Total
9776 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-57839 | 1 Honor | 1 Magicos | 2025-10-21 | 4 Medium |
| Photo module is affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2025-57838 | 1 Honor | 1 Magicos | 2025-10-21 | 4 Medium |
| Some Honor products are affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2025-8886 | 1 Usta | 1 Aybs | 2025-10-21 | 6.7 Medium |
| Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Privilege Abuse, Authentication Bypass.This issue affects Aybs Interaktif: from 2024 through 28082025. | ||||
| CVE-2025-8887 | 1 Usta | 1 Aybs | 2025-10-21 | 6.1 Medium |
| Authorization Bypass Through User-Controlled Key, Missing Authorization, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Forceful Browsing, Parameter Injection, Input Data Manipulation.This issue affects Aybs Interaktif: from 2024 through 28082025. | ||||
| CVE-2025-62158 | 1 Frappe | 3 Frappe, Frappe Lms, Learning | 2025-10-21 | 5.3 Medium |
| Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system did stored the attachments uploaded by the students in their assignments as public files. This issue potentially exposed student-uploaded files to the public. Anyone with the file URL could access these files without authentication. The issue has been fixed in version 2.38.0 by ensuring all student-uploaded assignment attachments are stored as private files by default. | ||||
| CVE-2025-58278 | 1 Huawei | 2 Appgallery, Harmonyos | 2025-10-21 | 6.2 Medium |
| Identity authentication bypass vulnerability in the Gallery app. Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2025-9196 | 2 Sergiotrinity, Wordpress | 2 Trinity Audio, Wordpress | 2025-10-21 | 5.3 Medium |
| The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.21.0 via the ~/admin/inc/phpinfo.php file that gets created on install. This makes it possible for unauthenticated attackers to extract sensitive data including configuration data. | ||||
| CVE-2025-8915 | 1 Kiloview | 1 N30 | 2025-10-21 | N/A |
| Hardcoded TLS private key and certificate in firmware in Kiloview N30 2.02.246 allows malicious adversary to do a Mann-in-the-middle attack via the network | ||||
| CVE-2025-0403 | 1 1902756969 | 1 Reggie | 2025-10-21 | 5.3 Medium |
| A vulnerability, which was classified as problematic, has been found in 1902756969 reggie 1.0. Affected by this issue is some unknown functionality of the file /user/sendMsg of the component Phone Number Validation Handler. The manipulation of the argument code leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-9842 | 1 Das | 1 Parking Management System | 2025-10-20 | 5.3 Medium |
| A vulnerability was detected in Das Parking Management System 停车场管理系统 6.2.0. This impacts an unknown function of the file /Operator/Search. The manipulation results in information disclosure. The attack may be performed from remote. The exploit is now public and may be used. | ||||
| CVE-2025-9843 | 1 Das | 1 Parking Management System | 2025-10-20 | 5.3 Medium |
| A flaw has been found in Das Parking Management System 停车场管理系统 6.2.0. Affected is an unknown function of the file /Operator/FindAll. This manipulation causes information disclosure. It is possible to initiate the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2025-61589 | 2 Anysphere, Cursor | 2 Cursor, Cursor | 2025-10-20 | 5.9 Medium |
| Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker controlled server through an image fetch after successfully performing a prompt injection. A malicious model (or hallucination/backdoor) might also trigger this exploit at will. This issue requires prompt injection from malicious data (web, image upload, source code) in order to exploit. In that case, it can send sensitive information to an attacker-controlled external server. Some additional bypasses not covered in the initial fix to this issue were discovered, see GHSA-43wj-mwcc-x93p. This issue is fixed in version 1.7. | ||||
| CVE-2022-35715 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-10-20 | 7.5 High |
| IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in a stack trace. This information could be used in further attacks against the system. IBM X-Force ID: 231202. | ||||
| CVE-2024-35189 | 1 Ethyca | 1 Fides | 2025-10-20 | 6.5 Medium |
| Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `"**********"` placeholder value. This vulnerability is due to a bug in that function, which prevented `sensitive` API model fields that were _nested_ below the root-level of a `secrets` object from being masked appropriately. Only the `BigQuery` connection configuration secrets meets these criteria: the secrets schema has a nested sensitive `keyfile_creds.private_key` property that is exposed in plaintext via the APIs. Connection types other than `BigQuery` with sensitive fields at the root-level that are not nested are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-8484 | 1 Wordpress | 1 Wordpress | 2025-10-20 | 5.3 Medium |
| The Code Quality Control Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in version 0.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. | ||||
| CVE-2025-61688 | 1 Siderolabs | 1 Omni | 2025-10-20 | 8.6 High |
| Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, Omni might leak sensitive information via an API. | ||||
| CVE-2024-36829 | 1 Teldat | 2 M1, M1 Firmware | 2025-10-20 | 7.5 High |
| Incorrect access control in Teldat M1 v11.00.05.50.01 allows attackers to obtain sensitive information via a crafted query string. | ||||
| CVE-2025-11196 | 1 Wordpress | 1 Wordpress | 2025-10-20 | 4.3 Medium |
| The External Login plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.11.2 due to the 'exlog_test_connection' AJAX action lacking capability checks or nonce validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to query the configured external database and retrieve truncated usernames, email addresses, and password hashes via the diagnostic test results view. | ||||
| CVE-2025-57441 | 2 Blackmagic, Blackmagicdesign | 3 Atem Mini Pro, Atem Mini Pro, Atem Mini Pro Firmware | 2025-10-17 | 9.8 Critical |
| The Blackmagic ATEM Mini Pro 2.7 exposes sensitive device and stream configuration information via an unauthenticated Telnet service on port 9990. Upon connection, the attacker can access a protocol preamble that leaks the video mode, routing configuration, input/output labels, device model, and even internal identifiers such as the unique ID. This can be used for reconnaissance and planning further attacks. | ||||
| CVE-2025-55976 | 1 Intelbras | 2 Iwr 3000n, Iwr 3000n Firmware | 2025-10-17 | 8.4 High |
| Intelbras IWR 3000N 1.9.8 exposes the Wi-Fi password in plaintext via the /api/wireless endpoint. Any unauthenticated user on the local network can directly obtain the Wi-Fi network password by querying this endpoint. | ||||