Total
9510 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-53512 | 1 Canonical | 1 Juju | 2026-01-08 | N/A | 6.5 MEDIUM |
| The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information. | |||||
| CVE-2025-59716 | 1 Owncloud | 1 Guests | 2026-01-07 | N/A | 5.3 MEDIUM |
| ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user rather than a non-existent user. | |||||
| CVE-2025-15103 | 1 Deltaww | 2 Dvp-12se11t, Dvp-12se11t Firmware | 2026-01-06 | N/A | 8.1 HIGH |
| DVP-12SE11T - Authentication Bypass via Partial Password Disclosure | |||||
| CVE-2025-68273 | 1 Signalk | 1 Signal K Server | 2026-01-06 | N/A | 5.3 MEDIUM |
| Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks. Version 2.19.0 patches the issue. | |||||
| CVE-2025-14591 | 1 Perforce | 1 Delphix Continuous Compliance | 2026-01-05 | N/A | 7.5 HIGH |
| In Delphix Continuous Compliance version 2025.3.0 and later, following a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was identified: using an incorrect EOR configuration can cause inaccurate parsing and leave personally identifiable information (PII) unmasked. | |||||
| CVE-2025-63662 | 1 Gtedge | 1 Gt Edge Ai | 2026-01-05 | N/A | 7.5 HIGH |
| Insecure permissions in the /api/v1/agents API of GT Edge AI Platform before v2.0.10-dev allows unauthorized attackers to access sensitive information. | |||||
| CVE-2024-20445 | 1 Cisco | 36 Desk Phone 9841, Desk Phone 9841 Firmware, Desk Phone 9851 and 33 more | 2026-01-05 | N/A | 5.3 MEDIUM |
| A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to improper storage of sensitive information within the web UI of Session Initiation Protocol (SIP)-based phone loads. An attacker could exploit this vulnerability by browsing to the IP address of a device that has Web Access enabled. A successful exploit could allow the attacker to access sensitive information, including incoming and outgoing call records. Note: Web Access is disabled by default. | |||||
| CVE-2025-20336 | 1 Cisco | 34 Desk Phone 9841, Desk Phone 9841 Firmware, Desk Phone 9851 and 31 more | 2026-01-05 | N/A | 5.3 MEDIUM |
| A vulnerability in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability exists because the product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. An attacker could exploit this vulnerability by sending a crafted packet to the IP address of a device that has Web Access enabled. A successful exploit could allow the attacker to access sensitive information from the device. Note: To exploit this vulnerability, Web Access must be enabled on the phone. Web Access is disabled by default. | |||||
| CVE-2025-66625 | 1 Umbraco | 1 Umbraco Cms | 2026-01-02 | N/A | 4.9 MEDIUM |
| Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses (HTTP 500 when a file exists, 404 when it does not) allow the attacker to enumerate the existence of arbitrary files on the server’s filesystem. This vulnerability does not allow reading or writing file contents. In certain configurations, incomplete clean-up of temporary upload files may additionally expose the NTLM hash of the Windows account running the Umbraco application. This issue is fixed in version 13.12.1. | |||||
| CVE-2025-63094 | 1 Xiangshan | 1 Xiangshan | 2026-01-02 | N/A | 7.5 HIGH |
| XiangShan Nanhu V2 and XiangShan Kunmighu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache. | |||||
| CVE-2025-68279 | 1 Weblate | 1 Weblate | 2026-01-02 | N/A | 7.7 HIGH |
| Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. | |||||
| CVE-2025-52493 | 1 Pagerduty | 1 Runbook Automation | 2026-01-02 | N/A | 6.5 MEDIUM |
| PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by simply modifying the input field type from "password" to "text" using browser developer tools. This vulnerability is exploitable by administrative users who have access to the configuration page. | |||||
| CVE-2024-29883 | 1 Miraheze | 1 Createwiki | 2026-01-02 | N/A | 4.9 MEDIUM |
| CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the `(createwiki)` user right regardless of the settings one sets on a given wiki request. This may expose information to users who are not supposed to be able to access it. | |||||
| CVE-2025-14280 | 2025-12-31 | N/A | 5.3 MEDIUM | ||
| The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1. | |||||
| CVE-2025-15065 | 2025-12-31 | N/A | 6.3 MEDIUM | ||
| Exposure of Sensitive Information to an Unauthorized Actor, Missing Encryption of Sensitive Data, Files or Directories Accessible to External Parties vulnerability in Kings Information & Network Co. KESS Enterprise on Windows allows Privilege Escalation, Modify Existing Service, Modify Shared File.This issue affects KESS Enterprise: before *.25.9.19.exe | |||||
| CVE-2025-15121 | 1 Jeecg | 1 Jeecg Boot | 2025-12-30 | 2.2 LOW | 2.4 LOW |
| A vulnerability has been found in JeecgBoot up to 3.9.0. The affected element is the function getDeptRoleByUserId of the file /sys/sysDepartRole/getDeptRoleByUserId. Such manipulation of the argument departId leads to information disclosure. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-63958 | 1 Millensys | 1 Vision Tools Workspace | 2025-12-30 | N/A | 9.8 CRITICAL |
| MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An unauthenticated attacker can retrieve this information by accessing the endpoint directly, potentially leading to full system compromise. The vulnerability is due to missing access controls on a privileged administrative function. | |||||
| CVE-2025-63729 | 1 Syrotech | 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware | 2025-12-30 | N/A | 9.0 CRITICAL |
| An issue was discovered in Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517 allowing attackers to exctract the SSL Private Key, CA Certificate, SSL Certificate, and Client Certificates in .pem format in firmware in etc folder. | |||||
| CVE-2025-60739 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-12-30 | N/A | 9.6 CRITICAL |
| Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component | |||||
| CVE-2025-43530 | 1 Apple | 1 Macos | 2025-12-30 | N/A | 5.5 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.2, macOS Sonoma 14.8.3, macOS Sequoia 15.7.3, iOS 18.7.3 and iPadOS 18.7.3. An app may be able to access sensitive user data. | |||||