30 matches found

CVE
added 2026/05/11 4:55 p.m., 15 views

CVE-2026-5266

CVE-2026-5266 affects Wikimedia Foundation Echo, specifically the includes/Api/ApiEchoNotifications.Php component. The vulnerability allows exposure of sensitive information to an unauthorized actor and affects Echo versions before 1.43.7, 1.44.4, and 1.45.2. The Debian advisory notes the issue c...

2.3 CVSS, 5.8 AI score, 0.00047 EPSS
Exploits: 0, References: 1
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2017-4619

Malware in sbrugna...

7.5 CVSS, 7.6 AI score, 0.0011 EPSS
Exploits: 0, References: 2
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-49171

Malicious code in bioql PyPI...

7.5 CVSS, 7.5 AI score, 0.00402 EPSS
Exploits: 0, References: 1
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2023-57620

Malicious code in bioql PyPI...

7.5 CVSS, 5 AI score, 0.0007 EPSS
Exploits: 1, References: 3
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2024-41389

Malicious code in bioql PyPI...

4.3 CVSS, 6.6 AI score, 0.0013 EPSS
Exploits: 0, References: 1
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2024-33946

Malicious code in bioql PyPI...

7.5 CVSS, 6.3 AI score, 0.00018 EPSS
Exploits: 0, References: 1
EUVD
added 2025/10/03 8:7 p.m., 0 views

EUVD-2024-31725

Malicious code in bioql PyPI...

2.4 CVSS, 4 AI score, 0.0003 EPSS
Exploits: 0, References: 4
Vulnrichment
added 2025/08/21 3:27 a.m., 2 views

CVE-2025-48355 WordPress ProveSource Social Proof plugin <= 3.0.5 - Sensitive Data Exposure vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ProveSource LTD ProveSource Social Proof allows Retrieve Embedded Sensitive Data. This issue affects ProveSource Social Proof: from n/a through 3.0.5...

5.3 CVSS, 7.1 AI score, 0.00072 EPSS
Exploits: 0, References: 1
CVE
added 2025/07/24 8:40 p.m., 12 views

CVE-2025-31953

HCL iAutomate is affected by a vulnerability due to hardcoded credentials that could lead to confidential data exposure. Affected component: HCL iAutomate (no specific versions provided in the documents). Root cause: hardcoded credentials enabling potential unauthorized access. Impact: confidenti...

7.1 CVSS, 6.4 AI score, 0.00199 EPSS
Exploits: 0, References: 1, Affected Software: 1
CVE
added 2025/07/21 2:7 p.m., 20 views

CVE-2025-6235

CVE-2025-6235 affects ExtremeControl prior to 25.5.12, with an XSS in the login interface due to improper handling of user input in HTML attributes. The vulnerability can allow injected script to run in a user’s browser under certain interactions, potentially exposing user data or enabling unauth...

6.1 CVSS, 5.3 AI score, 0.00182 EPSS
Exploits: 0, References: 1, Affected Software: 1
Positive Technologies
added 2025/07/11 12:0 a.m., 3 views

PT-2025-29227 · Apache · Apache Tgml

Name of the Vulnerable Software and Affected Versions: Apache TGML, affected versions not specified. Description: A CWE-668: Exposure of Resource to Wrong Sphere issue exists, exposing TGML diagram resources to an incorrect control sphere. This allows other authenticated users to potential...

5.3 CVSS, 5.9 AI score, 0.00283 EPSS
Exploits: 0, References: 5
RedhatCVE
added 2025/05/23 10:42 a.m., 6 views

CVE-2024-7049

In version v0.3.8 of open-webui/open-webui, a vulnerability exists where a token is returned when a user with a pending role logs in. This allows the user to perform actions without admin confirmation, bypassing the intended approval process...

5.4 CVSS, 6.8 AI score, 0.00064 EPSS
Exploits: 1, References: 1
RedhatCVE
added 2025/05/23 9:57 a.m., 16 views

CVE-2024-2364

A vulnerability classified as problematic has been found in Musicshelf 1.0/1.1 on Android. Affected is an unknown function of the file androidmanifest.xml of the component Backup Handler. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to launch...

4.6 CVSS, 6.7 AI score, 0.00025 EPSS
Exploits: 1, References: 1
RedhatCVE
added 2025/05/23 9:52 a.m., 5 views

CVE-2024-7651

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to limited SQL Injection via the ‘app-builder-search’ parameter in all versions up to, and including, 4.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient...

7.5 CVSS, 7.3 AI score, 0.00264 EPSS
Exploits: 0, References: 1
RedhatCVE
added 2025/05/23 3:51 a.m., 3 views

CVE-2023-3300

HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1...

5.3 CVSS, 6.8 AI score, 0.00806 EPSS
Exploits: 0, References: 1
RedhatCVE
added 2025/05/22 7:45 p.m., 7 views

CVE-2021-32600

An exposure of sensitive information to an unauthorized actor vulnerability in FortiOS CLI 7.0.0, 6.4.0 through 6.4.6, 6.2.0 through 6.2.9, 6.0.x and 5.6.x may allow a local and authenticated user assigned to a specific VDOM to retrieve other VDOMs information such as the admin account list and t...

5 CVSS, 6.1 AI score, 0.00282 EPSS
Exploits: 0, References: 1
CVE
added 2025/05/20 1:47 p.m., 34 views

CVE-2025-47937

CVE-2025-47937 affects TYPO3 (PHP-based CMS). The issue arises in TYPO3 versions 9.0.0 through just before the fixed ELTS releases, where a DBAL multi-table query applies FrontendGroupRestriction only to the first table. This can allow data from additional tables in the same query to be exposed t...

5.3 CVSS, 6.9 AI score, 0.00201 EPSS
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2025/03/20 10:15 a.m., 6 views

CVE-2024-6866

corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the trymatch function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching...

7.5 CVSS, 7.2 AI score
Exploits: 0, References: 2
RedhatCVE
added 2025/03/06 8:48 p.m., 4 views

CVE-2025-1259

On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in users retrieving data that should not have been available...

7.7 CVSS, 7.2 AI score, 0.00254 EPSS
Exploits: 0, References: 3
RedhatCVE
added 2025/02/04 10:51 p.m., 5 views

CVE-2024-26136

kedi ElectronCord is a bot management tool for Discord. Commit aaaeaf4e6c99893827b2eea4dd02f755e1e24041 exposes an account access token in the config.json file. Malicious actors could potentially exploit this vulnerability to gain unauthorized access to sensitive information or perform malicious...

7.5 CVSS, 6.7 AI score, 0.00207 EPSS
Exploits: 0, References: 1