Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-56124

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-29 Jun, 2026 | 13:47
Updated At-29 Jun, 2026 | 15:11
Rejected At-
Credits

phpUploader < 2.0.2 Unauthenticated Database Exposure via index model

phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:29 Jun, 2026 | 13:47
Updated At:29 Jun, 2026 | 15:11
Rejected At:
▼CVE Numbering Authority (CNA)
phpUploader < 2.0.2 Unauthenticated Database Exposure via index model

phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

Affected Products
Vendor
shimosyan
Product
phpUploader
Repo
https://github.com/shimosyan/phpUploader
Default Status
affected
Versions
Affected
  • From 0 before 2.0.2 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-359Exposure of Private Personal Information to an Unauthorized Actor
CWECWE-497Exposure of Sensitive System Information to an Unauthorized Control Sphere
Type: CWE
CWE ID: CWE-359
Description: Exposure of Private Personal Information to an Unauthorized Actor
Type: CWE
CWE ID: CWE-497
Description: Exposure of Sensitive System Information to an Unauthorized Control Sphere
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
@rayyb0t (https://github.com/rayyb0t)
coordinator
VulnCheck
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/shimosyan/phpUploader/releases/tag/v2.0.2
release-notes
https://github.com/shimosyan/phpUploader/pull/294
issue-tracking
https://github.com/shimosyan/phpUploader/commit/45dc4f1c9a2de5ade427deebad0148834c0e8c50
patch
https://www.vulncheck.com/advisories/phpuploader-unauthenticated-database-exposure-via-index-model
third-party-advisory
Hyperlink: https://github.com/shimosyan/phpUploader/releases/tag/v2.0.2
Resource:
release-notes
Hyperlink: https://github.com/shimosyan/phpUploader/pull/294
Resource:
issue-tracking
Hyperlink: https://github.com/shimosyan/phpUploader/commit/45dc4f1c9a2de5ade427deebad0148834c0e8c50
Resource:
patch
Hyperlink: https://www.vulncheck.com/advisories/phpuploader-unauthenticated-database-exposure-via-index-model
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:29 Jun, 2026 | 15:16
Updated At:29 Jun, 2026 | 19:22

phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
N/A
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-359Secondarydisclosure@vulncheck.com
CWE-497Secondarydisclosure@vulncheck.com
CWE ID: CWE-359
Type: Secondary
Source: disclosure@vulncheck.com
CWE ID: CWE-497
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/shimosyan/phpUploader/commit/45dc4f1c9a2de5ade427deebad0148834c0e8c50disclosure@vulncheck.com
N/A
https://github.com/shimosyan/phpUploader/pull/294disclosure@vulncheck.com
N/A
https://github.com/shimosyan/phpUploader/releases/tag/v2.0.2disclosure@vulncheck.com
N/A
https://www.vulncheck.com/advisories/phpuploader-unauthenticated-database-exposure-via-index-modeldisclosure@vulncheck.com
N/A
Hyperlink: https://github.com/shimosyan/phpUploader/commit/45dc4f1c9a2de5ade427deebad0148834c0e8c50
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://github.com/shimosyan/phpUploader/pull/294
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://github.com/shimosyan/phpUploader/releases/tag/v2.0.2
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.vulncheck.com/advisories/phpuploader-unauthenticated-database-exposure-via-index-model
Source: disclosure@vulncheck.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

83Records found

CVE-2025-31045
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.39% / 30.48%
||
7 Day CHG~0.00%
Published-09 Jun, 2025 | 15:56
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress elfsight Contact Form widget plugin <= 2.3.1 - Sensitive Data Exposure Vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in elfsight elfsight Contact Form widget elfsight-contact-form allows Retrieve Embedded Sensitive Data.This issue affects elfsight Contact Form widget: from n/a through <= 2.3.1.

Action-Not Available
Vendor-elfsight
Product-elfsight Contact Form widget
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2026-49056
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.29% / 21.12%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:19
Updated-16 Jun, 2026 | 01:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin <= 4.9.4 - Sensitive Data Exposure vulnerability

Unauthenticated Sensitive Data Exposure in WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.9.4 versions.

Action-Not Available
Vendor-WebToffee
Product-WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2024-36677
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.38% / 29.83%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the module "Login as customer PRO" (loginascustomerpro) <1.2.7 from Weblir for PrestaShop, a guest can access direct link to connect to each customer account of the Shop if the module is not installed OR if a secret accessible to administrator is stolen.

Action-Not Available
Vendor-n/aPrestaShop S.A
Product-n/aloginascustomerpro
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2024-36070
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.58% / 43.34%
||
7 Day CHG~0.00%
Published-19 May, 2024 | 18:48
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

tine before 2023.11.8, when an LDAP backend is used, allows anonymous remote attackers to obtain sensitive authentication information via setup.php because of getRegistryData in Setup/Frontend/Json.php. (An update is also available for the 2022.11 series.)

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2019-25762
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.44% / 35.43%
||
7 Day CHG~0.00%
Published-19 Jun, 2026 | 17:48
Updated-22 Jun, 2026 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Component JoomProject 1.1.3.2 Information Disclosure

Joomla! Component JoomProject 1.1.3.2 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive user data by exploiting the projects endpoint. Attackers can send requests to index.php with option=com_jpprojects&view=projects&tmpl=component&format=json parameters to retrieve user IDs, names, and email addresses in JSON format.

Action-Not Available
Vendor-Joomboost
Product-JoomProject
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2018-25358
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.58% / 43.69%
||
7 Day CHG~0.00%
Published-23 May, 2026 | 18:30
Updated-26 May, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DIR601 2.02NA Credential Disclosure via my_cgi.cgi

D-Link DIR601 2.02NA contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by manipulating the table_name parameter in POST requests. Attackers can send requests to /my_cgi.cgi with table_name values like admin_user, wireless_settings, and wireless_security to extract administrative credentials and wireless network keys in clear text.

Action-Not Available
Vendor-D-Link Corporation
Product-DIR-601
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2025-9110
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-2.7||LOW
EPSS-0.41% / 32.70%
||
7 Day CHG~0.00%
Published-02 Jan, 2026 | 15:17
Updated-06 Jan, 2026 | 13:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

An exposure of sensitive system information to an unauthorized control sphere vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later QuTS hero h5.3.1.3250 build 20250912 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qtsquts_heroQTSQuTS hero
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2022-4985
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.40% / 32.18%
||
7 Day CHG~0.00%
Published-14 Nov, 2025 | 22:49
Updated-07 Apr, 2026 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vodafone H500s WiFi Password Disclosure via activation.json

Vodafone H500s devices running firmware v3.5.10 (hardware model Sercomm VFH500) expose the WiFi access point password via an unauthenticated HTTP endpoint. By sending a crafted GET request to /data/activation.json with specific headers and cookies, a remote attacker can retrieve a JSON document that contains the wifi_password field. This allows an unauthenticated attacker to obtain the WiFi credentials and gain unauthorized access to the wireless network, compromising confidentiality of network traffic and attached systems.

Action-Not Available
Vendor-Vodacom
Product-Vodafone H500s
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2025-11145
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-7.5||HIGH
EPSS-0.31% / 23.07%
||
7 Day CHG~0.00%
Published-24 Oct, 2025 | 14:25
Updated-04 Jun, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Enumeration in CBK Soft's enVision

Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account Footprinting. This issue affects enVision: before 250566.

Action-Not Available
Vendor-CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc.
Product-enVision
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-203
Observable Discrepancy
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2022-36091
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.68% / 47.94%
||
7 Day CHG~0.00%
Published-08 Sep, 2022 | 16:10
Updated-23 Apr, 2025 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki Platform Web Templates vulnerable to Missing Authorization and Exposure of Private Personal Information to an Unauthorized Actor

XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties. The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties. A workaround is available. The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2021-36723
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
ShareView Details
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
CVSS Score-6.1||MEDIUM
EPSS-0.53% / 40.88%
||
7 Day CHG~0.00%
Published-29 Dec, 2021 | 14:12
Updated-16 Sep, 2024 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Emuse - eServices / eNvoice Exposure Of Private Personal Information

Emuse - eServices / eNvoice Exposure Of Private Personal Information due to lack of identification mechanisms and predictable IDs an attacker can scrape all the files on the service.

Action-Not Available
Vendor-emuse_-_eservices_\/_envoice_projectEmuse
Product-emuse_-_eservices_\/_envoiceeServices / eNvoice
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-65857
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.45% / 35.87%
||
7 Day CHG~0.00%
Published-22 Dec, 2025 | 00:00
Updated-07 May, 2026 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri exposes RTSP URIs containing hardcoded credentials enabling direct unauthorized video stream access.

Action-Not Available
Vendor-xiongmaitechn/a
Product-xm530v200_x6-weq_8mxm530v200_x6-weq_8m_firmwaren/a
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2024-42494
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.1||HIGH
EPSS-0.44% / 35.39%
||
7 Day CHG+0.01%
Published-06 Dec, 2024 | 18:05
Updated-10 Dec, 2024 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ruijie Reyee OS Exposure of Private Personal Information to an Unauthorized Actor

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x contains a a feature that could enable sub accounts or attackers to view and exfiltrate sensitive information from all cloud accounts registered to Ruijie's services

Action-Not Available
Vendor-Ruijie Networks Co., Ltd.
Product-reyee_osReyee OS
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2025-64258
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.30% / 21.97%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:22
Updated-28 Apr, 2026 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Follow My Blog Post plugin <= 2.3.9 - Sensitive Data Exposure vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in wpweb Follow My Blog Post follow-my-blog-post allows Retrieve Embedded Sensitive Data.This issue affects Follow My Blog Post: from n/a through <= 2.3.9.

Action-Not Available
Vendor-WPWeb Elite
Product-follow_my_blog_postFollow My Blog Post
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2024-33271
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.48% / 37.66%
||
7 Day CHG~0.00%
Published-29 Apr, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in FME Modules eventsmanager before 4.4.0 allows an attacker to obtain sensitive information from the ps_customer component.

Action-Not Available
Vendor-n/aPrestaShop S.A
Product-n/afme
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2024-31887
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-0.52% / 40.21%
||
7 Day CHG~0.00%
Published-16 Apr, 2024 | 21:18
Updated-13 Aug, 2025 | 13:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Verify Privilege information disclosure

IBM Security Verify Privilege 11.6.25 could allow an unauthenticated actor to obtain sensitive information from the SOAP API. IBM X-Force ID: 287651.

Action-Not Available
Vendor-IBM Corporation
Product-security_verify_privilege_on-premisesSecurity Verify Privilegesecurity_verify_privilege
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2025-58015
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.31% / 23.14%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:24
Updated-12 May, 2026 | 00:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Quiz Maker Plugin <= 6.7.0.65 - Sensitive Data Exposure Vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Ays Pro Quiz Maker quiz-maker allows Retrieve Embedded Sensitive Data.This issue affects Quiz Maker: from n/a through <= 6.7.0.65.

Action-Not Available
Vendor-AYS Pro Extensions
Product-quiz_makerQuiz Maker
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2025-58585
Matching Score-4
Assigner-SICK AG
ShareView Details
Matching Score-4
Assigner-SICK AG
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 31.97%
||
7 Day CHG-0.00%
Published-06 Oct, 2025 | 07:01
Updated-13 May, 2026 | 11:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sensitive Information Disclosure Through Missing Authentication

Multiple endpoints with sensitive information do not require authentication, making the application susceptible to information gathering.

Action-Not Available
Vendor-SICK AG
Product-logistic_diagnostic_analyticspackage_analyticstire_analyticsbaggage_analyticsBaggage AnalyticsLogistic Diagnostic AnalyticsTire AnalyticsPackage Analytics
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2025-54459
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.7||HIGH
EPSS-0.41% / 32.94%
||
7 Day CHG+0.04%
Published-29 Oct, 2025 | 21:51
Updated-30 Oct, 2025 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vertikal Systems Hospital Manager Backend Services Exposure of Sensitive System Information to an Unauthorized Control Sphere

Prior to September 19, 2025, the Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, allowing a remote attacker to obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, server variables, and internal file paths.

Action-Not Available
Vendor-Vertikal Systems
Product-Hospital Manager Backend Services
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2025-54125
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-1.21% / 64.68%
||
7 Day CHG~0.00%
Published-05 Aug, 2025 | 23:30
Updated-02 Sep, 2025 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki Platform: Password and email exposure in xml.vm fields

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn't needed. There isn't any feature in XWiki itself that depends on the XML export.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2025-53625
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.45% / 35.83%
||
7 Day CHG~0.00%
Published-10 Jul, 2025 | 18:31
Updated-15 Jul, 2025 | 13:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DynamicPageList3 exposes hidden/suppressed usernames

The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. Several #dpl parameters can leak usernames that have been hidden using revision deletion, suppression, or the hideuser block flag. The vulnerability is fixed in 3.6.4.

Action-Not Available
Vendor-Universal-Omega
Product-DynamicPageList3
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2025-52616
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-5.3||MEDIUM
EPSS-0.24% / 14.68%
||
7 Day CHG~0.00%
Published-12 Oct, 2025 | 04:24
Updated-21 Oct, 2025 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Unica 12.1.10 is affected by an exposure of sensitive information

HCL Unica 12.1.10 can expose sensitive system information. An attacker could use this information to form an attack plan by leveraging known vulnerabilities in the application.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-unicaUnica
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2025-47540
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.50%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 14:20
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress weMail plugin <= 1.14.13 - Sensitive Data Exposure Vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail wemail allows Retrieve Embedded Sensitive Data.This issue affects weMail: from n/a through <= 1.14.13.

Action-Not Available
Vendor-weDevs Pte. Ltd.
Product-wemailweMail
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2025-43399
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-7.5||HIGH
EPSS-0.54% / 41.38%
||
7 Day CHG+0.02%
Published-04 Nov, 2025 | 01:16
Updated-02 Apr, 2026 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, macOS Sequoia 15.7.2, macOS Tahoe 26.1. An app may be able to access protected user data.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOSiOS and iPadOS
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2025-43405
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-7.5||HIGH
EPSS-0.54% / 41.38%
||
7 Day CHG+0.02%
Published-04 Nov, 2025 | 01:15
Updated-02 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to access user-sensitive data.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2025-43500
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-7.5||HIGH
EPSS-0.48% / 37.79%
||
7 Day CHG+0.02%
Published-04 Nov, 2025 | 01:15
Updated-02 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privacy issue was addressed with improved handling of user preferences. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. An app may be able to access sensitive user data.

Action-Not Available
Vendor-Apple Inc.
Product-iphone_osvisionoswatchosipadosmacOSwatchOSiOS and iPadOSvisionOS
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2025-4364
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.7||HIGH
EPSS-0.39% / 30.51%
||
7 Day CHG~0.00%
Published-20 May, 2025 | 17:48
Updated-21 May, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of Sensitive System Information to an Unauthorized Control Sphere

The affected products could allow an unauthenticated attacker to access system information that could enable further access to sensitive files and obtain administrative credentials.

Action-Not Available
Vendor-Assured Telematics Inc.
Product-Fleet Management System
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2024-28387
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.45% / 35.91%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 00:00
Updated-18 Sep, 2025 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in axonaut v.3.1.23 and before allows a remote attacker to obtain sensitive information via the log.txt component.

Action-Not Available
Vendor-axonautn/aaxonaut
Product-axonautn/aaxonaut
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2024-22124
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.1||MEDIUM
EPSS-0.33% / 24.47%
||
7 Day CHG~0.00%
Published-09 Jan, 2024 | 01:19
Updated-14 Nov, 2024 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure vulnerability in SAP NetWeaver Internet Communication Manager

Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54, could allow an attacker to access information which would otherwise be restricted causing high impact on confidentiality.

Action-Not Available
Vendor-SAP SE
Product-netweaverSAP NetWeaver (Internet Communication Manager)
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2024-22125
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-7.4||HIGH
EPSS-0.52% / 40.24%
||
7 Day CHG~0.00%
Published-09 Jan, 2024 | 01:20
Updated-17 Jun, 2025 | 20:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge)

Under certain conditions the Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) - version 1.0, allows an attacker to access highly sensitive information which would otherwise be restricted causing high impact on confidentiality.

Action-Not Available
Vendor-SAP SE
Product-gui_connectorMicrosoft Edge browser extension (SAP GUI connector for Microsoft Edge)
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2024-11206
Matching Score-4
Assigner-TECNO Mobile Limited
ShareView Details
Matching Score-4
Assigner-TECNO Mobile Limited
CVSS Score-7.5||HIGH
EPSS-0.38% / 29.67%
||
7 Day CHG~0.00%
Published-14 Nov, 2024 | 06:27
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unauthorized access vulnerability in the mobile application (com.transsion.phoenix) can lead to the leakage of user information.

Action-Not Available
Vendor-TECNO MOBILE LIMITED
Product-com.transsion.phoenixcom.transsion.phoenix
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2023-5983
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-7.5||HIGH
EPSS-0.63% / 45.66%
||
7 Day CHG~0.00%
Published-22 Nov, 2023 | 11:54
Updated-20 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure in Botanik Software Pharmacy Automation

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Botanik Software Pharmacy Automation allows Retrieve Embedded Sensitive Data. This issue affects Pharmacy Automation: before 2.1.133.0.

Action-Not Available
Vendor-botanikyazilimBotanik Software
Product-pharmacy_automationPharmacy Automation
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2023-50719
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-83.55% / 99.65%
||
7 Day CHG~0.00%
Published-15 Dec, 2023 | 19:02
Updated-08 Oct, 2024 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki Platform Solr search discloses password hashes of all users

XWiki Platform is a generic wiki platform. Starting in 7.2-milestone-2 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the password hashes of all users to anyone with view right on the respective user profiles. By default, all user profiles are public. This vulnerability also affects any configurations used by extensions that contain passwords like API keys that are viewable for the attacker. Normally, such passwords aren't accessible but this vulnerability would disclose them as plain text. This has been patched in XWiki 14.10.15, 15.5.2 and 15.7RC1. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
  • Previous
  • 1
  • 2
  • Next
Details not found