28 matches found
CVE-2026-10597
OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...
CVE-2026-31381 Gainsight Assist plugin information disclosure
An attacker can extract user email addresses PII exposed in base64 encoding via the state parameter in the OAuth callback URL...
EUVD-2026-9093
Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a...
EUVD-2025-203061
The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This...
GHSA-CW79-FQ4F-9R96 Liferay Portal Vulnerable to Information Exposure Through a Log File Vulnerability in LDAP Import Feature
Information exposure through log file vulnerability in LDAP import feature in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows local users t...
EUVD-2005-3337
Malware in sbrugna...
EUVD-2024-34087
Malicious code in bioql PyPI...
EUVD-2021-31508
Malicious code in bioql PyPI...
EUVD-2021-9395
Malicious code in bioql PyPI...
EUVD-2022-3402
Malicious code in bioql PyPI...
PT-2025-39658
Name of the Vulnerable Software and Affected Versions Flag Forge versions 2.0.0 through 2.3.0 Description Flag Forge, a Capture The Flag CTF platform, has an issue where the public API endpoint /api/user/username returns user email addresses in its JSON response. This exposes sensitive user...
CVE-2025-41685
A low-privileged remote attacker can obtain the username of another registered Sunny Portal user by entering that user's email address...
CVE-2023-5561
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack...
CVE-2022-0287
The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog...
CVE-2021-34683
An issue was discovered in EXCELLENT INFOTEK CORPORATION EIC E-document System 3.0. A remote attacker can use kw/auth/bbs/asp/getuseremailinfobbs.asp to obtain the contact information name and e-mail address of everyone in the entire organization. This information can allow remote attackers to...
CVE-2025-1404
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ayssccpreportsusersearch function in all versions up to, and including, 4.4.7. This makes it possible for unauthenticated attackers to...
CVE-2025-1404
CVE-2025-1404 affects the WordPress plugin Secure Copy Content Protection and Content Locking . The vulnerability is due to a missing capability check in the function ays_sccp_reports_user_search() and affects all versions up to 4.4.7. This allows unauthenticated attackers to retrieve a list of r...
WakaTime: User Email Disclosure via ID-Based Invitation
The issue occurs when inviting a user by their WakaTime ID. If a user has set their email to private, their email address was disclosed when they were invited using their ID. This contradicted the privacy settings and led to unintended email exposure...
CVE-2024-11717
Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to...
UBUNTU-CVE-2024-27937
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13...