Total: 697 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-50800 | | | 2025-12-31 | N/A | 7.5 HIGH | H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST parameter. Attackers can submit different usernames to the login_submit.cgi endpoint and analyze response messages to distinguish between existing and non-existing accounts. |
| CVE-2023-53943 | 1 Glpi-project | 1 Glpi | 2025-12-31 | N/A | 5.3 MEDIUM | GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts. |
| CVE-2025-39665 | 1 Nagvis | 1 Nagvis | 2025-12-19 | N/A | 5.3 MEDIUM | User enumeration in Nagvis' Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames. |
| CVE-2025-43739 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-19 | N/A | 4.3 MEDIUM | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allow any authenticated user to modify the content of emails sent through the calendar portlet, allowing an attacker to send phishing emails to any other user in the same organization. |
| CVE-2025-68164 | 1 Jetbrains | 1 Teamcity | 2025-12-18 | N/A | 2.7 LOW | In JetBrains TeamCity before 2025.11, port enumeration was possible via the Perforce connection test. |
| CVE-2024-10929 | 1 Arm | 8 Cortex-a57, Cortex-a57 Firmware, Cortex-a72 and 5 more | 2025-12-18 | N/A | 5.1 MEDIUM | In certain circumstances, an issue in Arm Cortex-A57, Cortex-A72 (revisions before r1p0), Cortex-A73 and Cortex-A75 may allow an adversary to gain a weak form of control over the victim's branch history. |
| CVE-2024-7881 | 1 Arm | 18 C1-premium, C1-premium Firmware, C1-pro and 15 more | 2025-12-18 | N/A | 5.1 MEDIUM | An unprivileged context can trigger a data memory-dependent prefetch engine to fetch the contents of a privileged location and consume those contents as an address that is also dereferenced. |
| CVE-2020-14145 | 2 Netapp, Openbsd | 10 Active Iq Unified Manager, Aff A700s, Aff A700s Firmware and 7 more | 2025-12-18 | 4.3 MEDIUM | 5.9 MEDIUM | The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected. |
| CVE-2025-43751 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-18 | N/A | 5.3 MEDIUM | User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA through update 92 allows remote attackers to determine if an account exists in the application via the create account page. |
| CVE-2020-36888 | 1 Spinetix | 1 Fusion Digital Signage | 2025-12-17 | N/A | 5.3 MEDIUM | SpinetiX Fusion Digital Signage 3.4.8 contains a username enumeration vulnerability in its login script that allows attackers to identify valid user accounts. Attackers can send crafted login requests with different usernames to distinguish between existing and non-existing accounts by analyzing the server's error responses. |
| CVE-2025-43786 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-16 | N/A | 5.3 MEDIUM | Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allows attackers to determine existing ERCs in the application by exploiting the response time. |
| CVE-2025-43743 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-15 | N/A | 4.3 MEDIUM | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, giving an attacker the possibility to send phishing to these users. |
| CVE-2025-13912 | | | 2025-12-12 | N/A | N/A | Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binaries by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks. |
| CVE-2025-59702 | 1 Entrust | 10 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc Base and 7 more | 2025-12-08 | N/A | 7.2 HIGH | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components. |
| CVE-2025-64749 | 1 Monospace | 1 Directus | 2025-12-08 | N/A | 4.3 MEDIUM | Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when a user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users who are not authorized to access these collections. Version 11.13.0 fixes the issue. |
| CVE-2025-11932 | 1 Wolfssl | 1 Wolfssl | 2025-12-04 | N/A | 4.3 MEDIUM | The server previously verified the TLS 1.3 PSK binder using a non-constant-time method, which could potentially leak information about the PSK binder. |
| CVE-2025-12888 | 1 Wolfssl | 1 Wolfssl | 2025-12-04 | N/A | 7.5 HIGH | Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa, it is recommended to use the low memory implementations of X25519, which are now turned on as the default for Xtensa. |
| CVE-2020-36421 | 2 Arm, Debian | 2 Mbed Tls, Debian Linux | 2025-12-03 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed. |
| CVE-2021-33560 | 4 Debian, Fedoraproject, Gnupg and 1 more | 8 Debian Linux, Fedora, Libgcrypt and 5 more | 2025-12-03 | 5.0 MEDIUM | 7.5 HIGH | Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP. |
| CVE-2025-56423 | 1 Craws | 1 Openatlas | 2025-11-28 | N/A | 5.3 MEDIUM | An issue in Austrian Academy of Sciences (AW) Austrian Archaeological Institute OpenAtlas v.8.12.0 allows a remote attacker to obtain sensitive information via the login error messages. |
