Total
9510 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-63212 | 1 Gatesair | 8 Flexiva Lx100, Flexiva Lx1000, Flexiva Lx1000 Firmware and 5 more | 2026-01-15 | N/A | 6.5 MEDIUM |
| GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker can retrieve valid session IDs and hijack sessions without providing any credentials. This attack requires the legitimate user (admin) to have previously closed the browser window without logging out. | |||||
| CVE-2025-68959 | 1 Huawei | 2 Emui, Harmonyos | 2026-01-15 | N/A | 6.2 MEDIUM |
| Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2025-68966 | 1 Huawei | 1 Harmonyos | 2026-01-15 | N/A | 5.1 MEDIUM |
| Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2025-68965 | 1 Huawei | 1 Harmonyos | 2026-01-15 | N/A | 4.7 MEDIUM |
| Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2026-20862 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2026-01-15 | N/A | 5.5 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Windows Management Services allows an authorized attacker to disclose information locally. | |||||
| CVE-2026-20847 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-01-15 | N/A | 6.5 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to perform spoofing over a network. | |||||
| CVE-2026-20823 | 1 Microsoft | 12 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 9 more | 2026-01-15 | N/A | 5.5 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | |||||
| CVE-2026-20827 | 1 Microsoft | 12 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 9 more | 2026-01-15 | N/A | 5.5 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to disclose information locally. | |||||
| CVE-2026-22604 | 1 Openproject | 1 Openproject | 2026-01-14 | N/A | 5.3 MEDIUM |
| OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the username for the requested user. Since this endpoint is intended to be called without being authenticated, this allows to enumerate the user names of all accounts registered in an OpenProject instance. This issue has been patched in version 16.6.2. | |||||
| CVE-2026-22602 | 1 Openproject | 1 Openproject | 2026-01-14 | N/A | 3.5 LOW |
| OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually. | |||||
| CVE-2026-22600 | 1 Openproject | 1 Openproject | 2026-01-14 | N/A | 9.1 CRITICAL |
| OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually. | |||||
| CVE-2025-59469 | 1 Veeam | 1 Veeam Backup \& Replication | 2026-01-14 | N/A | 9.0 CRITICAL |
| This vulnerability allows a Backup or Tape Operator to write files as root. | |||||
| CVE-2026-20821 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-01-14 | N/A | 6.2 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Windows Remote Procedure Call allows an unauthorized attacker to disclose information locally. | |||||
| CVE-2025-69226 | 1 Aiohttp | 1 Aiohttp | 2026-01-14 | N/A | 5.3 MEDIUM |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3. | |||||
| CVE-2025-67399 | 2026-01-14 | N/A | 4.6 MEDIUM | ||
| An issue in AIRTH SMART HOME AQI MONITOR Bootloader v.1.005 allows a physically proximate attacker to obtain sensitive information via the UART port of the BK7231N controller (Wi-Fi and BLE module) on the device is open to access | |||||
| CVE-2025-14507 | 2026-01-14 | N/A | 5.3 MEDIUM | ||
| The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0. | |||||
| CVE-2025-47855 | 2026-01-14 | N/A | 9.8 CRITICAL | ||
| An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in Fortinet FortiFone 7.0.0 through 7.0.1, FortiFone 3.0.13 through 3.0.23 allows an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests. | |||||
| CVE-2026-0717 | 2026-01-14 | N/A | 5.3 MEDIUM | ||
| The LottieFiles – Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site owner's LottieFiles.com account credentials including their API access token and email address when the 'Share LottieFiles account with other WordPress users' option is enabled. | |||||
| CVE-2025-14464 | 2026-01-14 | N/A | 5.3 MEDIUM | ||
| The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials. | |||||
| CVE-2025-55342 | 1 Quipux | 1 Quipux | 2026-01-14 | N/A | 5.3 MEDIUM |
| Quipux 4.0.1 through e1774ac allows enumeration of usernames, and accessing the Ecuadorean identification number for all registered users via the Administracion/usuarios/cambiar_password_olvido_validar.php txt_login parameter. | |||||