Total
175 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-66388 | 1 Apache | 1 Airflow | 2025-12-16 | N/A | 6.5 MEDIUM |
| A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue. | |||||
| CVE-2025-2565 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-16 | N/A | 4.3 MEDIUM |
| The data exposure vulnerability in Liferay Portal 7.4.0 through 7.4.3.126, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92 allows an unauthorized user to obtain entry data from forms. | |||||
| CVE-2025-66125 | 2025-12-16 | N/A | 5.3 MEDIUM | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in Nitesh Ultimate Auction ultimate-auction allows Retrieve Embedded Sensitive Data.This issue affects Ultimate Auction : from n/a through <= 4.3.2. | |||||
| CVE-2025-49300 | 2025-12-16 | N/A | 2.7 LOW | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in shinetheme Traveler Option Tree custom-option-tree allows Retrieve Embedded Sensitive Data.This issue affects Traveler Option Tree: from n/a through <= 2.8. | |||||
| CVE-2025-66126 | 2025-12-16 | N/A | N/A | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in wowpress.host Fix Media Library wow-media-library-fix allows Retrieve Embedded Sensitive Data.This issue affects Fix Media Library: from n/a through <= 2.0. | |||||
| CVE-2025-67721 | 2025-12-15 | N/A | N/A | ||
| Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allow remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs. This can be the case of a web server that allocates a fix-sized buffer for performance purposes. There is similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4. | |||||
| CVE-2025-43825 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-15 | N/A | 6.5 MEDIUM |
| A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows sensitive user data to be included in the Freemarker template. This weakness permits an unauthorized actor to gain access to, and potentially render, confidential information that should remain restricted. | |||||
| CVE-2025-43768 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-12 | N/A | 7.7 HIGH |
| Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs. | |||||
| CVE-2025-43814 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-12 | N/A | 6.5 MEDIUM |
| In Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions the audit events records a user’s password reminder answer, which allows remote authenticated users to obtain a user’s password reminder answer via the audit events. | |||||
| CVE-2025-62109 | 2025-12-11 | N/A | 7.5 HIGH | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in INFINITUM FORM Geo Controller cf-geoplugin allows Retrieve Embedded Sensitive Data.This issue affects Geo Controller: from n/a through <= 8.9.4. | |||||
| CVE-2025-63007 | 2025-12-11 | N/A | 4.3 MEDIUM | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Retrieve Embedded Sensitive Data.This issue affects EventPrime: from n/a through <= 4.2.4.1. | |||||
| CVE-2025-62997 | 2025-12-10 | N/A | 5.3 MEDIUM | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Retrieve Embedded Sensitive Data.This issue affects WP EasyCart: from n/a through <= 5.8.11. | |||||
| CVE-2025-62994 | 2025-12-10 | N/A | 4.3 MEDIUM | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot ai-co-pilot-for-wp allows Retrieve Embedded Sensitive Data.This issue affects WP AI CoPilot: from n/a through <= 1.2.7. | |||||
| CVE-2025-63071 | 2025-12-09 | N/A | 5.3 MEDIUM | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Retrieve Embedded Sensitive Data.This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.12. | |||||
| CVE-2025-58098 | 1 Apache | 1 Http Server | 2025-12-08 | N/A | 8.3 HIGH |
| Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | |||||
| CVE-2025-66566 | 2025-12-08 | N/A | N/A | ||
| yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1. | |||||
| CVE-2025-64748 | 1 Monospace | 1 Directus | 2025-12-08 | N/A | 6.5 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue. | |||||
| CVE-2025-20789 | 2 Google, Mediatek | 7 Android, Mt6781, Mt6833 and 4 more | 2025-12-03 | N/A | 4.4 MEDIUM |
| In GPU pdma, there is a possible information disclosure due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS10117741; Issue ID: MSV-4538. | |||||
| CVE-2025-66304 | 1 Getgrav | 1 Grav | 2025-12-03 | N/A | 6.2 MEDIUM |
| Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes. This vulnerability is fixed in 1.8.0-beta.27. | |||||
| CVE-2025-64299 | 3 Linux, Microsoft, Secuavail | 3 Linux Kernel, Windows, Logstare Collector | 2025-12-02 | N/A | 2.7 LOW |
| LogStare Collector improperly handles the password hash data. An administrative user may obtain the other users' password hashes. | |||||