Lucene search

12 matches found

OSV
added 2026/05/06 9:39 p.m. | 2 views

GHSA-QRCH-52M5-VV85 Flight vulnerable to sensitive information disclosure via default error handler

Summary: The default error handler Engine::error writes the full exception message, exception code, and stack trace including absolute filesystem paths directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception...

CVSS 7.5 | AI score 5.8 | EPSS 0.00015
Exploits: 0 | References: 5

NVD
added 2026/03/24 8:16 p.m. | 2 views

CVE-2026-21783

HCL Traveler is affected by sensitive information disclosure. The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this...

CVSS 4.3 | EPSS 0.00014
Exploits: 0 | References: 1

ATTACKERKB
added 2026/02/11 2:13 p.m. | 3 views

CVE-2026-2250

The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests...

CVSS 7.5 | AI score 5.6 | EPSS 0.00119
Exploits: 0 | References: 2

RedhatCVE
added 2025/12/12 4:0 p.m. | 4 views

CVE-2025-67739

In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure...

CVSS 3.1 | AI score 6.4 | EPSS 0.00001
Exploits: 0 | References: 1

NVD
added 2025/12/11 4:16 p.m. | 8 views

CVE-2025-67739

In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure...

CVSS 3.1 | EPSS 0.00001
Exploits: 0 | References: 1

Positive Technologies
added 2025/12/11 12:0 a.m. | 2 views

PT-2025-50625

In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure...

CVSS 3.1 | AI score 6.3 | EPSS 0.00001
Exploits: 0 | References: 2

Prion
added 2023/05/30 6:16 a.m. | 18 views

Code injection

Calendar app for Nextcloud easily sync events from various devices with your Nextcloud. Some internal paths of the website are disclosed when the SMTP server is unavailable. It is recommended that the Calendar app is updated to 3.5.5 or 4.2.3...

CVSS 4 | AI score 4.7 | EPSS 0.00084
Exploits: 0 | References: 2 | Affected Software: 1

CNNVD
added 2022/11/17 12:0 a.m. | 2 views

Webvendome path traversal vulnerability

Webvendome is an application from Webvendome, Inc. Webvendome suffers from a path traversal vulnerability that stems from an internal server IP and full path disclosure, which can be exploited by an attacker to send GET requests...

CVSS 5.3 | AI score 5.9 | EPSS 0.00382
Exploits: 0 | References: 4

UbuntuCve
added 2022/03/28 7:15 p.m. | 22 views

CVE-2022-0344

An issue has been discovered in GitLab affecting all versions starting from 10.0 before 14.5.4, all versions starting from 10.1 before 14.6.4, all versions starting from 10.2 before 14.7.1. Private project paths can be disclosed to unauthorized users via system notes when an Issue is closed via a...

CVSS 4.3 | AI score 5.8 | EPSS 0.00304
Exploits: 1 | References: 4

OSV
added 2021/09/22 3:15 p.m. | 2 views

CVE-2021-40875

Improper Access Control in Gurock TestRail versions 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The...

CVSS 7.5 | AI score 5.8 | EPSS 0.83001
Exploits: 4 | References: 4

Prion
added 2020/04/30 9:15 p.m. | 19 views

Authorization

On BIG-IP 15.0.0-15.0.1.3 and 14.1.0-14.1.2.3, the restjavad process may expose a way for attackers to upload arbitrary files on the BIG-IP system, bypassing the authorization system. Resulting error messages may also reveal internal paths of the server...

CVSS 5.5 | AI score 7 | EPSS 0.00414
Exploits: 0 | References: 1 | Affected Software: 11

Hacker One
added 2018/03/06 5:55 a.m. | 20 views

Mail.ru: Local paths disclosure through error message

bonus.mail.ru disclosed trace information with absolute paths via 5xx error messages. bonus.mail.ru is not covered by bug bounty scope...

AI score 2.1
Exploits: 0