Total
92 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-62483 | 1 Zoom | 5 Meeting Software Development Kit, Rooms, Rooms Controller and 2 more | 2026-01-13 | N/A | 5.3 MEDIUM |
| Improper removal of sensitive information in certain Zoom Clients before version 6.5.10 may allow an unauthenticated user to conduct a disclosure of information via network access. | |||||
| CVE-2025-59955 | 1 Coollabs | 1 Coolify | 2026-01-12 | N/A | 5.7 MEDIUM |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints allows authenticated team members to access a highly sensitive `email_change_code` from other users on the same team. This code is intended for a single-use email change verification and should be kept secret. Its exposure could enable a malicious actor to perform an unauthorized email address change on behalf of the victim. As of time of publication, no known patched versions exist. | |||||
| CVE-2025-14267 | 1 M-files | 1 M-files Server | 2026-01-06 | N/A | 4.9 MEDIUM |
| Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7 | |||||
| CVE-2025-68131 | 1 Agronholm | 1 Cbor2 | 2026-01-02 | N/A | 7.5 HIGH |
| cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue. | |||||
| CVE-2025-61594 | 2025-12-31 | N/A | N/A | ||
| URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue. | |||||
| CVE-2025-65000 | 1 Checkmk | 1 Checkmk | 2025-12-23 | N/A | 5.3 MEDIUM |
| SSH private keys of the "Remote alert handlers (Linux)" rule were exposed in the rule page's HTML source in Checkmk <= 2.4.0p18 and all versions of Checkmk 2.3.0. This potentially allowed unauthorized triggering of predefined alert handlers on hosts where the handler was deployed. | |||||
| CVE-2025-64326 | 1 Weblate | 1 Weblate | 2025-12-04 | N/A | 2.6 LOW |
| Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1. | |||||
| CVE-2025-65965 | 2025-11-25 | N/A | N/A | ||
| Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options. | |||||
| CVE-2024-49997 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.5 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix memory disclosure When applying padding, the buffer is not zeroed, which results in memory disclosure. The mentioned data is observed on the wire. This patch uses skb_put_padto() to pad Ethernet frames properly. The mentioned function zeroes the expanded buffer. In case the packet cannot be padded it is silently dropped. Statistics are also not incremented. This driver does not support statistics in the old 32-bit format or the new 64-bit format. These will be added in the future. In its current form, the patch should be easily backported to stable versions. Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets in hardware, so software padding must be applied. | |||||
| CVE-2025-27221 | 1 Ruby-lang | 1 Uri | 2025-11-03 | N/A | 3.2 LOW |
| In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. | |||||
| CVE-2025-0011 | 2025-09-08 | N/A | 3.3 LOW | ||
| Improper removal of sensitive information before storage or transfer in AMD Crash Defender could allow an attacker to obtain kernel address information potentially resulting in loss of confidentiality. | |||||
| CVE-2025-57757 | 1 Contao | 1 Contao | 2025-09-02 | N/A | 5.3 MEDIUM |
| Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, if a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround involves not adding protected news archives to the news feed page. | |||||
| CVE-2025-58049 | 1 Xwiki | 1 Xwiki | 2025-09-02 | N/A | 5.8 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1. | |||||
| CVE-2025-33013 | 1 Ibm | 2 Mq Operator, Supplied Mq Advanced Container Images | 2025-08-22 | N/A | 6.2 MEDIUM |
| IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, and MQ Operator SC2 3.2.0 through 3.2.13 Container could disclose sensitive information to a local user due to improper clearing of heap memory before release. | |||||
| CVE-2025-1759 | 1 Ibm | 1 Concert | 2025-08-21 | N/A | 5.9 MEDIUM |
| IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | |||||
| CVE-2025-20118 | 1 Cisco | 1 Application Policy Infrastructure Controller | 2025-07-31 | N/A | 4.4 MEDIUM |
| A vulnerability in the implementation of the internal system processes of Cisco APIC could allow an authenticated, local attacker to access sensitive information on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient masking of sensitive information that is displayed through system CLI commands. An attacker could exploit this vulnerability by using reconnaissance techniques at the device CLI. A successful exploit could allow the attacker to access sensitive information on an affected device that could be used for additional attacks. | |||||
| CVE-2025-53886 | 1 Monospace | 1 Directus | 2025-07-16 | N/A | 4.5 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue. | |||||
| CVE-2024-29120 | 1 Apache | 1 Streampark | 2025-06-23 | N/A | 5.9 MEDIUM |
| In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password, salt value, etc. Mitigation: all users should upgrade to 2.1.4 | |||||
| CVE-2025-48708 | 1 Artifex | 1 Ghostscript | 2025-06-20 | N/A | 4.0 MEDIUM |
| gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the # case. A created PDF document includes its password in cleartext. | |||||
| CVE-2024-8474 | 1 Openvpn | 1 Connect | 2025-06-10 | N/A | 7.5 HIGH |
| OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic | |||||