CVE-2026-32736

The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. An Insecure Direct Object Reference IDOR vulnerability in versions of the wiki prior to 1.0.0 exposes mod authors' personal information - including full names and email addresses - to any authenticated...

CVE-2026-32736 Hytale Modding Wiki has Insecure Direct Object Reference / GDPR PII Exposure

The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. An Insecure Direct Object Reference IDOR vulnerability in versions of the wiki prior to 1.0.0 exposes mod authors' personal information - including full names and email addresses - to any authenticated...

CVE-2026-25729

DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresse...

CVE-2026-25729 DeepAudit Affected by User Enumeration via Broken Access Control

DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresse...

Carlsberg Event Wristband Leaked PII, Researcher Told Not to Disclose

A poorly secured wristband system used at a Carlsberg exhibition allowed access to visitor photos, videos, and full names. Attempts to report the issue were ignored for months...

CVE-2025-14075

The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotelbookingfetchcustomerinfo' AJAX action to unauthenticated users without proper capability checks, relying only on a...

CVE-2026-22602

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably e.g., 1 to 1000, an attacker can extract a complete list of all users’ fu...

CVE-2026-22602

CVE-2026-22602 affects OpenProject prior to version 16.6.2. A user with low privileges (logged in) can enumerate and view the full names of other users by iterating through sequential user IDs (e.g., 1, 2, 3, …) or via the OpenProject API, enabling automated retrieval of personal data. The issue ...

CVE-2026-22602 OpenProject is Vulnerable to User Enumeration via User ID

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably e.g., 1 to 1000, an attacker can extract a complete list of all users’ fu...

CVE-2026-22602 OpenProject is Vulnerable to User Enumeration via User ID

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably e.g., 1 to 1000, an attacker can extract a complete list of all users’ fu...

EUVD-2026-1885

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably e.g., 1 to 1000, an attacker can extract a complete list of all users’ fu...

CVE-2025-64528

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enablenames is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...

PT-2025-54189

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enable names is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...

Linux Distros Unpatched Vulnerability : CVE-2019-3810

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape...

Linux Distros Unpatched Vulnerability : CVE-2021-20281

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8,...

Linux Distros Unpatched Vulnerability : CVE-2025-3640

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and...

UBUNTU-CVE-2024-48896

A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site...

CVE-2020-36723

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the /listingpro-plugin/functions.php file. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, full names, email...

CVE-2022-30076

ENTAB ERP 1.0 allows attackers to discover users' full names via a brute force attack with a series of student usernames such as s10000 through s20000. There is no rate limiting...

WP Simple Shopping Cart 4.6.3 - Unauthenticated PII Disclosure

The plugin saves exported shopping cart data in a publicly accessible directory, allowing unauthenticated users to retrieve PII such as full names, email/IP address etc...