Total: 685 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-21484 | | | 2026-01-03 | N/A | 5.3 MEDIUM |
| AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, thereby enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue. | |||||
| CVE-2025-63094 | 1 Xiangshan | 1 Xiangshan | 2026-01-02 | N/A | 7.5 HIGH |
| XiangShan Nanhu V2 and XiangShan Kunminghu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache. | |||||
| CVE-2022-50800 | | | 2025-12-31 | N/A | 7.5 HIGH |
| H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST parameter. Attackers can submit different usernames to the login_submit.cgi endpoint and analyze response messages to distinguish between existing and non-existing accounts. | |||||
| CVE-2023-53943 | 1 Glpi-project | 1 Glpi | 2025-12-31 | N/A | 5.3 MEDIUM |
| GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts. | |||||
| CVE-2025-39665 | 1 Nagvis | 1 Nagvis | 2025-12-19 | N/A | 5.3 MEDIUM |
| User enumeration in Nagvis' Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames. | |||||
| CVE-2025-43739 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-19 | N/A | 4.3 MEDIUM |
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allow any authenticated user to modify the content of emails sent through the calendar portlet, allowing an attacker to send phishing emails to any other user in the same organization. | |||||
| CVE-2025-68164 | 1 Jetbrains | 1 Teamcity | 2025-12-18 | N/A | 2.7 LOW |
| In JetBrains TeamCity before 2025.11, port enumeration was possible via the Perforce connection test. | |||||
| CVE-2024-10929 | 1 Arm | 8 Cortex-a57, Cortex-a57 Firmware, Cortex-a72 and 5 more | 2025-12-18 | N/A | 5.1 MEDIUM |
| In certain circumstances, an issue in Arm Cortex-A57, Cortex-A72 (revisions before r1p0), Cortex-A73 and Cortex-A75 may allow an adversary to gain a weak form of control over the victim's branch history. | |||||
| CVE-2024-7881 | 1 Arm | 18 C1-premium, C1-premium Firmware, C1-pro and 15 more | 2025-12-18 | N/A | 5.1 MEDIUM |
| An unprivileged context can trigger a data memory-dependent prefetch engine to fetch the contents of a privileged location and consume those contents as an address that is also dereferenced. | |||||
| CVE-2020-14145 | 2 Netapp, Openbsd | 10 Active Iq Unified Manager, Aff A700s, Aff A700s Firmware and 7 more | 2025-12-18 | 4.3 MEDIUM | 5.9 MEDIUM |
| The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected. | |||||
| CVE-2025-65185 | | | 2025-12-18 | N/A | 2.8 LOW |
| There is a username enumeration via local user login in Entrinsik Informer v5.10.1 which allows malicious users to enumerate users by entering an OTP code and new password then reviewing application responses. | |||||
| CVE-2025-43751 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-18 | N/A | 5.3 MEDIUM |
| User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA through update 92 allows remote attackers to determine if an account exists in the application via the create account page. | |||||
| CVE-2020-36888 | 1 Spinetix | 1 Fusion Digital Signage | 2025-12-17 | N/A | 5.3 MEDIUM |
| SpinetiX Fusion Digital Signage 3.4.8 contains a username enumeration vulnerability in its login script that allows attackers to identify valid user accounts. Attackers can send crafted login requests with different usernames to distinguish between existing and non-existing accounts by analyzing the server's error responses. | |||||
| CVE-2025-43786 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-16 | N/A | 5.3 MEDIUM |
| Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allows attackers to determine existing ERCs in the application by exploiting the response time. | |||||
| CVE-2025-43743 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-15 | N/A | 4.3 MEDIUM |
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allow any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, giving an attacker the possibility to send phishing to these users. | |||||
| CVE-2025-13912 | | | 2025-12-12 | N/A | N/A |
| Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binaries by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks. | |||||
| CVE-2025-59702 | 1 Entrust | 10 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc Base and 7 more | 2025-12-08 | N/A | 7.2 HIGH |
| Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components. | |||||
| CVE-2025-64749 | 1 Monospace | 1 Directus | 2025-12-08 | N/A | 4.3 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when a user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users who are not authorized to access these collections. Version 11.13.0 fixes the issue. | |||||
| CVE-2024-1544 | 1 Wolfssl | 1 Wolfssl | 2025-12-06 | N/A | 4.1 MEDIUM |
| Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n, where n is the order of the elliptic curve, meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 bytes) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve, this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits. | |||||
| CVE-2025-11932 | 1 Wolfssl | 1 Wolfssl | 2025-12-04 | N/A | 4.3 MEDIUM |
| The server previously verified the TLS 1.3 PSK binder using a non-constant-time method, which could potentially leak information about the PSK binder. | |||||
