Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-35142

Summary
Assigner-HCL
Assigner Org ID-1e47fe04-f25f-42fa-b674-36de2c5e3cfc
Published At-16 Jul, 2026 | 13:02
Updated At-16 Jul, 2026 | 14:14
Rejected At-
Credits

HCL DFXAnalytics is affected by an Internal IP Address Disclosure vulnerability.

HCL DFXAnalytics is affected by an Internal IP Address Disclosure vulnerability. The application includes internal IP address details within its generated server responses, which could allow a remote attacker to gather sensitive network topology information and use it to map the internal infrastructure for further targeted attacks.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:HCL
Assigner Org ID:1e47fe04-f25f-42fa-b674-36de2c5e3cfc
Published At:16 Jul, 2026 | 13:02
Updated At:16 Jul, 2026 | 14:14
Rejected At:
▼CVE Numbering Authority (CNA)
HCL DFXAnalytics is affected by an Internal IP Address Disclosure vulnerability.

HCL DFXAnalytics is affected by an Internal IP Address Disclosure vulnerability. The application includes internal IP address details within its generated server responses, which could allow a remote attacker to gather sensitive network topology information and use it to map the internal infrastructure for further targeted attacks.

Affected Products
Vendor
HCL Technologies Ltd.HCL Software
Product
DFXAnalytics
Default Status
unaffected
Versions
Affected
  • version 3.0 and below
Problem Types
TypeCWE IDDescription
CWECWE-200CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Type: CWE
CWE ID: CWE-200
Description: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Metrics
VersionBase scoreBase severityVector
3.12.6LOW
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Version: 3.1
Base score: 2.6
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131787
N/A
Hyperlink: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131787
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@hcl.com
Published At:16 Jul, 2026 | 14:16
Updated At:17 Jul, 2026 | 16:27

HCL DFXAnalytics is affected by an Internal IP Address Disclosure vulnerability. The application includes internal IP address details within its generated server responses, which could allow a remote attacker to gather sensitive network topology information and use it to map the internal infrastructure for further targeted attacks.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.12.6LOW
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Primary3.18.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
N/A
Type: Secondary
Version: 3.1
Base score: 2.6
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

HCL Technologies Ltd.
hcltech
>>dfxanalytics>>Versions up to 3.0(inclusive)
cpe:2.3:a:hcltech:dfxanalytics:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-200Secondarypsirt@hcl.com
CWE ID: CWE-200
Type: Secondary
Source: psirt@hcl.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131787psirt@hcl.com
Vendor Advisory
Hyperlink: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131787
Source: psirt@hcl.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

56Records found

CVE-2026-35141
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-2.6||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 12:59
Updated-17 Jul, 2026 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DFXAnalytics is affected by a Login Replay Attack vulnerability

HCL DFXAnalytics is affected by a Login Replay Attack vulnerability. The application allows a remote attacker to intercept, delay, or fraudulently retransmit valid authentication data to achieve unauthorized access. To mitigate this risk, the application must implement a mechanism to include timestamps with every message, ensuring that messages exceeding a specific age threshold are automatically rejected by the recipient system.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dfxanalyticsDFXAnalytics
CWE ID-CWE-294
Authentication Bypass by Capture-replay
CVE-2026-35147
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-8.2||HIGH
EPSS-Not Assigned
Published-16 Jul, 2026 | 11:04
Updated-16 Jul, 2026 | 12:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DFXServer is affected by a Broken Authentication vulnerability via direct API access.

HCL DFXServer is affected by a Broken Authentication vulnerability via direct API access. The application fails to verify the user's authentication status when accessing specific API endpoints, allowing an unauthenticated attacker to interact with the APIs and perform unauthorized actions without valid credentials.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-DFXServer
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-35149
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-8.2||HIGH
EPSS-Not Assigned
Published-16 Jul, 2026 | 11:03
Updated-16 Jul, 2026 | 12:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DFXServer is affected by an Authentication Bypass vulnerability via server response manipulation.

HCL DFXServer is affected by an Authentication Bypass vulnerability via server response manipulation. An unauthorized user without valid credentials can exploit this flaw by intercepting and altering the server's authentication responses, allowing them to gain unauthorized access to the application without verification.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-DFXServer
CWE ID-CWE-294
Authentication Bypass by Capture-replay
CVE-2022-44757
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-6.5||MEDIUM
EPSS-0.33% / 25.05%
||
7 Day CHG~0.00%
Published-11 Oct, 2023 | 06:13
Updated-18 Sep, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Insights for Vulnerability Remediation (IVR) is vulnerable to weak cryptography

BigFix Insights for Vulnerability Remediation (IVR) uses weak cryptography that can lead to credential exposure. An attacker could gain access to sensitive information, modify data in unexpected ways, etc.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_insights_for_vulnerability_remediationBigFix Insights for Vulnerability Remediation
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2023-45724
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-8.2||HIGH
EPSS-0.53% / 41.07%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 02:53
Updated-18 Jun, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated File Upload affects DRYiCE MyXalytics

HCL DRYiCE MyXalytics product is impacted by unauthenticated file upload vulnerability. The web application permits the upload of a certain file without requiring user authentication.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_myxalyticsDRYiCE MyXalytics
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-50351
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-8.2||HIGH
EPSS-0.24% / 15.45%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 01:45
Updated-18 Jun, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure key rotation affects MyXalytics

HCL DRYiCE MyXalytics is impacted by the use of an insecure key rotation mechanism which can allow an attacker to compromise the confidentiality or integrity of data.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_myxalyticsDRYiCE MyXalytics
CWE ID-CWE-327
Use of a Broken or Risky Cryptographic Algorithm
CVE-2023-50350
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-8.2||HIGH
EPSS-0.15% / 4.97%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 01:50
Updated-18 Jun, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A broken cryptographic algorithm impacts MyXalytics

HCL DRYiCE MyXalytics is impacted by the use of a broken cryptographic algorithm for encryption, potentially giving an attacker ability to decrypt sensitive information.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_myxalyticsDRYiCE MyXalytics
CWE ID-CWE-327
Use of a Broken or Risky Cryptographic Algorithm
CVE-2023-28010
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4||MEDIUM
EPSS-0.33% / 24.95%
||
7 Day CHG~0.00%
Published-08 Sep, 2023 | 17:36
Updated-26 Sep, 2024 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Domino is susceptible to a sensitive information disclosure vulnerability

In some configuration scenarios, the Domino server host name can be exposed. This information could be used to target future attacks.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dominoHCL Domino Server
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-35140
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 12:48
Updated-17 Jul, 2026 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DFXAnalytics is affected by a Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability

HCL DFXAnalytics is affected by a Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability. The application fails to set the "secure" attribute on session cookies generated during authentication, which could allow a remote attacker to intercept network traffic and capture sensitive cookies, session tokens, or credentials sent in cleartext over unencrypted channels.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dfxanalyticsDFXAnalytics
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-35143
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 13:04
Updated-17 Jul, 2026 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DFXAnalytics is affected by a Missing SameSite Attribute vulnerability.

HCL DFXAnalytics is affected by a Missing SameSite Attribute vulnerability. The application fails to set the "SameSite" attribute on session cookies generated during authentication, which could allow a remote attacker to execute Cross-Site Request Forgery (CSRF) attacks if additional mitigations, such as Anti-CSRF tokens, are not implemented.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dfxanalyticsDFXAnalytics
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-35145
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.1||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 13:05
Updated-17 Jul, 2026 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DFXAnalytics is affected by a Missing HTTP Strict-Transport-Security Header vulnerability.

HCL DFXAnalytics is affected by a Missing HTTP Strict-Transport-Security Header vulnerability. The application fails to implement the HTTP Strict Transport Security (HSTS) policy within its responses, which could allow a remote attacker to downgrade the communication channel to an unencrypted connection (HTTP) and conduct man-in-the-middle (MitM) attacks. To remediate this, the application must include the "Strict-Transport-Security" header in all web application responses.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dfxanalyticsDFXAnalytics
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-56456
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-16 Jul, 2026 | 13:15
Updated-17 Jul, 2026 | 19:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DFXAnalytics is affected by an Internal File Path Disclosure vulnerability.

HCL DFXAnalytics is affected by an Internal File Path Disclosure vulnerability. The application dashboard inadvertently leaks sensitive information regarding its internal file structure and directory paths through unhandled error messages, system logs, or debugging output, which could allow a remote attacker to map the underlying server environment and identify targets for further exploitation.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dfxanalyticsDFXAnalytics
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-42209
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.5||LOW
EPSS-0.20% / 9.57%
||
7 Day CHG~0.00%
Published-17 Jul, 2025 | 19:24
Updated-29 Oct, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Connections is vulnerable to an information disclosure vulnerability

HCL Connections is vulnerable to an information disclosure vulnerability that could allow a user to obtain sensitive information they are not entitled to, which is caused by improper handling of request data.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-connectionsConnections
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-42208
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.5||LOW
EPSS-0.25% / 16.31%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 05:22
Updated-29 Oct, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Connections is vulnerable to an information disclosure vulnerability

HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper handling of request data.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-connectionsHCL Connections
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-42179
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-2||LOW
EPSS-0.22% / 12.95%
||
7 Day CHG~0.00%
Published-12 Jan, 2025 | 21:46
Updated-16 May, 2025 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL MyXalytics is affected by sensitive information disclosure vulnerability

HCL MyXalytics is affected by sensitive information disclosure vulnerability. The HTTP response header exposes the Microsoft-HTTP API∕2.0 as the server's name & version.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_myxalyticsDRYiCE MyXalytics
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-38654
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.5||MEDIUM
EPSS-0.18% / 8.24%
||
7 Day CHG~0.00%
Published-04 Nov, 2022 | 20:19
Updated-02 May, 2025 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Domino is susceptible to an information disclosure vulnerability

HCL Domino is susceptible to an information disclosure vulnerability. In some scenarios, local calls made on the server to search the Domino directory will ignore xACL read restrictions. An authenticated attacker could leverage this vulnerability to access attributes from a user's person record.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dominoHCL Domino
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-30135
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.3||LOW
EPSS-0.33% / 24.82%
||
7 Day CHG~0.00%
Published-28 Jun, 2024 | 07:22
Updated-30 Oct, 2025 | 18:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sensitive Information Disclosure vulnerability affects DRYiCE AEX v10

HCL DRYiCE AEX is potentially impacted by disclosure of sensitive information in the mobile application when a snapshot is taken.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_aexDRYiCE AEX
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-23550
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6.2||MEDIUM
EPSS-0.21% / 11.72%
||
7 Day CHG~0.00%
Published-03 Feb, 2024 | 05:32
Updated-03 Jun, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DevOps Deploy / HCL Launch (UCD) may be vulnerable to sensitive information disclosure

HCL DevOps Deploy / HCL Launch (UCD) could disclose sensitive user information when installing the Windows agent.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_devops_deployhcl_launchLaunch / DevOps Deploy
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-50346
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.1||LOW
EPSS-0.31% / 23.45%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 01:59
Updated-18 Jun, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
An information disclosure affects DRYiCE MyXalytics

HCL DRYiCE MyXalytics is impacted by an information disclosure vulnerability. Certain endpoints within the application disclose detailed file information.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_myxalyticsDRYiCE MyXalytics
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-23563
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.9||LOW
EPSS-0.15% / 4.77%
||
7 Day CHG+0.01%
Published-12 Feb, 2025 | 13:47
Updated-25 Nov, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Connections Docs is vulnerable to a sensitive information disclosure

HCL Connections Docs is vulnerable to a sensitive information disclosure which could allow a user to obtain sensitive information they are not entitled to, caused by improper handling of request data.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-connections_docsConnections Docs
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-23562
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.3||MEDIUM
EPSS-0.47% / 37.93%
||
7 Day CHG~0.00%
Published-08 Jul, 2024 | 15:57
Updated-23 Oct, 2024 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Domino is susceptible to an information disclosure vulnerability

A security vulnerability in HCL Domino could allow disclosure of sensitive configuration information. A remote unauthenticated attacker could exploit this vulnerability to obtain information to launch further attacks against the affected system.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dominoDomino Serverdomino
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-30118
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.5||LOW
EPSS-0.29% / 21.07%
||
7 Day CHG~0.00%
Published-09 Oct, 2024 | 20:03
Updated-10 Oct, 2024 | 18:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Connections is susceptible to a sensitive information disclosure vulnerability

HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to because of improperly handling the request data.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-connectionsConnections
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-23557
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.5||LOW
EPSS-0.35% / 26.85%
||
7 Day CHG~0.00%
Published-18 Apr, 2024 | 18:21
Updated-29 Oct, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Connections is vulnerable to a user enumeration vulnerability

HCL Connections contains a user enumeration vulnerability. Certain actions could allow an attacker to determine if the user is valid or not, leading to a possible brute force attack.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-connectionsConnectionsconnections
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-55272
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.1||LOW
EPSS-0.22% / 13.06%
||
7 Day CHG~0.00%
Published-26 Mar, 2026 | 12:55
Updated-26 Mar, 2026 | 19:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Aftermarket DPC is affected by Banner Disclosure vulnerability

HCL Aftermarket DPC is affected by Banner Disclosure vulnerability where attackers gain insights into the system’s software and version details which would allow them to craft software specific attacks.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-aftermarket_cloudAftermarket DPC
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-55265
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 24.03%
||
7 Day CHG~0.00%
Published-26 Mar, 2026 | 13:02
Updated-26 Mar, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Aftermarket DPC is affected by File Discovery

HCL Aftermarket DPC is affected by File Discovery which allows attacker could exploit this issue to read sensitive files present in the system and may use it to craft further attacks.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-aftermarket_cloudAftermarket DPC
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-52630
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.7||LOW
EPSS-0.22% / 12.86%
||
7 Day CHG~0.00%
Published-10 Oct, 2025 | 09:55
Updated-24 Oct, 2025 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL AION is susceptible to Missing or insecure "X-Content-Type-Options" header vulnerability

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION.This issue affects AION: 2.0.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-aionAION
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-52634
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.7||LOW
EPSS-0.22% / 12.86%
||
7 Day CHG~0.00%
Published-10 Oct, 2025 | 09:40
Updated-24 Oct, 2025 | 19:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL AION is susceptible to Spring Boot Actuator Endpoints Exposed

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION This issue affects HCL AION: 2.0.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-aionHCL AION
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-31985
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.7||LOW
EPSS-0.16% / 5.31%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 11:28
Updated-20 May, 2026 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header

HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_service_managementBigFix Service Management (SM)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-31975
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-2.6||LOW
EPSS-0.17% / 6.88%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 13:51
Updated-07 May, 2026 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Service Management (SM) is affected by an Information Disclosure – Server Banner issue was identified.

HCL BigFix Service Management (SM) is affected by an Information Disclosure – Server Banner issue was identified. Exposed server banners may reveal software versions and system details, potentially aiding attackers in targeting known vulnerabilities.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_service_managementBigFix Service Management (SM)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-31984
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.7||LOW
EPSS-0.14% / 3.36%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 13:44
Updated-07 May, 2026 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header

HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_service_managementBigFix Service Management (SM)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-31964
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-2.2||LOW
EPSS-0.31% / 23.22%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 07:18
Updated-21 Jan, 2026 | 21:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix IVR is impacted by an improper service binding configuration

Improper service binding configuration in internal service components in HCL BigFix IVR version 4.2 allows a privileged attacker to impact service availability via exposure of administrative services bound to external network interfaces instead of the local authentication interface.

Action-Not Available
Vendor-HCLSoftwareHCL Technologies Ltd.
Product-bigfix_insights_for_vulnerability_remediationBigFix IVR
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-419
Unprotected Primary Channel
CVE-2025-31982
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.7||LOW
EPSS-0.15% / 4.89%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 13:46
Updated-06 May, 2026 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directl

HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_service_managementBigFix Service Management (SM)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-52649
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-1.8||LOW
EPSS-0.13% / 3.04%
||
7 Day CHG~0.00%
Published-16 Mar, 2026 | 14:36
Updated-25 Apr, 2026 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL AION is affected by a vulnerability where certain identifiers may be predictable in nature

HCL AION is affected by a vulnerability where certain identifiers may be predictable in nature. Predictable identifiers may allow an attacker to infer or guess system-generated values, potentially leading to limited information disclosure or unintended access under specific conditions.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-aionAION
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-52631
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.7||LOW
EPSS-0.20% / 9.88%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 18:16
Updated-11 Feb, 2026 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability.

HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks.. This issue affects AION: 2.0.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-aionAION
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-52613
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.6||MEDIUM
EPSS-0.23% / 14.22%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 13:50
Updated-07 May, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Service Management (SM) is affected by use of a vulnerable component

HCL BigFix Service Management (SM) is affected by use of a vulnerable WSGI Server was identified. Deploying an outdated or insecure WSGI server may expose the application to known security weaknesses, potentially increasing the risk of exploitation and unauthorized access.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_service_managementBigFix Service Management (SM)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-31976
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.8||MEDIUM
EPSS-0.16% / 5.84%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 13:49
Updated-29 Jun, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials

HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials for a short duration while communicating with a backend, internal application which could allow an attacker to potentially misuse them, if exfiltrated. .

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_service_managementBigFix Service Management (SM)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2025-31955
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-7.6||HIGH
EPSS-0.28% / 20.22%
||
7 Day CHG~0.00%
Published-24 Jul, 2025 | 20:59
Updated-10 Oct, 2025 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL iAutomate is affected by a sensitive data exposure vulnerability

HCL iAutomate is affected by a sensitive data exposure vulnerability. This issue may allow unauthorized access to sensitive information within the system.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_iautomateiAutomate
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-55276
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.1||LOW
EPSS-0.20% / 10.20%
||
7 Day CHG~0.00%
Published-26 Mar, 2026 | 12:46
Updated-26 Mar, 2026 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Aftermarket DPC is affected by Internal IP Disclosure vulnerability

HCL Aftermarket DPC is affected by Internal IP Disclosure vulnerability will give attackers a clearer map of the organization’s network layout.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-aftermarket_cloudAftermarket DPC
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-30106
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.5||LOW
EPSS-0.26% / 17.64%
||
7 Day CHG~0.00%
Published-28 Oct, 2024 | 21:35
Updated-08 Nov, 2024 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Connections is vulnerable to an information disclosure vulnerability

HCL Connections is vulnerable to an information disclosure vulnerability, due to an IBM WebSphere Application Server error, which could allow a user to obtain sensitive information they are not entitled to due to the improper handling of request data.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-connectionsConnections
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-56259
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.25% / 16.85%
||
7 Day CHG~0.00%
Published-12 Jul, 2026 | 12:06
Updated-14 Jul, 2026 | 21:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Crawl4AI - LLM Credential Exfiltration via base_url and Environment Variable Resolution

Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables. Attackers can exploit the unauthenticated /md, /llm, and /llm/job endpoints by supplying a malicious base_url parameter and setting api_token to env:VARIABLE_NAME to exfiltrate provider API keys and server secrets including JWT SECRET_KEY for authentication bypass.

Action-Not Available
Vendor-kidocodeCrawl4AI
Product-crawl4aiCrawl4AI
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-4927
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.7||MEDIUM
EPSS-0.35% / 26.91%
||
7 Day CHG~0.00%
Published-15 Mar, 2023 | 18:11
Updated-26 Feb, 2025 | 20:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Spectrum Scale information disclosure

A vulnerability in the Spectrum Scale 5.0.5.0 through 5.1.6.1 core component could allow unauthorized access to user data or injection of arbitrary data in the communication protocol. IBM X-Force ID: 191695.

Action-Not Available
Vendor-IBM Corporation
Product-spectrum_scaleSpectrum Scale
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-42564
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.32% / 23.79%
||
7 Day CHG~0.00%
Published-11 May, 2026 | 21:17
Updated-13 May, 2026 | 17:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jotty·page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0.

Action-Not Available
Vendor-fccview
Product-jotty
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-30845
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.29% / 20.98%
||
7 Day CHG~0.00%
Published-06 Mar, 2026 | 19:34
Updated-11 Mar, 2026 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wekan Exposes Sensitive Data through Lack of Field Filtering During Board Publication

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber. Since board publications are accessible to all board members regardless of their role (including read-only and comment-only users), and even to unauthenticated DDP clients for public boards, any user who can access a board can retrieve its webhook credentials. This token leak allows attackers to make unauthenticated requests to the exposed webhooks, potentially triggering unauthorized actions in connected external services. This issue has been fixed in version 8.34.

Action-Not Available
Vendor-wekan_projectWekan
Product-wekanWekan
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2022-47554
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-8.2||HIGH
EPSS-0.48% / 38.58%
||
7 Day CHG~0.00%
Published-19 Sep, 2023 | 12:35
Updated-03 Aug, 2024 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of Sensitive Information in Ormazabal products

Exposure of sensitive information in ekorCCP and ekorRCI, potentially allowing a remote attacker to obtain critical information from various .xml files, including .xml files containing credentials, without being authenticated within the web server.

Action-Not Available
Vendor-ormazabalOrmazabal
Product-ekorccp_firmwareekorrciekorrci_firmwareekorccpekorRCIekorCCP
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-29872
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.2||HIGH
EPSS-0.25% / 16.72%
||
7 Day CHG~0.00%
Published-30 Mar, 2026 | 00:00
Updated-06 Apr, 2026 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without proper session isolation. Because Streamlit serves multiple concurrent users from a single Python process, credentials provided by one user remain accessible to subsequent unauthenticated users. An attacker can exploit this issue to retrieve sensitive information such as GitHub Personal Access Tokens or LLM API keys, potentially leading to unauthorized access to private resources and financial abuse.

Action-Not Available
Vendor-theunwindain/a
Product-awesome_llm_appsn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2024-34711
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.26% / 17.67%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 14:33
Updated-26 Aug, 2025 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)

GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property.

Action-Not Available
Vendor-osgeogeoserver
Product-geoservergeoserver
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-31112
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-1.21% / 64.99%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 16:40
Updated-23 Apr, 2025 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Protected fields exposed via LiveQuery in parse-server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.

Action-Not Available
Vendor-parseplatformparse-community
Product-parse-serverparse-server
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-212
Improper Removal of Sensitive Information Before Storage or Transfer
CVE-2026-21532
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.2||HIGH
EPSS-0.84% / 53.76%
||
7 Day CHG~0.00%
Published-05 Feb, 2026 | 22:13
Updated-11 May, 2026 | 21:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure Function Information Disclosure Vulnerability

Azure Function Information Disclosure Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_functionsAzure Functions
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-21095
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-8.2||HIGH
EPSS-0.53% / 41.06%
||
7 Day CHG~0.00%
Published-16 Apr, 2024 | 21:26
Updated-18 Jun, 2025 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Supported versions that are affected are 19.12.0-19.12.22, 20.12.0-20.12.21, 21.12.0-21.12.18, 22.12.0-22.12.12 and 23.12.0-23.12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-primavera_p6_enterprise_project_portfolio_managementPrimavera P6 Enterprise Project Portfolio Managementprimavera_p6_enterprise_project_portfolio_management
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-1999-0468
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.2||HIGH
EPSS-3.25% / 86.91%
||
7 Day CHG~0.00%
Published-29 Sep, 1999 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Internet Explorer 5.0 allows a remote server to read arbitrary files on the client's file system using the Microsoft Scriptlet Component.

Action-Not Available
Vendor-n/aMicrosoft Corporation
Product-internet_explorern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
  • Previous
  • 1
  • 2
  • Next
Details not found