Total
157 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11959 | 2026-06-04 | N/A | 8.1 HIGH | ||
| Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management Information System allows Footprinting, Functionality Misuse. This issue affects Excavation Management Information System: before v.10.2025.01. | |||||
| CVE-2025-11145 | 2026-06-04 | N/A | 7.5 HIGH | ||
| Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account Footprinting. This issue affects enVision: before 250566. | |||||
| CVE-2025-15623 | 1 Sparxsystems | 1 Pro Cloud Server | 2026-06-02 | N/A | 7.5 HIGH |
| Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. Unauthenticated user can retrieve database password in plaintext in certain situations | |||||
| CVE-2025-66035 | 2026-06-02 | N/A | N/A | ||
| Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs. | |||||
| CVE-2024-11216 | 2026-06-02 | N/A | 7.6 HIGH | ||
| Authorization Bypass Through User-Controlled Key, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in PozitifIK Pik Online allows Account Footprinting, Session Hijacking. This issue affects Pik Online: before 3.1.5. | |||||
| CVE-2026-41182 | 2026-05-29 | N/A | 5.3 MEDIUM | ||
| LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a new_token event containing the raw token value. These events bypass the redaction pipeline entirely — prepareRunCreateOrUpdateInputs (JS) and _hide_run_outputs (Python) only process the inputs and outputs fields on a run, never the events array. As a result, applications relying on output redaction to prevent sensitive LLM output from being stored in LangSmith will still leak the full streamed content via run events. Version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK fix the issue. | |||||
| CVE-2026-8990 | 2026-05-28 | N/A | N/A | ||
| A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3 | |||||
| CVE-2025-43357 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2026-05-26 | N/A | 3.3 LOW |
| This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to fingerprint the user. | |||||
| CVE-2023-2703 | 1 Finexmedia | 1 Competition Management System | 2026-05-22 | N/A | 7.5 HIGH |
| Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Finex Media Competition Management System allows Retrieve Embedded Sensitive Data, Collect Data as Provided by Users. This issue affects Competition Management System: before 23.07. | |||||
| CVE-2025-13477 | 2026-05-21 | N/A | 7.1 HIGH | ||
| Exposure of private personal information to an unauthorized actor, Insufficiently Protected Credentials vulnerability in Digital Operations Services Inc. WifiBurada allows Authentication Bypass. This issue affects WifiBurada: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-5983 | 1 Botanikyazilim | 1 Pharmacy Automation | 2026-05-20 | N/A | 7.5 HIGH |
| Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Botanik Software Pharmacy Automation allows Retrieve Embedded Sensitive Data. This issue affects Pharmacy Automation: before 2.1.133.0. | |||||
| CVE-2026-28950 | 1 Apple | 2 Ipados, Iphone Os | 2026-05-17 | N/A | 6.2 MEDIUM |
| A logging issue was addressed with improved data redaction. This issue is fixed in iOS 15.8.8 and iPadOS 15.8.8, iOS 16.7.16 and iPadOS 16.7.16, iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2, iPadOS 17.7.11. Notifications marked for deletion could be unexpectedly retained on the device. | |||||
| CVE-2026-28963 | 1 Apple | 2 Ipados, Iphone Os | 2026-05-13 | N/A | 4.6 MEDIUM |
| A privacy issue was addressed by removing the vulnerable code. This issue is fixed in iOS 26.5 and iPadOS 26.5. An attacker with physical access may be able to use Visual Intelligence to access sensitive user data during iPhone Mirroring. | |||||
| CVE-2026-28906 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2026-05-13 | N/A | 7.5 HIGH |
| This issue was addressed through improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An attacker may be able to track users through their IP address. | |||||
| CVE-2025-66171 | 1 Apache | 1 Cloudstack | 2026-05-12 | N/A | 6.5 MEDIUM |
| The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue. | |||||
| CVE-2025-66172 | 1 Apache | 1 Cloudstack | 2026-05-12 | N/A | 8.1 HIGH |
| The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and attach the volume to their own VMs. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue. | |||||
| CVE-2025-65857 | 1 Xiongmaitech | 2 Xm530v200 X6-weq 8m, Xm530v200 X6-weq 8m Firmware | 2026-05-07 | N/A | 7.5 HIGH |
| An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri exposes RTSP URIs containing hardcoded credentials enabling direct unauthorized video stream access. | |||||
| CVE-2026-3911 | 1 Redhat | 1 Build Of Keycloak | 2026-05-07 | N/A | 2.7 LOW |
| A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data. | |||||
| CVE-2026-7382 | 2026-04-30 | N/A | 6.5 MEDIUM | ||
| Exposure of Sensitive Information to an Unauthorized Actor, Exposure of private personal information to an unauthorized actor vulnerability in MeWare Software Development Inc. PDKS allows Excavation. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117. | |||||
| CVE-2026-6765 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-22 | N/A | 5.3 MEDIUM |
| Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | |||||