28221 matches found
EUVD-2026-43310
A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information PII and secrets, to persistent logs. This sensitive data, including bearer tokens and...
CVE-2026-61975
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetReviews jet-reviews allows Retrieve Embedded Sensitive Data.This issue affects JetReviews: from n/a through = 3.0.1...
CVE-2026-61977
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetSearch jet-search allows Retrieve Embedded Sensitive Data.This issue affects JetSearch: from n/a through = 3.6.1.2...
CVE-2026-61976
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Retrieve Embedded Sensitive Data.This issue affects JetBlocks For Elementor: from n/a through = 1.5.0...
CVE-2026-57393
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder woo-pdf-invoice-builder allows Retrieve Embedded Sensitive Data.This issue affects WooCommerce PDF Invoice Builder: from n/a through = 2.0.8...
CVE-2026-15574
The CVE-2026-15574 issue affects the vllm-orchestrator-gateway component, where the production binary logs incoming authorization headers and full chat payloads, potentially exposing PII, secrets, bearer tokens, and conversation content. This data exposure arises from a hard-coded debug/default l...
Easy Appointments <= 3.12.21 - Information Disclosure
Easy Appointments WordPress plugin = 3.12.21 contains a sensitive information exposure caused by an unauthenticated REST API endpoint /wp-json/wp/v2/eablocks/eaappointments/ registered with permissioncallback allowing unrestricted access, letting unauthenticated attackers extract sensitive custom...
Gravity SMTP WordPress Plugin - Sensitive Information Exposure
Gravity SMTP WordPress plugin = 2.1.4 contains a sensitive information exposure caused by an unrestricted REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data, letting unauthenticated attackers retrieve detailed system configuration data, exploit requires no authentication. id:...
Langflow - Broken Access Control
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories...
WordPress Backup Migration <= 1.3.6 - Path Traversal
WordPress Backup Migration plugin versions up to 1.3.6 contain a path traversal and file validation issue in handledownloading function, letting unauthenticated attackers download backup files containing sensitive information. id: CVE-2023-6266 info: name: WordPress Backup Migration = 1.3.6 - Pat...
Trinity Audio <= 5.21.0 - Information Exposure
The Trinity Audio Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.21.0 via the /admin/inc/phpinfo.php file that gets created on install. This makes it possible for...
ListingPro < 2.6.1 - Sensitive Data Disclosure
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the /listingpro-plugin/functions.php file. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, full names, email...
HT Mega < 3.0.7 - Sensitive Information Disclosure
The HT Mega plugin for WordPress is vulnerable to Sensitive Information Exposure via AJAX actions. This template dynamically extracts the security nonce before exploitation. id: CVE-2026-4106 info: name: HT Mega 3.0.7 - Sensitive Information Disclosure author: EFETR severity: high description: |...
AntD Admin - Sensitive Information Disclosure
AntD Admin has a security vulnerability that stems from Antd-admin 5.5.0 being affected by an incorrect access control vulnerability. Attackers can exploit this vulnerability to gain unauthorized access to some front-end interfaces, resulting in the leakage of sensitive information such as user...
WordPress Perfect Images (WP Retina 2x) < 6.4.6 - Sensitive Information Exposure
Jordy Meow Perfect Images Manage Image Sizes, Thumbnails, Replace, Retina versions up to 6.4.5 contain a vulnerability that exposes sensitive information to unauthorized actors, letting attackers access confidential data, exploit requires no specific conditions. id: CVE-2023-44982 info: name:...
PraisonAI AgentOS - Information Disclosure
PraisonAI's AgentOS FastAPI application server exposes an unauthenticated GET /api/agents endpoint that lists every registered agent's name, role and the opening of its instructions system prompt. No authentication is enforced on the route, allowing a remote attacker to enumerate agent...
W3 Total Cache < 2.8.2 - Log File Exposure
The plugin is vulnerable to Information Exposure through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For example, the log file may contain nonce values that can be used in further CSRF...
Palo Alto Networks Expedition - OS Command Injection
An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls...
Jeecg-Boot v3.5.1 - SQL Injection
SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData in jeecg-boot v3.5.1. id: CVE-2023-38992 info: name: Jeecg-Boot v3.5.1 - SQL Injection author: ritikchaddha severity: critical description: | SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData...
Scoold < 1.64.0 - Authentication Bypass
Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT...