Total
978 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-34183 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-09-25 | N/A | 7.5 HIGH |
| Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains a vulnerability in its server-side logging mechanism that allows unauthenticated remote attackers to retrieve plaintext credentials from exposed .log files. This flaw enables full authentication bypass and system compromise through credential reuse. | |||||
| CVE-2025-54376 | 1 Hoverfly | 1 Hoverfly | 2025-09-24 | N/A | 7.5 HIGH |
| Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue. | |||||
| CVE-2025-4090 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-09-23 | N/A | 5.3 MEDIUM |
| A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox < 138 and Thunderbird < 138. | |||||
| CVE-2025-48493 | 1 Yiiframework | 1 Yii2-redis | 2025-09-18 | N/A | 6.5 MEDIUM |
| The Yii 2 Redis extension provides the redis key-value store support for the Yii framework 2.0. On failing connection, the extension writes commands sequence to logs. Prior to version 2.0.20, AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs. Version 2.0.20 fixes the issue. | |||||
| CVE-2025-4234 | 2025-09-15 | N/A | N/A | ||
| A problem with the Palo Alto Networks Cortex XDR Microsoft 365 Defender Pack can result in exposure of user credentials in application logs. Normally, these application logs are only viewable by local users and are included when generating logs for troubleshooting purposes. This means that these credentials are exposed to recipients of the application logs. | |||||
| CVE-2024-51752 | 1 Workos | 1 Authkit | 2025-09-10 | N/A | 5.5 MEDIUM |
| The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In affected versions refresh tokens are logged to the console when the disabled by default `debug` flag, is enabled. This issue has been patched in version 0.13.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-23261 | 2025-09-05 | N/A | 5.5 MEDIUM | ||
| NVIDIA Cumulus Linux and NVOS products contain a vulnerability, where hashed user passwords are not properly suppressed in log files, potentially disclosing information to unauthorized users. | |||||
| CVE-2025-7445 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
| Kubernetes secrets-store-sync-controller in versions before 0.0.2 discloses service account tokens in logs. | |||||
| CVE-2025-8663 | 2025-09-04 | N/A | N/A | ||
| Insertion of Sensitive Information into Log File vulnerability in upKeeper Solutions upKeeper Manager allows Use of Known Domain Credentials.This issue affects upKeeper Manager: from 5.0.0 before 5.2.12. | |||||
| CVE-2025-41690 | 2025-09-02 | N/A | 7.4 HIGH | ||
| A low-privileged attacker in bluetooth range may be able to access the password of a higher-privilege user (Maintenance) by viewing the device’s event log. This vulnerability could allow the Operator to authenticate as the Maintenance user, thereby gaining unauthorized access to sensitive configuration settings and the ability to modify device parameters. | |||||
| CVE-2025-36133 | 2025-09-02 | N/A | 5.9 MEDIUM | ||
| IBM App Connect Enterprise Certified Container CD: 9.2.0 through 11.6.0, 12.1.0 through 12.14.0, and 12.0 LTS: 12.0.0 through 12.0.14stores potentially sensitive information in log files during installation that could be read by a local user on the container. | |||||
| CVE-2025-57813 | 2025-08-29 | N/A | 5.9 MEDIUM | ||
| traQ is a messenger application built for Digital Creators Club traP. Prior to version 3.25.0, a vulnerability exists where sensitive information, such as OAuth tokens, are recorded in log files when an error occurs during the execution of an SQL query. An attacker could intentionally trigger an SQL error by methods such as placing a high load on the database. This could allow an attacker who has the authority to view the log files to illicitly acquire the recorded sensitive information. This vulnerability has been patched in version 3.25.0. If upgrading is not possible, a temporary workaround involves reviewing access permissions for SQL error logs and strictly limiting access to prevent unauthorized users from viewing them. | |||||
| CVE-2022-31674 | 1 Vmware | 1 Vrealize Operations | 2025-08-27 | N/A | 4.3 MEDIUM |
| VMware vRealize Operations contains an information disclosure vulnerability. A low-privileged malicious actor with network access can access log files that lead to information disclosure. | |||||
| CVE-2025-6392 | 1 Broadcom | 1 Brocade Sannav | 2025-08-27 | N/A | 4.4 MEDIUM |
| Brocade SANnav before Brocade SANnav 2.4.0a could log database passwords in clear text in audit logs when the daily data dump collector invokes docker exec commands. These audit logs are the local server VM’s audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user. | |||||
| CVE-2024-12569 | 2025-08-26 | N/A | 7.8 HIGH | ||
| Disclosure of sensitive information in a Milestone XProtect Device Pack driver’s log file for third-party cameras, allows an attacker to read camera credentials stored in the Recording Server under specific conditions. | |||||
| CVE-2024-55891 | 1 Typo3 | 1 Typo3 | 2025-08-26 | N/A | 3.1 LOW |
| TYPO3 is a free and open source Content Management Framework. It has been discovered that the install tool password has been logged as plaintext in case the password hashing mechanism used for the password was incorrect. Users are advised to update to TYPO3 versions 13.4.3 ELTS which fixes the problem described. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-7426 | 2025-08-25 | N/A | N/A | ||
| Information disclosure and exposure of authentication FTP credentials over the debug port 1604 in the MINOVA TTA service. This allows unauthenticated remote access to an active FTP account containing sensitive internal data and import structures. In environments where this FTP server is part of automated business processes (e.g. EDI or data integration), this could lead to data manipulation, extraction, or abuse. Debug ports 1602, 1603 and 1636 also expose service architecture information and system activity logs | |||||
| CVE-2025-3456 | 2025-08-25 | N/A | 3.8 LOW | ||
| On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships. | |||||
| CVE-2025-2092 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 7.5 HIGH |
| Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p29, <2.2.0p41 and <=2.1.0p49 (EOL) causes remote site authentication secrets to be written to log files accessible to administrators. | |||||
| CVE-2025-1075 | 1 Checkmk | 1 Checkmk | 2025-08-25 | N/A | 7.5 HIGH |
| Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p27, <2.2.0p40, and 2.1.0p51 (EOL) causes LDAP credentials to be written to Apache error log file accessible to administrators. | |||||