scoreBase severityVector
4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C
3.04.3MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C
2.04.0N/A
AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C
Version: 3.0
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C
Version: 2.0
Base score: 4.0
Base severity: N/A
Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
Dem00000 (VulDB User)
Timeline
EventDate
Advisory disclosed2026-07-03 00:00:00
VulDB entry created2026-07-03 02:00:00
VulDB entry last update2026-07-03 16:14:24
Event: Advisory disclosed
Date: 2026-07-03 00:00:00
Event: VulDB entry created
Date: 2026-07-03 02:00:00
Event: VulDB entry last update
Date: 2026-07-03 16:14:24
Replaced By

Rejected Reason

References
HyperlinkResource
https://vuldb.com/vuln/376119
vdb-entry
technical-description
https://vuldb.com/vuln/376119/cti
signature
permissions-required
https://vuldb.com/cve/CVE-2026-14611
third-party-advisory
https://vuldb.com/submit/844651
third-party-advisory
https://github.com/DeepMyst/Mysti/issues/46
issue-tracking
https://github.com/DeepMyst/Mysti/pull/49
issue-tracking
patch
https://github.com/DeepMyst/Mysti/commit/6d709229b5199f6769fb3cf763e5122dcc43c079
patch
https://github.com/DeepMyst/Mysti/
product
Hyperlink: https://vuldb.com/vuln/376119
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/vuln/376119/cti
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/cve/CVE-2026-14611
Resource:
third-party-advisory
Hyperlink: https://vuldb.com/submit/844651
Resource:
third-party-advisory
Hyperlink: https://github.com/DeepMyst/Mysti/issues/46
Resource:
issue-tracking
Hyperlink: https://github.com/DeepMyst/Mysti/pull/49
Resource:
issue-tracking
patch
Hyperlink: https://github.com/DeepMyst/Mysti/commit/6d709229b5199f6769fb3cf763e5122dcc43c079
Resource:
patch
Hyperlink: https://github.com/DeepMyst/Mysti/
Resource:
product
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:03 Jul, 2026 | 21:16
Updated At:03 Jul, 2026 | 21:16

A vulnerability has been found in DeepMyst Mysti up to 0.4.0. The affected element is the function initProjectMemory of the file src/managers/MemoryManager.ts of the component Per-Project Auto-Memory Handler. Such manipulation of the argument workspacePath leads to exposure of resource. The attack may be performed from remote. Upgrading to version 0.4.0 is sufficient to fix this issue. The name of the patch is 6d709229b5199f6769fb3cf763e5122dcc43c079. It is advisable to upgrade the affected component.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Secondary2.04.0MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 2.0
Base score: 4.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-200Primarycna@vuldb.com
CWE-668Primarycna@vuldb.com
CWE ID: CWE-200
Type: Primary
Source: cna@vuldb.com
CWE ID: CWE-668
Type: Primary
Source: cna@vuldb.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/DeepMyst/Mysti/cna@vuldb.com
N/A
https://github.com/DeepMyst/Mysti/commit/6d709229b5199f6769fb3cf763e5122dcc43c079cna@vuldb.com
N/A
https://github.com/DeepMyst/Mysti/issues/46cna@vuldb.com
N/A
https://github.com/DeepMyst/Mysti/pull/49cna@vuldb.com
N/A
https://vuldb.com/cve/CVE-2026-14611cna@vuldb.com
N/A
https://vuldb.com/submit/844651cna@vuldb.com
N/A
https://vuldb.com/vuln/376119cna@vuldb.com
N/A
https://vuldb.com/vuln/376119/cticna@vuldb.com
N/A
Hyperlink: https://github.com/DeepMyst/Mysti/
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/DeepMyst/Mysti/commit/6d709229b5199f6769fb3cf763e5122dcc43c079
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/DeepMyst/Mysti/issues/46
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/DeepMyst/Mysti/pull/49
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/cve/CVE-2026-14611
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/submit/844651
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/376119
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/376119/cti
Source: cna@vuldb.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1248Records found

CVE-2022-26850
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-4.3||MEDIUM
EPSS-1.44% / 69.85%
||
7 Day CHG~0.00%
Published-06 Apr, 2022 | 17:40
Updated-03 Aug, 2024 | 05:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficiently protected credentials

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.

Action-Not Available
Vendor-The Apache Software Foundation
Product-nifiApache NiFi
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2026-54396
Matching Score-4
Assigner-Computer Incident Response Center Luxembourg (CIRCL)
ShareView Details
Matching Score-4
Assigner-Computer Incident Response Center Luxembourg (CIRCL)
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 15.83%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 20:48
Updated-15 Jun, 2026 | 17:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MISP AuthKey edit endpoint allows authenticated user email enumeration

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.

Action-Not Available
Vendor-misp
Product-misp
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2016-0267
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.7||HIGH
EPSS-1.05% / 60.03%
||
7 Day CHG~0.00%
Published-29 Jun, 2016 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and 6.2.x before 6.2.1.1 allows remote authenticated users to obtain sensitive cleartext secure-property information via (1) the server UI or (2) a database request.

Action-Not Available
Vendor-n/aIBM Corporation
Product-urbancode_deployn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-7531
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.91% / 55.49%
||
7 Day CHG~0.00%
Published-17 Jul, 2017 | 16:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Moodle 3.3, the course overview block reveals activities in hidden courses.

Action-Not Available
Vendor-n/aMoodle Pty Ltd
Product-moodlen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-8336
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.60% / 44.23%
||
7 Day CHG~0.00%
Published-14 Apr, 2016 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Huawei FusionCompute with software before V100R005C10SPC700 allows remote authenticated users to obtain sensitive "role and permission" information via unspecified vectors.

Action-Not Available
Vendor-n/aHuawei Technologies Co., Ltd.
Product-fusioncomputen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-49355
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.71%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 19:29
Updated-29 Jun, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenProject: Private work package data disclosure through single meeting agenda item API

OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to a private/inaccessible project. This vulnerability is fixed in 17.4.0.

Action-Not Available
Vendor-opf
Product-openproject
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-49288
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.72%
||
7 Day CHG~0.00%
Published-19 Jun, 2026 | 18:11
Updated-22 Jun, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content, asset metadata, and the existence of users, roles, and groups. No data could be modified. This has been fixed in 5.73.23 and 6.20.0.

Action-Not Available
Vendor-statamic
Product-cms
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2015-4263
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4||MEDIUM
EPSS-1.50% / 71.14%
||
7 Day CHG~0.00%
Published-10 Jul, 2015 | 19:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Control and Provisioning functionality in Cisco Mobility Services Engine (MSE) 10.0(0.1) allows remote authenticated users to obtain sensitive information by reading log files, aka Bug ID CSCut36851.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-mobility_services_enginen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-7880
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.39% / 69.01%
||
7 Day CHG~0.00%
Published-13 Sep, 2017 | 16:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-6865
Matching Score-4
Assigner-ZTE Corporation
ShareView Details
Matching Score-4
Assigner-ZTE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.87% / 54.49%
||
7 Day CHG~0.00%
Published-30 Apr, 2020 | 21:16
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZTE SDN controller platform is impacted by an information leakage vulnerability. Due to the program's failure to optimize the response of failure to the request, the caller can directly view the internal error code location of the component. Attackers could exploit this vulnerability to obtain sensitive information. This affects: OSCP versions V16.19.10 and V16.19.20.

Action-Not Available
Vendor-n/aZTE Corporation
Product-oscpOSCP
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-19091
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-4.3||MEDIUM
EPSS-0.76% / 50.90%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 19:46
Updated-05 Aug, 2024 | 02:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ABB eSOMS: HTTP response information leakage

For ABB eSOMS versions 4.0 to 6.0.3, HTTPS responses contain comments with sensitive information about the application. An attacker might use this detail information to specifically craft the attack.

Action-Not Available
Vendor-Hitachi Energy Ltd.ABB
Product-esomseSOMS
CWE ID-CWE-16
Not Available
CWE ID-CWE-202
Exposure of Sensitive Information Through Data Queries
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-47351
Matching Score-4
Assigner-f4fb688c-4412-4426-b4b8-421ecf27b14a
ShareView Details
Matching Score-4
Assigner-f4fb688c-4412-4426-b4b8-421ecf27b14a
CVSS Score-5.3||MEDIUM
EPSS-0.24% / 14.75%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 10:52
Updated-11 Jun, 2026 | 13:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TYPO3 CMS - Broken Access Control in Clipboard

Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2.

Action-Not Available
Vendor-TYPO3 Association
Product-TYPO3 CMS
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2026-9583
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.24% / 15.24%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 21:00
Updated-28 May, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester CET Automated Grading System with AI Predictive Analytics SQL index.php information exposure

A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. Executing a manipulation can lead to information exposure through error message. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.

Action-Not Available
Vendor-SourceCodester
Product-CET Automated Grading System with AI Predictive Analytics
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-209
Generation of Error Message Containing Sensitive Information
CVE-2015-7677
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-2.95% / 85.49%
||
7 Day CHG~0.00%
Published-10 Feb, 2016 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The MOVEitISAPI service in Ipswitch MOVEit DMZ before 8.2 provides different error messages depending on whether a FileID exists, which allows remote authenticated users to enumerate FileIDs via the X-siLock-FileID parameter in a download action to MOVEitISAPI/MOVEitISAPI.dll.

Action-Not Available
Vendor-n/aIpswitch, Inc.
Product-moveit_dmzn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-8995
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.28% / 20.12%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 02:27
Updated-29 May, 2026 | 13:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Poll Maker by AYS <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the 'ays_poll_get_user_information' AJAX action, which serializes and returns the complete WP_User object — including the user_pass (bcrypt password hash), user_email, user_login, user_registered, roles, and all capabilities — without any nonce verification or capability check beyond is_user_logged_in(). This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive account data including their own password hash, which WordPress does not expose through any of its standard interfaces and which can be leveraged for offline password-cracking attacks.

Action-Not Available
Vendor-AYS Pro Extensions
Product-Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-26070
Matching Score-4
Assigner-Splunk Inc.
ShareView Details
Matching Score-4
Assigner-Splunk Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.60% / 44.63%
||
7 Day CHG+0.01%
Published-06 May, 2022 | 16:37
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Error message discloses internal path

When handling a mismatched pre-authentication cookie, the application leaks the internal error message in the response, which contains the Splunk Enterprise local system path. The vulnerability impacts Splunk Enterprise versions before 8.1.0.

Action-Not Available
Vendor-Splunk LLC (Cisco Systems, Inc.)
Product-splunkSplunk Enterprise
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-209
Generation of Error Message Containing Sensitive Information
CVE-2020-14371
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.87% / 54.31%
||
7 Day CHG~0.00%
Published-02 Jun, 2021 | 12:12
Updated-04 Aug, 2024 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A credential leak vulnerability was found in Red Hat Satellite. This flaw exposes the compute resources credentials through VMs that are running on these resources in Satellite.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-satelliteRed Hat Satellite
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-8399
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-61.11% / 99.05%
||
7 Day CHG~0.00%
Published-11 Apr, 2016 | 21:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.

Action-Not Available
Vendor-n/aAtlassian
Product-confluencen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-8473
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.72% / 74.66%
||
7 Day CHG~0.00%
Published-12 Apr, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.

Action-Not Available
Vendor-redminen/aDebian GNU/Linux
Product-debian_linuxredminen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-8703
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-6.5||MEDIUM
EPSS-4.86% / 90.95%
||
7 Day CHG~0.00%
Published-30 Dec, 2015 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE and ZXV10 W300 devices W300V1.0.0f_ER1_PE allow remote authenticated users to bypass intended access restrictions, and discover credentials and keys, by reading the configuration file, a different vulnerability than CVE-2015-7248.

Action-Not Available
Vendor-n/aZTE Corporation
Product-zxv10_w300_firmwarezxhn_h108n_r1azxhn_h108n_r1a_firmwarezxv10_w300n/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-3978
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.43% / 34.73%
||
7 Day CHG+0.02%
Published-27 Apr, 2025 | 17:00
Updated-12 May, 2025 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
dazhouda lecms user_set.htm information disclosure

A vulnerability was found in dazhouda lecms 3.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file admin/view/default/user_set.htm. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-lecmsdazhouda
Product-lecmslecms
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2015-7675
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-3.11% / 86.19%
||
7 Day CHG~0.00%
Published-10 Feb, 2016 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The "Send as attachment" feature in Ipswitch MOVEit DMZ before 8.2 and MOVEit Mobile before 1.2.2 allow remote authenticated users to bypass authorization and read uploaded files via a valid FileID in the (1) serverFileIds parameter to mobile/sendMsg or (2) arg01 parameter to human.aspx.

Action-Not Available
Vendor-n/aIpswitch, Inc.
Product-moveit_mobilemoveit_dmzn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-8007
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4||MEDIUM
EPSS-1.63% / 73.35%
||
7 Day CHG~0.00%
Published-09 Nov, 2015 | 18:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Echo extension for MediWiki does not properly implement the hideuser functionality, which allows remote authenticated users to see hidden usernames in "non-revision based" notifications, as demonstrated by viewing a hidden username in a Thanks notification.

Action-Not Available
Vendor-echo_projectn/a
Product-echon/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-6793
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.20% / 64.50%
||
7 Day CHG~0.00%
Published-07 Sep, 2017 | 21:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the Inventory Management feature of Cisco Prime Collaboration Provisioning Tool could allow an authenticated, remote attacker to view sensitive information on the system. The vulnerability is due to insufficient protection of restricted information. An attacker could exploit this vulnerability by accessing unauthorized information via the user interface. Cisco Bug IDs: CSCvd61932.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-prime_collaboration_provisioningCisco Prime Collaboration Provisioning Tool
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-7456
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.04% / 59.68%
||
7 Day CHG~0.00%
Published-01 Jan, 2016 | 11:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Spectrum Scale 4.1.1 before 4.1.1.4, and 4.2.0.0, allows remote authenticated users to discover object-storage admin passwords via unspecified vectors.

Action-Not Available
Vendor-n/aIBM Corporation
Product-spectrum_scalen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-7424
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.34% / 67.89%
||
7 Day CHG~0.00%
Published-26 Mar, 2018 | 18:00
Updated-06 Aug, 2024 | 07:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM InfoSphere Master Data Management (MDM) - Collaborative Edition 9.1, 10.1, 11.0, 11.3, 11.4, and 11.5 allow remote authenticated users to bypass intended access restrictions and obtain sensitive information by leveraging Catalogs access. IBM X-Force ID: 107780.

Action-Not Available
Vendor-n/aIBM Corporation
Product-infosphere_master_data_managementn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-6404
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4||MEDIUM
EPSS-0.95% / 57.05%
||
7 Day CHG~0.00%
Published-15 Dec, 2015 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cisco Hosted Collaboration Mediation Fulfillment 10.6(3) does not use RBAC, which allows remote authenticated users to obtain sensitive credential information by leveraging admin access and making SOAP API requests, aka Bug ID CSCuw84374.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-hosted_collaboration_solutionn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-1907
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4||MEDIUM
EPSS-1.63% / 73.35%
||
7 Day CHG~0.00%
Published-08 May, 2015 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4 before 8.1.4.7 allows remote authenticated users to read cookies via unspecified vectors.

Action-Not Available
Vendor-n/aIBM Corporation
Product-rational_license_key_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-7452
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.89% / 54.90%
||
7 Day CHG~0.00%
Published-02 Jan, 2016 | 21:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Maximo Asset Management 7.5 before 7.5.0.9 FP9 and 7.6 before 7.6.0.3 FP3 and Maximo Asset Management 7.5 before 7.5.0.9 FP9, 7.5.1, and 7.6 before 7.6.0.3 FP3 for SmartCloud Control Desk allow remote authenticated users to obtain sensitive information via the REST API.

Action-Not Available
Vendor-n/aIBM Corporation
Product-maximo_for_life_sciencesmaximo_for_transportationmaximo_asset_management_essentialsmaximo_for_governmentmaximo_for_nuclear_powermaximo_asset_managementmaximo_for_oil_and_gasmaximo_for_utilitiessmartcloud_control_deskn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-10334
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-4.3||MEDIUM
EPSS-1.05% / 60.18%
||
7 Day CHG~0.00%
Published-19 Oct, 2017 | 17:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Container). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

Action-Not Available
Vendor-n/aOracle Corporation
Product-weblogic_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-7401
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.34% / 67.89%
||
7 Day CHG~0.00%
Published-26 Mar, 2018 | 18:00
Updated-06 Aug, 2024 | 07:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Curam Social Program Management 6.1.x before 6.1.1.1 allows remote authenticated users to bypass intended access restrictions and obtain sensitive document information by guessing the document id. IBM X-Force ID: 107106.

Action-Not Available
Vendor-n/aIBM Corporation
Product-curam_social_program_managementn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-7484
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.95% / 56.72%
||
7 Day CHG-0.02%
Published-16 Jan, 2018 | 19:00
Updated-06 Aug, 2024 | 07:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Rational Engineering Lifecycle Manager 3.0 before 3.0.1.6 iFix7 Interim Fix 1 and 4.0 before 4.0.7 iFix10 allow remote authenticated users with access to lifecycle projects to obtain sensitive information by sending a crafted URL to the Lifecycle Query Engine. IBM X-Force ID: 108619.

Action-Not Available
Vendor-n/aIBM Corporation
Product-rational_engineering_lifecycle_managern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-7514
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.58% / 72.47%
||
7 Day CHG~0.00%
Published-07 Jun, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after use, which allows remote authenticated users to obtain sensitive information.

Action-Not Available
Vendor-n/aOpenStack
Product-ironicn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-18461
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.77% / 51.09%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 14:44
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.3 when a sub group epic is added to a public group. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-6344
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4||MEDIUM
EPSS-1.37% / 68.52%
||
7 Day CHG~0.00%
Published-30 Oct, 2015 | 10:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The web-based GUI in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security 9.3(4.1.11) allows remote authenticated users to bypass intended access restrictions and obtain sensitive user information via an unspecified HTTP request, aka Bug ID CSCuv74105.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-asa_cx_context-aware_security_softwaren/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-44780
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 8.69%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 20:22
Updated-17 Jun, 2026 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse: Category queue reviewers can read raw incoming emails from queued posts

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, ReviewableQueuedPostSerializer unconditionally included payload["raw_email"] for posts that arrived via incoming email. Category moderation group members reaching the review queue could therefore read the full inbound email source (headers, sender trace, MUA, body) without being in view_raw_email_allowed_groups — the trust boundary that gates the dedicated raw-email endpoint. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-3966
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 31.63%
||
7 Day CHG+0.02%
Published-27 Apr, 2025 | 10:00
Updated-12 May, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itwanger paicoding Browsing History home information disclosure

A vulnerability was found in itwanger paicoding 1.0.3 and classified as problematic. Affected by this issue is some unknown functionality of the file /user/home?userId=1&homeSelectType=read of the component Browsing History Handler. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-itwangeritwanger
Product-paicodingpaicoding
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-3851
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 14.84%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 01:43
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Manager and Payment Form WordPress Plugin – WP SmartPay 1.1.0 - 2.7.13 - Authenticated (Subscriber+) Information Exposure

The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 1.1.0 to 2.7.13 via the show() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's data like email address, name, and notes.

Action-Not Available
Vendor-themesgrove
Product-Download Manager and Payment Form WordPress Plugin – WP SmartPay
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-6261
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4||MEDIUM
EPSS-1.55% / 71.96%
||
7 Day CHG~0.00%
Published-26 Aug, 2015 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows remote authenticated users to bypass intended access restrictions and read configuration files by leveraging the Mobile and Remote Access (MRA) role and establishing a TFTP session, aka Bug ID CSCuv78531.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-telepresence_video_communication_server_softwaren/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-5443
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-4||MEDIUM
EPSS-1.17% / 63.52%
||
7 Day CHG~0.00%
Published-12 Oct, 2015 | 10:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HP 3PAR Service Processor SP 4.2.0.GA-29 (GA) SPOCC, SP 4.3.0.GA-17 (GA) SPOCC, and SP 4.3.0-GA-24 (MU1) SPOCC allows remote authenticated users to obtain sensitive information via unspecified vectors.

Action-Not Available
Vendor-n/aHP Inc.
Product-3par_service_processor_spn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-5712
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4||MEDIUM
EPSS-1.69% / 74.22%
||
7 Day CHG~0.00%
Published-28 Oct, 2015 | 10:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Spotfire Parsing Library and Spotfire Security Filter in TIBCO Spotfire Server 5.5.x before 5.5.4, 6.0.x before 6.0.5, 6.5.x before 6.5.4, and 7.0.x before 7.0.1 and Spotfire Analytics Platform before 7.0.2 for AWS Marketplace allow remote authenticated users to obtain sensitive system information by visiting an unspecified URL.

Action-Not Available
Vendor-n/aTIBCO (Cloud Software Group, Inc.)
Product-spotfire_analytics_platform_for_awsspotfire_servern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-5268
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-1.58% / 72.50%
||
7 Day CHG~0.00%
Published-22 Feb, 2016 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The rating component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 mishandles group-based authorization checks, which allows remote authenticated users to obtain sensitive information by reading a rating value.

Action-Not Available
Vendor-n/aMoodle Pty Ltd
Product-moodlen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-25780
Matching Score-4
Assigner-Secomea A/S
ShareView Details
Matching Score-4
Assigner-Secomea A/S
CVSS Score-4.3||MEDIUM
EPSS-0.58% / 43.61%
||
7 Day CHG+0.01%
Published-04 May, 2022 | 13:52
Updated-03 Aug, 2024 | 04:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information leak via device availability query function

Information Exposure vulnerability in web UI of Secomea GateManager allows logged in user to query devices outside own scope.

Action-Not Available
Vendor-Secomea A/S
Product-gatemanager_9250_firmwaregatemanager_8250gatemanager_8250_firmwaregatemanager_9250gatemanager_4250gatemanager_4260gatemanager_4250_firmwaregatemanager_4260_firmwareGateManager
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-5403
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-4||MEDIUM
EPSS-1.60% / 72.81%
||
7 Day CHG~0.00%
Published-27 Aug, 2015 | 01:50
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Operating Environment before 7.5.0 and other products, allows remote authenticated users to obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2015-2139.

Action-Not Available
Vendor-n/aHP Inc.
Product-systems_insight_managermatrix_operating_environmentn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-44779
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 14.33%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 20:22
Updated-15 Jun, 2026 | 20:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse: Bot debug endpoints disclose whisper translation audit logs

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, bot debug endpoints disclose whisper translation audit logs. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discourse
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-44785
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 8.69%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 20:24
Updated-17 Jun, 2026 | 18:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse: Hidden reply-to post raw can be disclosed through AI explain prompts

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the AI "explain" helper only checks can_see? on the post being explained, not its reply_to_post, so any authenticated user with access to the AI helper could read the raw contents of a hidden parent post by invoking "Explain" on a reply to it. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-5711
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4||MEDIUM
EPSS-2.28% / 81.01%
||
7 Day CHG~0.00%
Published-29 Sep, 2015 | 18:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TIBCO Managed File Transfer Internet Server before 7.2.5, Managed File Transfer Command Center before 7.2.5, Slingshot before 1.9.4, and Vault before 2.0.1 allow remote authenticated users to obtain sensitive information via a crafted HTTP request.

Action-Not Available
Vendor-n/aTIBCO (Cloud Software Group, Inc.)
Product-vaultmanaged_file_transfer_internet_serverslingshotmanaged_file_transfer_command_centern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-10104
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.83% / 52.99%
||
7 Day CHG~0.00%
Published-05 Mar, 2020 | 00:37
Updated-04 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Zammad 3.0 through 3.2. After authentication, it transmits sensitive information to the user that may be compromised and used by an attacker to gain unauthorized access. Hashed passwords are returned to the user when visiting a certain URL.

Action-Not Available
Vendor-zammadn/a
Product-zammadn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-3628
Matching Score-4
Assigner-Fedora Project
ShareView Details
Matching Score-4
Assigner-Fedora Project
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 18.91%
||
7 Day CHG~0.00%
Published-25 Apr, 2025 | 14:42
Updated-29 Apr, 2025 | 13:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Moodle: moodle assignment submission search leaks anonymous student identities

A flaw has was found in Moodle where anonymous assignment submissions can be de-anonymized via search, revealing student identities.

Action-Not Available
Vendor-
Product-
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-5340
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-1.28% / 66.43%
||
7 Day CHG-0.04%
Published-22 Feb, 2016 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbadges capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) badges/overview.php or (2) badges/view.php.

Action-Not Available
Vendor-n/aMoodle Pty Ltd
Product-moodlen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 24
  • 25
  • Next
Details not found