
10 matches found

ATTACKERKB
added 2026/06/05 12:00 a.m. · 4 views

CVE-2020-25900

HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client of other users. The client side was changed in 2019 to encrypt that database...

CVSS 5.3 · AI score 5.5 · EPSS 0.00036
Exploits 0 · References 2
CVE
added 2026/05/12 10:17 a.m. · 19 views

CVE-2026-41712

The CVE-2026-41712 entry concerns Spring AI's chat memory component, where a problematic default (DEFAULT_CONVERSATION_ID) can cause cross-user data exposure when not explicitly overridden. Affected element: the chat memory/session handling; root cause: default configuration that ties user conver...

CVSS 7.5 · AI score 5.5 · EPSS 0.00045
Exploits 0 · References 2 · Affected Software 1
Snyk
added 2026/05/08 12:00 a.m. · 5 views

Missing Authorization

Overview: org.springframework.ai:spring-ai-openai is an OpenAI models support package. Affected versions of this package are vulnerable to Missing Authorization via the default configuration of the Spring AI chat memory component. An attacker can access data from other users when DEFAULT_CONVERSATION_ID is n...

CVSS 7.5 · AI score 5.8 · EPSS 0.00045
Exploits 0 · References 2
CNNVD
added 2026/04/20 12:00 a.m. · 4 views

OpenMage Magento Lts (Magento) security vulnerability

OpenMage Magento Lts (Magento) is an e-commerce system developed by the OpenMage organization. Versions of OpenMage Magento Lts prior to 20.17.0 contained security vulnerabilities. These vulnerabilities stemmed from defects in the authorization logic for adding shared wish lists to the shopping car...

CVSS 5.4 · AI score 5.8 · EPSS 0.0002
Exploits 1 · References 1
Veracode
added 2026/01/13 7:56 a.m. · 5 views

Authorization Bypass

Axios Cache Interceptor is vulnerable to an Authorization Bypass. The vulnerability is due to improper cache key generation, where cached responses are keyed only by URL and ignore the Authorization header and Vary: Authorization, causing responses generated for one user’s auth token to be reused...

CVSS 6.5 · AI score 7 · EPSS 0.00037
Exploits 1 · References 2 · Affected Software 1
IBM Security Bulletins
added 2025/08/29 2:36 p.m. · 9 views

Security Bulletin: Insecure Default Permissions in Apache Hadoop's RunJar.run() Expose Sensitive Data in Shared Temporary Directory, which affects IBM watsonx.data

Summary: Apache Hadoop's RunJar.run() does not set permissions for its temporary directory by default. If sensitive data is present in this file, all other local users may be able to view the content. This is because, on Unix-like systems, the system temporary directory is shared between all...

CVSS 6.2 · AI score 6.1 · EPSS 0.00104
Exploits 0 · Affected Software 1
Cvelist
added 2025/08/26 10:48 p.m. · 3 views

CVE-2025-0082

In multiple functions of StatusHint.java and TelecomServiceImpl.java, there is a possible way to reveal images across users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation...

EPSS 0.00072
Exploits 0 · References 3
CVE
added 2025/02/28 4:51 p.m. · 82 views

CVE-2025-20060

CVE-2025-20060 affects the Dario Health Android application and its database. An attacker could expose cross-user PII and PHI transmitted via the Dario Health app database. The available documents provide impact (privacy leakage) and CVSS-derived severity (high), but do not specify affected versi...

CVSS 8.7 · AI score 6.6 · EPSS 0.00171
Exploits 0 · References 2
PyPA
added 2024/02/09 12:15 a.m. · 7 views

PYSEC-2024-125

DIRAC is a distributed resource framework. In affected versions any user could get a token that has been requested by another user/agent. This may expose resources to unintended parties. This issue has been addressed in release version 8.0.37. Users are advised to upgrade. There are no known...

CVSS 9.1 · AI score 6.7 · EPSS 0.00121
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2022/01/11 12:00 a.m. · 5 views

PT-2022-11481 · Apache +1 · Apache Guacamole +1

Name of the Vulnerable Software and Affected Versions: Apache Guacamole versions 1.3.0 and older
Description: The issue allows an authenticated user who already has permission to access a particular connection to potentially read from or interact with another user's active use of that same...

CVSS 8.8 · AI score 8.4 · EPSS 0.01358
Exploits 2 · References 19