GHSA-XR49-F4RH-QCJF AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
Summary An unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints e.g. userslist without logging in. Details objects/plugins.json.php is public and still exposes plugin objectdata containing APISecret. That secret is accepted by...
CVE-2025-58427
CVE-2025-58427 affects Canva Affinity for EMF processing. Talos reports an out-of-bounds read in the EMF handling within the EMR_EXTTEXTOUTW record, triggered by specially crafted EMF files. The vulnerability stems from reading an intercharacter spacing array using an offset (offDx) that can exce...
EUVD-2026-9945
Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 Linux, Windows before build 41186...
Sensitive Information Disclosure
Umbraco.cms is vulnerable to Sensitive Information Disclosure. The vulnerability is due to unsafe handling and cleanup of temporary files during the dictionary upload process, which allows an attacker with backoffice access to infer the existence of arbitrary files on the server and, in some...
PT-2025-47890
A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client...
A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.
...
Adobe Acrobat Reader Buffer Overflow Vulnerability (CNVD-2025-16322)
Adobe Acrobat Reader is a PDF viewer from the American company Adobe. The software is used to print, sign and annotate PDFs. A buffer overflow vulnerability exists in Adobe Acrobat Reader 24.001.30225, 20.005.30748, 25.001.20428 and earlier versions, which originates from an out-of-bounds...
WordPress plugin Vimeography Security Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application plugin. A security...
CVE-2024-30614
An issue in Ametys CMS v4.5.0 and before allows attackers to obtain sensitive information via exposed resources to the error scope...
PHP MySQL User Signup Login System Security Vulnerability
PHP MySQL User Signup Login System is a login and registration form using HTML, PHP and MySQL. A security vulnerability exists in PHP MySQL User Signup Login System version 1.0, which originates from a sensitive information disclosure vulnerability in the file login.sql...
CVE-2023-44334 Adobe Photoshop 2023 CC 24.7 Memory Corruption Vulnerability VI.
Adobe Photoshop versions 24.7.1 and earlier and 25.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user...
CVE-2023-45242
Sensitive information disclosure due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent Linux, macOS, Windows before build 35739, Acronis Cyber Protect 17 Linux, macOS, Windows before build 41186...
slovensky-raj.sk Cross Site Scripting vulnerability OBB-3390538
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
adomne.rs Cross Site Scripting vulnerability OBB-3325039
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
euclidquartet.com Cross Site Scripting vulnerability OBB-3233815
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Electron Security Vulnerability
Electron is a JavaScript framework, maintained by an individual developer, for writing cross-platform desktop applications. The framework is based on Node.js and Chromium and can use HTML and CSS to build cross-platform desktop applications. A security vulnerability exists in Electron versions 20.x before...
The vulnerability of the command-line processor of the NGINX Ingress Controller, which allows a hacker to disclose protected information.
The vulnerability of the command-line processor of the NGINX Ingress Controller monitoring and application management platform is related to insufficient checks for granting permissions to critical resources. Exploiting this vulnerability could allow a malicious actor to disclose sensitive...
MoinMoin Exposure of Sensitive Disclosure when GATEWAY_INTERFACE variable is set
MoinMoin 1.9 before 1.9.1 does not perform the expected clearing of the sys.argv array in situations where the GATEWAY_INTERFACE environment variable is set, which allows remote attackers to obtain sensitive information via unspecified vectors...
jetty: Ambiguous paths can access WEB-INF
In Jetty the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application...
PT-2021-22211 · Best Practical +2 · Request Tracker +2
Name of the Vulnerable Software and Affected Versions: Best Practical Request Tracker RT versions 4.2 through 4.2.16; Best Practical Request Tracker RT versions 4.4 through 4.4.4; Best Practical Request Tracker RT versions 5.0 through 5.0.1. Description: The issue allows sensitive information...