Total
9510 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-31490 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 4.3 MEDIUM |
| An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0 all versions, FortiSandbox 3.2.2 through 3.2.4, FortiSandbox 3.1.5 allows attacker to information disclosure via HTTP get requests. | |||||
| CVE-2026-20805 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-01-14 | N/A | 5.5 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally. | |||||
| CVE-2023-51787 | 1 Windriver | 1 Vxworks | 2026-01-13 | N/A | 7.5 HIGH |
| An issue was discovered in Wind River VxWorks 7 22.09 and 23.03. If a VxWorks task or POSIX thread that uses OpenSSL exits, limited per-task memory is not freed, resulting in a memory leak. | |||||
| CVE-2025-14574 | 2026-01-13 | N/A | 5.3 MEDIUM | ||
| The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys. | |||||
| CVE-2025-14980 | 2026-01-13 | N/A | 6.5 MEDIUM | ||
| The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings. | |||||
| CVE-2025-46676 | 2026-01-13 | N/A | 2.7 LOW | ||
| Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain an Exposure of Sensitive Information to an Unauthorized Actor vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | |||||
| CVE-2025-15070 | 1 Gmission | 1 Web Fax | 2026-01-13 | N/A | 5.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization vulnerability in Gmission Web Fax allows Authentication Abuse.This issue affects Web Fax: from 3.0 before 3.0.1 | |||||
| CVE-2016-6415 | 1 Cisco | 3 Ios, Ios Xe, Ios Xr | 2026-01-12 | 5.0 MEDIUM | 7.5 HIGH |
| The server IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15.0 through 15.6, IOS XE through 3.18S, IOS XR 4.3.x and 5.0.x through 5.2.x, and PIX before 7.0 allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request, aka Bug IDs CSCvb29204 and CSCvb36055 or BENIGNCERTAIN. | |||||
| CVE-2025-68436 | 1 Craftcms | 1 Craft Cms | 2026-01-12 | N/A | 6.5 MEDIUM |
| Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. | |||||
| CVE-2025-67732 | 1 Dify | 1 Dify | 2026-01-12 | N/A | 6.5 MEDIUM |
| Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0 fixes the issue. | |||||
| CVE-2024-50342 | 1 Sensiolabs | 1 Httpclient | 2026-01-12 | N/A | 3.1 LOW |
| symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-29720 | 1 Terrainformatica | 1 Sciter | 2026-01-09 | N/A | 5.5 MEDIUM |
| An issue in Terra Informatica Software, Inc Sciter v.4.4.7.0 allows a local attacker to obtain sensitive information via the adopt component of the Sciter video rendering function. | |||||
| CVE-2021-33146 | 1 Intel | 7 Ethernet Adapter Complete Driver, Ethernet Controller I225-it, Ethernet Controller I225-it Firmware and 4 more | 2026-01-09 | N/A | 5.3 MEDIUM |
| Improper input validation in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow an unauthenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2025-14553 | 2026-01-09 | N/A | N/A | ||
| Exposure of password hashes through an unauthenticated API response in TP-Link Tapo app on iOS and Android for Tapo cameras, allowing attackers to brute force the password in the local network. Issue can be mitigated through mobile application updates. Device firmware remains unchanged. | |||||
| CVE-2024-29898 | 1 Miraheze | 1 Createwiki | 2026-01-08 | N/A | 4.9 MEDIUM |
| CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the `(read)` permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c. | |||||
| CVE-2025-13215 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
| The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to. | |||||
| CVE-2025-12540 | 2026-01-08 | N/A | 4.7 MEDIUM | ||
| The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administrator logged into the website and Google Analytics to click the link. | |||||
| CVE-2026-20027 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
| Multiple Cisco products are affected by a vulnerability in the processing of DCE/RPC requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, resulting in an interruption of packet inspection. This vulnerability is due to an error in buffer handling logic when processing DCE/RPC requests, which can result in a buffer out-of-bounds read. An attacker could exploit this vulnerability by sending a large number of DCE/RPC requests through an established connection that is inspected by Snort 3. A successful exploit could allow the attacker to obtain sensitive information in the Snort 3 data stream. | |||||
| CVE-2025-13371 | 2026-01-08 | N/A | 8.6 HIGH | ||
| The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation. | |||||
| CVE-2024-42508 | 1 Hpe | 1 Oneview | 2026-01-08 | N/A | 5.5 MEDIUM |
| This vulnerability could be exploited, leading to unauthorized disclosure of information to authenticated users. | |||||