Total
1106 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-22782 | 1 Rustfs | 1 Rustfs | 2026-02-09 | N/A | 7.5 HIGH |
| RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80. | |||||
| CVE-2026-0519 | 1 Absolute | 1 Secure Access | 2026-02-02 | N/A | 3.4 LOW |
| In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system. | |||||
| CVE-2025-13743 | 1 Docker | 1 Docker Desktop | 2026-01-30 | N/A | 7.5 HIGH |
| Docker Desktop diagnostics bundles were found to include expired Hub PATs in log output due to error object serialization. This poses a risk of leaking sensitive information in exported diagnostics, especially when access denied errors occurred. | |||||
| CVE-2025-13925 | 1 Ibm | 1 Aspera Console | 2026-01-30 | N/A | 4.9 MEDIUM |
| IBM Aspera Console 3.4.7 stores potentially sensitive information in log files that could be read by a local privileged user. | |||||
| CVE-2025-58189 | 1 Golang | 1 Go | 2026-01-29 | N/A | 5.3 MEDIUM |
| When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. | |||||
| CVE-2025-59355 | 1 Apache | 1 Linkis | 2026-01-27 | N/A | 6.5 MEDIUM |
| A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage. Affected Scope Component: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64. Version: Apache Linkis 1.0.0 – 1.7.0 Trigger Conditions The value of the configuration item is an invalid Base64 string. Log files are readable by users other than hive-site.xml administrators. Severity: Low The probability of Base64 decoding failure is low. The leakage is only triggered when logs at the Error level are exposed. Remediation Apache Linkis 1.8.0 and later versions have replaced the log with desensitized content. logger.error("URL decode failed: {}", e.getMessage()); // 不再输出 str Users are recommended to upgrade to version 1.8.0, which fixes the issue. | |||||
| CVE-2025-43508 | 1 Apple | 1 Macos | 2026-01-27 | N/A | 5.5 MEDIUM |
| A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | |||||
| CVE-2024-39532 | 1 Juniper | 2 Junos, Junos Os Evolved | 2026-01-22 | N/A | 6.3 MEDIUM |
| An Insertion of Sensitive Information into Log File vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with high privileges to access sensitive information. When another user performs a specific operation, sensitive information is stored as plain text in a specific log file, so that a high-privileged attacker has access to this information. This issue affects: Junos OS: * All versions before 21.2R3-S9; * 21.4 versions before 21.4R3-S9; * 22.2 versions before 22.2R2-S1, 22.2R3; * 22.3 versions before 22.3R1-S1, 22.3R2; Junos OS Evolved: * All versions before before 22.1R3-EVO; * 22.2-EVO versions before 22.2R2-S1-EVO, 22.2R3-EVO; * 22.3-EVO versions before 22.3R1-S1-EVO, 22.3R2-EVO. | |||||
| CVE-2026-23493 | 1 Pimcore | 1 Pimcore | 2026-01-20 | N/A | 8.6 HIGH |
| Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14. | |||||
| CVE-2025-36599 | 1 Dell | 1 Powerflex Manager | 2026-01-16 | N/A | 4.3 MEDIUM |
| Dell PowerFlex Manager VM, versions prior to 4.6.2.1, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account. | |||||
| CVE-2025-25002 | 1 Microsoft | 1 Azure Local Cluster | 2026-01-16 | N/A | 6.8 MEDIUM |
| Insertion of sensitive information into log file in Azure Local Cluster allows an authorized attacker to disclose information over an adjacent network. | |||||
| CVE-2026-20818 | 1 Microsoft | 5 Windows Server 2016, Windows Server 2019, Windows Server 2022 and 2 more | 2026-01-14 | N/A | 6.2 MEDIUM |
| Insertion of sensitive information into log file in Windows Kernel allows an unauthorized attacker to disclose information locally. | |||||
| CVE-2025-26332 | 1 Dell | 3 Techadvisor, Xtremio Management Server, Xtremio X2 | 2026-01-14 | N/A | 8.8 HIGH |
| TechAdvisor versions 2.6 through 3.37-30 for Dell XtremIO X2, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | |||||
| CVE-2025-30105 | 1 Dell | 3 Techadvisor, Xtremio Management Server, Xtremio X2 | 2026-01-14 | N/A | 8.8 HIGH |
| Dell XtremIO, version(s) 6.4.0-22, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | |||||
| CVE-2025-36573 | 1 Dell | 4 Pro Smart Dock Sd25, Pro Smart Dock Sd25 Firmware, Pro Thunderbolt 4 Smart Dock Sd25tb4 and 1 more | 2026-01-13 | N/A | 7.1 HIGH |
| Dell Smart Dock Firmware, versions prior to 01.00.08.01, contain an Insertion of Sensitive Information into Log File vulnerability. A user with local access could potentially exploit this vulnerability, leading to Information disclosure. | |||||
| CVE-2024-27784 | 1 Fortinet | 1 Fortiaiops | 2026-01-09 | N/A | 8.8 HIGH |
| Multiple Exposure of sensitive information to an unauthorized actor weaknesses [CWE-200] vulnerability in Fortinet FortiAIOps 2.0.0 may allow an authenticated, remote attacker to retrieve sensitive information from the API endpoint or log files. | |||||
| CVE-2025-66910 | 1 Turms-im | 1 Turms | 2026-01-02 | N/A | 6.0 MEDIUM |
| Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentication performance. Upon successful login, raw passwords are stored unencrypted in memory in the rawPassword field. Attackers with local system access can extract these passwords through memory dumps, heap analysis, or debugger attachment, bypassing bcrypt protection. | |||||
| CVE-2025-63729 | 1 Syrotech | 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware | 2025-12-30 | N/A | 9.0 CRITICAL |
| An issue was discovered in Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517 allowing attackers to exctract the SSL Private Key, CA Certificate, SSL Certificate, and Client Certificates in .pem format in firmware in etc folder. | |||||
| CVE-2025-37727 | 1 Elastic | 1 Elasticsearch | 2025-12-23 | N/A | 5.7 MEDIUM |
| Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex | |||||
| CVE-2025-12996 | 1 Medtronic | 1 Carelink Network | 2025-12-22 | N/A | 4.1 MEDIUM |
| Medtronic CareLink Network allows a local attacker with access to log files on an internal API server to view plaintext passwords from errors logged under certain circumstances. This issue affects CareLink Network: before December 4, 2025. | |||||