Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-24477

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-26 Jan, 2026 | 23:22
Updated At-27 Jan, 2026 | 21:30
Rejected At-
Credits

AnythingLLM has key leak in `systemSettings.js`

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:26 Jan, 2026 | 23:22
Updated At:27 Jan, 2026 | 21:30
Rejected At:
â–¼CVE Numbering Authority (CNA)
AnythingLLM has key leak in `systemSettings.js`

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue.

Affected Products
Vendor
Mintplex-Labs
Product
anything-llm
Versions
Affected
  • < 1.10.0
Problem Types
TypeCWE IDDescription
CWECWE-201CWE-201: Insertion of Sensitive Information Into Sent Data
Type: CWE
CWE ID: CWE-201
Description: CWE-201: Insertion of Sensitive Information Into Sent Data
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwf
x_refsource_CONFIRM
Hyperlink: https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwf
Resource:
x_refsource_CONFIRM
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:27 Jan, 2026 | 00:15
Updated At:28 Jan, 2026 | 15:59

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches
mintplexlabs
mintplexlabs
>>anythingllm>>Versions before 1.10.0(exclusive)
cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-201Primarysecurity-advisories@github.com
CWE ID: CWE-201
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwfsecurity-advisories@github.com
Exploit
Vendor Advisory
Hyperlink: https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwf
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

53Records found
CVE-2024-7783
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.9||MEDIUM
EPSS-0.10% / 26.68%
||
7 Day CHG~0.00%
Published-29 Oct, 2024 | 12:49
Updated-31 Oct, 2024 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Storage of Sensitive Information in Bearer Token in mintplex-labs/anything-llm

mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext. This improper storage of sensitive information poses significant security risks, as an attacker who gains access to the JWT can easily decode it and retrieve the password. The issue is fixed in version 1.0.3.

Action-Not Available
Vendor-mintplexlabsmintplex-labsminiplex_labs
Product-anythingllmmintplex-labs/anything-llmminiplex_labs\/anything_lim
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-4898
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.2||HIGH
EPSS-0.08% / 23.98%
||
7 Day CHG~0.00%
Published-11 Sep, 2023 | 23:27
Updated-26 Sep, 2024 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication Bypass by Primary Weakness in mintplex-labs/anything-llm

Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.

Action-Not Available
Vendor-mintplexlabsmintplex-labsmintplexlabs
Product-anything-llmmintplex-labs/anything-llmanything-llm
CWE ID-CWE-305
Authentication Bypass by Primary Weakness
CVE-2024-0455
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.9||CRITICAL
EPSS-0.13% / 32.84%
||
7 Day CHG~0.00%
Published-25 Feb, 2024 | 08:10
Updated-27 Feb, 2025 | 03:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF on AWS deployed instances of AnythingLLM via /metadata

The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL ``` http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance ``` which is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it. The user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup.

Action-Not Available
Vendor-mintplexlabsmintplex-labsmintplex-labs
Product-anythingllmmintplex-labs/anything-llmmintplex-labs\/anything-llm
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-4084
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.7||HIGH
EPSS-0.08% / 23.21%
||
7 Day CHG~0.00%
Published-05 Jun, 2024 | 00:00
Updated-01 Aug, 2024 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF vulnerability in mintplex-labs/anything-llm

A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses starting with 192, 172, 10, and 127 through regular expressions and limit access protocols to HTTP and HTTPS, attackers can still bypass these restrictions using alternative representations of IP addresses and accessing other ports running on localhost. This vulnerability enables attackers to access any asset on the internal network, attack web services on the internal network, scan hosts on the internal network, and potentially access AWS metadata endpoints. The vulnerability is due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.

Action-Not Available
Vendor-mintplexlabsmintplex-labsmintplex-labs
Product-anythingllmmintplex-labs/anything-llmmintplex-labs\/anything-llm
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-5213
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 47.62%
||
7 Day CHG~0.00%
Published-20 Jun, 2024 | 02:15
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of Sensitive Information in mintplex-labs/anything-llm

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.

Action-Not Available
Vendor-mintplexlabsmintplex-labs
Product-anythingllmmintplex-labs/anything-llm
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2023-49261
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-7.5||HIGH
EPSS-0.09% / 26.06%
||
7 Day CHG~0.00%
Published-12 Jan, 2024 | 14:25
Updated-10 Oct, 2024 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sensitive authentication-related value accessible publicly

The "tokenKey" value used in user authorization is visible in the HTML source of the login page.

Action-Not Available
Vendor-hongdianHongdianhongdian
Product-h8951-4g-esph8951-4g-esp_firmwareH8951-4G-ESPh8951-4g-esp_firmware
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2020-5364
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 49.06%
||
7 Day CHG~0.00%
Published-20 May, 2020 | 20:45
Updated-16 Sep, 2024 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC Isilon OneFS versions 8.2.2 and earlier contain an SNMPv2 vulnerability. The SNMPv2 services is enabled, by default, with a pre-configured community string. This community string allows read-only access to many aspects of the Isilon cluster, some of which are considered sensitive and can foster additional access.

Action-Not Available
Vendor-Dell Inc.
Product-emc_isilon_onefsIsilon OneFS
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-38013
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 29.54%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 13:55
Updated-13 Aug, 2025 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Cloud Pak System information disclosure

IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information in HTTP responses that could aid in further attacks against the system.

Action-Not Available
Vendor-IBM Corporation
Product-cloud_pak_systemCloud Pak System
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-13295
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-7.5||HIGH
EPSS-0.04% / 13.46%
||
7 Day CHG~0.00%
Published-02 Dec, 2025 | 13:43
Updated-12 Feb, 2026 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sensitive Data Exposure in ArgusTech's BILGER

Insertion of Sensitive Information Into Sent Data vulnerability in Argus Technology Inc. BILGER allows Choosing Message Identifier.This issue affects BILGER: before 2.4.9.

Action-Not Available
Vendor-argusteknolojiArgus Technology Inc.
Product-bilgerBILGER
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-68989
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 13.58%
||
7 Day CHG~0.00%
Published-30 Dec, 2025 | 10:47
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form 7 Extension For Mailchimp plugin <= 0.9.49 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp contact-form-7-mailchimp-extension allows Retrieve Embedded Sensitive Data.This issue affects Contact Form 7 Extension For Mailchimp: from n/a through <= 0.9.49.

Action-Not Available
Vendor-Renzo Johnson
Product-Contact Form 7 Extension For Mailchimp
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-68033
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 13.58%
||
7 Day CHG~0.00%
Published-05 Jan, 2026 | 10:39
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Custom Related Posts plugin <= 1.8.0 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data.This issue affects Custom Related Posts: from n/a through 1.8.0.

Action-Not Available
Vendor-Brecht
Product-Custom Related Posts
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-68516
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 13.58%
||
7 Day CHG~0.00%
Published-24 Dec, 2025 | 12:31
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Tablesome plugin <= 1.1.35.1 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Essekia Tablesome tablesome allows Retrieve Embedded Sensitive Data.This issue affects Tablesome: from n/a through <= 1.1.35.1.

Action-Not Available
Vendor-Essekia
Product-Tablesome
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-67931
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 13.58%
||
7 Day CHG~0.00%
Published-08 Jan, 2026 | 09:17
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BulletProof Security plugin <= 6.9 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in AITpro BulletProof Security bulletproof-security allows Retrieve Embedded Sensitive Data.This issue affects BulletProof Security: from n/a through <= 6.9.

Action-Not Available
Vendor-AITpro
Product-BulletProof Security
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2024-7713
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.41% / 61.02%
||
7 Day CHG+0.11%
Published-27 Sep, 2024 | 06:00
Updated-27 Aug, 2025 | 12:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI Chatbot with ChatGPT by AYS <= 2.0.9 - Unauthenticated OpenAI Key Disclosure

The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 discloses the Open AI API Key, allowing unauthenticated users to obtain it

Action-Not Available
Vendor-UnknownAYS Pro Extensions
Product-chatgpt_assistantAI ChatBot with ChatGPT and Content Generator by AYSai_chatbot_with_chatgpt
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2025-64213
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 13.58%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MasterStudy LMS Pro plugin < 4.7.16 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in StylemixThemes MasterStudy LMS Pro masterstudy-lms-learning-management-system-pro allows Retrieve Embedded Sensitive Data.This issue affects MasterStudy LMS Pro: from n/a through < 4.7.16.

Action-Not Available
Vendor-StylemixThemes
Product-MasterStudy LMS Pro
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-63019
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 12.36%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:51
Updated-26 Jan, 2026 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Cookies and Content Security Policy plugin <= 2.34 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Johan Jonk Stenström Cookies and Content Security Policy cookies-and-content-security-policy allows Retrieve Embedded Sensitive Data.This issue affects Cookies and Content Security Policy: from n/a through <= 2.34.

Action-Not Available
Vendor-Johan Jonk Stenström
Product-Cookies and Content Security Policy
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2024-56300
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.54% / 67.03%
||
7 Day CHG-0.16%
Published-07 Jan, 2025 | 10:49
Updated-07 Jan, 2025 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Post/Page Copying Tool plugin <= 2.0.0 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in WPSpins Post/Page Copying Tool allows Retrieve Embedded Sensitive Data.This issue affects Post/Page Copying Tool: from n/a through 2.0.0.

Action-Not Available
Vendor-WPSpins
Product-Post/Page Copying Tool
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-62039
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 14.28%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 15:55
Updated-20 Jan, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AI ChatBot with ChatGPT and Content Generator by AYS plugin <= 2.6.6 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant allows Retrieve Embedded Sensitive Data.This issue affects AI ChatBot with ChatGPT and Content Generator by AYS: from n/a through <= 2.6.6.

Action-Not Available
Vendor-AYS Pro Extensions
Product-AI ChatBot with ChatGPT and Content Generator by AYS
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-59010
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 10.90%
||
7 Day CHG-0.02%
Published-26 Sep, 2025 | 08:31
Updated-30 Sep, 2025 | 15:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Permalink Manager Lite Plugin <= 2.5.1.3 - Sensitive Data Exposure Vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Maciej Bis Permalink Manager Lite allows Retrieve Embedded Sensitive Data. This issue affects Permalink Manager Lite: from n/a through 2.5.1.3.

Action-Not Available
Vendor-Maciej Bis
Product-Permalink Manager Lite
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-5920
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.06% / 19.46%
||
7 Day CHG~0.00%
Published-04 Jul, 2025 | 09:52
Updated-13 Jan, 2026 | 21:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sharable Password Protected Posts < 1.1.1 - Unauthenticated Password Protect Post Access

The Sharable Password Protected Posts before version 1.1.1 allows access to password protected posts by providing a secret key in a GET parameter. However, the key is exposed by the REST API.

Action-Not Available
Vendor-fabiantodtUnknown
Product-private_post_shareSharable Password Protected Posts
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-59579
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.06% / 17.62%
||
7 Day CHG+0.01%
Published-22 Oct, 2025 | 14:32
Updated-20 Jan, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple Job Board plugin <= 2.13.7 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in PressTigers Simple Job Board simple-job-board allows Retrieve Embedded Sensitive Data.This issue affects Simple Job Board: from n/a through <= 2.13.7.

Action-Not Available
Vendor-PressTigers
Product-Simple Job Board
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-55715
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 12.75%
||
7 Day CHG~0.00%
Published-20 Aug, 2025 | 08:02
Updated-20 Aug, 2025 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Otter - Gutenberg Block Plugin <= 3.1.0 - Sensitive Data Exposure Vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Themeisle Otter - Gutenberg Block allows Retrieve Embedded Sensitive Data. This issue affects Otter - Gutenberg Block: from n/a through 3.1.0.

Action-Not Available
Vendor-Themeisle
Product-Otter - Gutenberg Block
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2024-53804
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.70% / 71.65%
||
7 Day CHG~0.00%
Published-06 Dec, 2024 | 13:05
Updated-11 Feb, 2025 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Mailster plugin <= 1.8.16.0 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster allows Retrieve Embedded Sensitive Data.This issue affects WP Mailster: from n/a through 1.8.16.0.

Action-Not Available
Vendor-wpmailsterbrandtossbrandtoss
Product-wp_mailsterWP Mailsterwpmailster
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2024-50633
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||NONE
EPSS-6.45% / 90.87%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 00:00
Updated-19 Sep, 2025 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product intentionally lets all users retrieve certain information about other user accounts (this functionality is, in the current design, not restricted to any privileged roles such as event organizer).

Action-Not Available
Vendor-cernCERN
Product-indicoIndico
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2020-8975
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-7.5||HIGH
EPSS-0.23% / 45.76%
||
7 Day CHG~0.00%
Published-17 Oct, 2022 | 21:15
Updated-12 May, 2025 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ZGR TPS200 NG Information Exposure

ZGR TPS200 NG in its 2.00 firmware version and 1.01 hardware version, allows a remote attacker with access to the web application and knowledge of the routes (URIs) used by the application, to access sensitive information about the system.

Action-Not Available
Vendor-zigorZGR
Product-zgr_tps200_ng_firmwarezgr_tps200_ngZGR TPS200 NG
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-3413
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 44.53%
||
7 Day CHG~0.00%
Published-29 Sep, 2023 | 08:30
Updated-20 Nov, 2025 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insertion of Sensitive Information Into Sent Data in GitLab

An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-24430
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.2||HIGH
EPSS-0.04% / 12.36%
||
7 Day CHG~0.00%
Published-26 Jan, 2026 | 17:39
Updated-28 Jan, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda W30E V2 HTTP Responses Expose Plaintext Credentials

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception.

Action-Not Available
Vendor-Shenzhen Tenda Technology Co., Ltd.Tenda Technology Co., Ltd.
Product-w30ew30e_firmwareW30E V2
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-23781
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-22 Jan, 2025 | 14:29
Updated-23 Jan, 2025 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WM Options Import Export plugin <= 1.0.1 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in NotFound WM Options Import Export allows Retrieve Embedded Sensitive Data. This issue affects WM Options Import Export: from n/a through 1.0.1.

Action-Not Available
Vendor-NotFound
Product-WM Options Import Export
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-22303
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 36.98%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 10:48
Updated-11 Feb, 2025 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Mailster plugin <= 1.8.17.0 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster allows Retrieve Embedded Sensitive Data.This issue affects WP Mailster: from n/a through 1.8.17.0.

Action-Not Available
Vendor-wpmailsterbrandtoss
Product-wp_mailsterWP Mailster
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-48261
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.18%
||
7 Day CHG~0.00%
Published-09 Jun, 2025 | 15:53
Updated-02 Jul, 2025 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MultiVendorX <= 4.2.22 - Sensitive Data Exposure Vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in MultiVendorX MultiVendorX allows Retrieve Embedded Sensitive Data. This issue affects MultiVendorX: from n/a through 4.2.22.

Action-Not Available
Vendor-multivendorxMultiVendorX
Product-multivendorxMultiVendorX
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-68035
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 12.36%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:52
Updated-28 Jan, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Tabby Checkout plugin <= 5.8.4 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in tabbyai Tabby Checkout tabby-checkout allows Retrieve Embedded Sensitive Data.This issue affects Tabby Checkout: from n/a through <= 5.8.4.

Action-Not Available
Vendor-tabbyai
Product-Tabby Checkout
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-66116
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 13.58%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ultimate Member Widgets for Elementor plugin <= 2.3 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in UserElements Ultimate Member Widgets for Elementor ultimate-member-widgets-for-elementor allows Retrieve Embedded Sensitive Data.This issue affects Ultimate Member Widgets for Elementor: from n/a through <= 2.3.

Action-Not Available
Vendor-UserElements
Product-Ultimate Member Widgets for Elementor
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-64218
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 13.58%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Passster plugin <= 4.2.19 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in WP Chill Passster content-protector allows Retrieve Embedded Sensitive Data.This issue affects Passster: from n/a through <= 4.2.19.

Action-Not Available
Vendor-WP Chill
Product-Passster
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-62947
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 14.28%
||
7 Day CHG~0.00%
Published-27 Oct, 2025 | 01:34
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Publitio plugin <= 2.2.3 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in publitio Publitio publitio allows Retrieve Embedded Sensitive Data.This issue affects Publitio: from n/a through <= 2.2.3.

Action-Not Available
Vendor-publitio
Product-Publitio
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-62109
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 14.28%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:52
Updated-20 Jan, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Geo Controller plugin <= 8.9.4 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in INFINITUM FORM Geo Controller cf-geoplugin allows Retrieve Embedded Sensitive Data.This issue affects Geo Controller: from n/a through <= 8.9.4.

Action-Not Available
Vendor-INFINITUM FORM
Product-Geo Controller
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-62895
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 14.28%
||
7 Day CHG~0.00%
Published-27 Oct, 2025 | 01:33
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Atarim plugin <= 4.2 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Retrieve Embedded Sensitive Data.This issue affects Atarim: from n/a through <= 4.2.

Action-Not Available
Vendor-Vito Peleg
Product-Atarim
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-31134
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.11% / 30.40%
||
7 Day CHG+0.04%
Published-04 Jun, 2025 | 19:35
Updated-10 Jun, 2025 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FreshRSS vulnerable to directory enumeration via ext.php

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server and potentially use that information to further attack the server. Version 1.26.2 contains a patch for the issue.

Action-Not Available
Vendor-freshrssFreshRSS
Product-freshrssFreshRSS
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-23774
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-22 Jan, 2025 | 14:29
Updated-23 Jan, 2025 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPDB to Sql plugin <= 1.2 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in NotFound WPDB to Sql allows Retrieve Embedded Sensitive Data. This issue affects WPDB to Sql: from n/a through 1.2.

Action-Not Available
Vendor-NotFound
Product-WPDB to Sql
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-49584
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.02% / 6.26%
||
7 Day CHG-0.01%
Published-13 Jun, 2025 | 17:21
Updated-03 Sep, 2025 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki makes title of inaccessible pages available through the class property values REST API

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-48331
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.07% / 21.40%
||
7 Day CHG~0.00%
Published-30 May, 2025 | 14:01
Updated-30 May, 2025 | 22:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Orders & Customers Exporter <= 5.0 - Sensitive Data Exposure Vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Vanquish WooCommerce Orders & Customers Exporter allows Retrieve Embedded Sensitive Data.This issue affects WooCommerce Orders & Customers Exporter: from n/a through 5.0.

Action-Not Available
Vendor-Vanquish
Product-WooCommerce Orders & Customers Exporter
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-48045
Matching Score-4
Assigner-Rapid7, Inc.
ShareView Details
Matching Score-4
Assigner-Rapid7, Inc.
CVSS Score-8.7||HIGH
EPSS-0.14% / 34.11%
||
7 Day CHG+0.01%
Published-29 May, 2025 | 12:29
Updated-29 May, 2025 | 14:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MICI Network Co. Ltd. NetFax Server Default Administrator Credentials Disclosure

An unauthenticated HTTP GET request to the /client.php endpoint will disclose the default administrator user credentials.

Action-Not Available
Vendor-MICI Network Co. Ltd.
Product-NetFax Server
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-47541
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.08% / 23.16%
||
7 Day CHG+0.01%
Published-23 May, 2025 | 12:43
Updated-23 May, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Mail Mint <= 1.17.7 - Sensitive Data Exposure Vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in WPFunnels Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a through 1.17.7.

Action-Not Available
Vendor-WPFunnels
Product-Mail Mint
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-47444
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 12.75%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 06:37
Updated-13 Nov, 2025 | 11:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GiveWP Plugin < 4.6.1 is vulnerable to Sensitive Data (PII) Exposure

Insertion of Sensitive Information Into Sent Data vulnerability in Liquid Web GiveWP allows Retrieve Embedded Sensitive Data.This issue affects GiveWP: from n/a before 4.6.1.

Action-Not Available
Vendor-Liquid Web, LLC
Product-GiveWP
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2020-37150
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.23% / 46.05%
||
7 Day CHG+0.09%
Published-05 Feb, 2026 | 16:13
Updated-18 Feb, 2026 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Edimax Technology EW-7438RPn-v3 Mini 1.27 - Unauthorized Access: Wi-Fi Password Disclosure

Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wireless password by sending a GET request to this endpoint, exposing sensitive information without authentication.

Action-Not Available
Vendor-EDIMAX TechnologyEdimax Technology Company Ltd.
Product-ew-7438rpn_miniew-7438rpn_mini_firmwareEW-7438RPn Mini
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2020-37093
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.84%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 22:01
Updated-04 Feb, 2026 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netis E1+ 1.2.32533 - Unauthenticated WiFi Password Leak

Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET request to the endpoint to extract sensitive network credentials including SSID and WiFi passwords in plain text.

Action-Not Available
Vendor-Netis Systems Co., Ltd.
Product-Netis E1+
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2024-13259
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-7.5||HIGH
EPSS-0.39% / 59.25%
||
7 Day CHG+0.21%
Published-09 Jan, 2025 | 19:11
Updated-04 Jun, 2025 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023

Insertion of Sensitive Information Into Sent Data vulnerability in Drupal Image Sizes allows Forceful Browsing.This issue affects Image Sizes: from 0.0.0 before 3.0.2.

Action-Not Available
Vendor-image_sizes_projectThe Drupal Association
Product-image_sizesImage Sizes
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2024-13276
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-7.5||HIGH
EPSS-0.19% / 41.29%
||
7 Day CHG+0.03%
Published-09 Jan, 2025 | 19:28
Updated-02 Sep, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040

Insertion of Sensitive Information Into Sent Data vulnerability in Drupal File Entity (fieldable files) allows Forceful Browsing.This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.39.

Action-Not Available
Vendor-file_entity_projectThe Drupal Association
Product-file_entityFile Entity (fieldable files)
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2024-6747
Matching Score-4
Assigner-Checkmk GmbH
ShareView Details
Matching Score-4
Assigner-Checkmk GmbH
CVSS Score-5.3||MEDIUM
EPSS-0.31% / 53.81%
||
7 Day CHG~0.00%
Published-10 Oct, 2024 | 07:43
Updated-15 Oct, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information leak in mknotifyd

Information leakage in mknotifyd in Checkmk before 2.3.0p18, 2.2.0p36, 2.1.0p49 and in 2.0.0p39 (EOL) allows attacker to get potentially sensitive data

Action-Not Available
Vendor-Checkmk GmbH
Product-checkmkCheckmkcheckmk
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-32635
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.31% / 53.52%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:47
Updated-17 Apr, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hive Support plugin <= 1.2.2 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Hive Support Hive Support allows Retrieve Embedded Sensitive Data. This issue affects Hive Support: from n/a through 1.2.2.

Action-Not Available
Vendor-Hive Support
Product-Hive Support
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-32594
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.31% / 53.52%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:47
Updated-17 Apr, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple WP Events plugin <= 1.8.17 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in WPMinds Simple WP Events allows Retrieve Embedded Sensitive Data. This issue affects Simple WP Events: from n/a through 1.8.17.

Action-Not Available
Vendor-WPMinds
Product-Simple WP Events
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
  • Previous
  • 1
  • 2
  • Next
Details not found