Total
9151 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-57441 | 1 Blackmagicdesign | 2 Atem Mini Pro, Atem Mini Pro Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| The Blackmagic ATEM Mini Pro 2.7 exposes sensitive device and stream configuration information via an unauthenticated Telnet service on port 9990. Upon connection, the attacker can access a protocol preamble that leaks the video mode, routing configuration, input/output labels, device model, and even internal identifiers such as the unique ID. This can be used for reconnaissance and planning further attacks. | |||||
| CVE-2025-57437 | 1 Blackmagicdesign | 2 Web Presenter Hd, Web Presenter Hd Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| The Blackmagic Web Presenter HD firmware version 3.3 exposes sensitive information via an unauthenticated Telnet service on port 9977. When connected, the service reveals extensive device configuration data including: - Model, version, and unique identifiers - Network settings including IP, MAC, DNS - Current stream platform, stream key, and streaming URL - Audio/video configuration This data can be used to hijack live streams or perform network reconnaissance. | |||||
| CVE-2025-57433 | 1 2wcom | 2 Ip-4c, Ip-4c Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| The 2wcom IP-4c 2.15.5 device's web interface includes an information disclosure vulnerability. By sending a crafted POST request to a specific endpoint (/cwi/ajax_request/get_data.php), an authenticated attacker (even with a low-privileged account like guest) can retrieve the hashed passwords for the admin, manager, and guest accounts. This significantly weakens the system's security posture, as these hashes could be cracked offline, granting attackers administrative access to the device. | |||||
| CVE-2025-57430 | 1 Creacast | 1 Creabox Manager | 2026-06-17 | N/A | 7.5 HIGH |
| Creacast Creabox Manager 4.4.4 exposes sensitive configuration data via a publicly accessible endpoint /get. When accessed, this endpoint returns internal configuration including the creacodec.lua file, which contains plaintext admin credentials. | |||||
| CVE-2025-56467 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| An issue was discovered in AXIS BANK LIMITED Axis Mobile App 9.9 that allows attackers to obtain sensitive information without a UPI PIN, such as account information, balances, transaction history, and unspecified other information. NOTE: the Supplier's perspective is that this is an intended feature and "does not reveal much sensitive information." | |||||
| CVE-2025-56463 | 1 Mercusys | 2 Mw305r, Mw305r Firmware | 2026-06-17 | N/A | 6.8 MEDIUM |
| Mercusys MW305R 3.30 and below is has a Transport Layer Security (TLS) certificate private key disclosure. | |||||
| CVE-2025-56427 | 1 Composio | 1 Composio | 2026-06-17 | N/A | 7.5 HIGH |
| Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive information via the _download_file_or_dir function. | |||||
| CVE-2025-56406 | 2026-06-17 | N/A | 7.5 HIGH | ||
| An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication is not mandatory for MCP servers, and the mcp-neo4j MCP server is only intended for use in a local environment where authentication realistically would not be needed. Also, the Supplier provides middleware to help isolate the MCP server from external access (if needed). | |||||
| CVE-2025-56161 | 1 Yiovo | 1 Firefly Mall | 2026-06-17 | N/A | 7.5 HIGH |
| YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money.) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic. | |||||
| CVE-2025-55976 | 1 Intelbras | 2 Iwr 3000n, Iwr 3000n Firmware | 2026-06-17 | N/A | 8.4 HIGH |
| Intelbras IWR 3000N 1.9.8 exposes the Wi-Fi password in plaintext via the /api/wireless endpoint. Any unauthenticated user on the local network can directly obtain the Wi-Fi network password by querying this endpoint. | |||||
| CVE-2025-55699 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2026-06-17 | N/A | 5.5 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. | |||||
| CVE-2025-55683 | 1 Microsoft | 5 Windows Server 2016, Windows Server 2019, Windows Server 2022 and 2 more | 2026-06-17 | N/A | 5.5 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. | |||||
| CVE-2025-55679 | 1 Microsoft | 11 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 8 more | 2026-06-17 | N/A | 5.1 MEDIUM |
| Improper input validation in Windows Kernel allows an unauthorized attacker to disclose information locally. | |||||
| CVE-2025-55673 | 1 Apache | 1 Superset | 2026-06-17 | N/A | 4.3 MEDIUM |
| When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user. This issue affects Apache Superset: before 4.1.3. Users are recommended to upgrade to version 4.1.3, which fixes the issue. | |||||
| CVE-2025-55342 | 1 Quipux | 1 Quipux | 2026-06-17 | N/A | 5.3 MEDIUM |
| Quipux 4.0.1 through e1774ac allows enumeration of usernames, and accessing the Ecuadorean identification number for all registered users via the Administracion/usuarios/cambiar_password_olvido_validar.php txt_login parameter. | |||||
| CVE-2025-55336 | 1 Microsoft | 11 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 8 more | 2026-06-17 | N/A | 5.5 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Windows Cloud Files Mini Filter Driver allows an authorized attacker to disclose information locally. | |||||
| CVE-2025-55243 | 1 Microsoft | 1 Officeplus | 2026-06-17 | N/A | 7.5 HIGH |
| Exposure of sensitive information to an unauthorized actor in Microsoft Office Plus allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2025-55242 | 1 Microsoft | 1 Xbox Gaming Services | 2026-06-17 | N/A | 6.5 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Xbox allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2025-55190 | 1 Argoproj | 1 Argo Cd | 2026-06-17 | N/A | 9.9 CRITICAL |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2. | |||||
| CVE-2025-55165 | 2026-06-17 | N/A | 8.2 HIGH | ||
| Autocaliweb is a web app that offers an interface for browsing, reading, and downloading eBooks using a valid Calibre database. Prior to version 0.8.3, the debug pack generated by Autocaliweb can expose sensitive configuration data, including API keys. This occurs because the to_dict() method, used to serialize configuration for the debug pack, doesn't adequately filter out sensitive fields such as API tokens. Users, unaware of the full contents, might share these debug packs, inadvertently leaking their private API keys. This issue has been patched in version 0.8.3. | |||||