Exposure of Sensitive Information Through Metadata
Overview org.apache.activemq:activemq-all is a package that puts together an ActiveMQ jar bundle. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata in the BrokerInfo component. An attacker can obtain sensitive metadata, including client...
CVE-2025-14481 Yoast SEO <= 26.5 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via 'post_id' Parameter
The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated...
Missing Authorization
Overview open-webui is an Open WebUI. Affected versions of this package are vulnerable to Missing Authorization via the validatecollectionaccess function. An attacker can obtain sensitive metadata, such as IDs, names, and descriptions of all knowledge bases across users, by sending crafted API...
AWS VDP: Encryption context keys and values logged at INFO level
Component: cmd/server/main.go:101-106 Affected Version: aws-encryption-provider @ 4341c70 all versions Found by: Source audit TLP: TLP:Amber --- Summary The server startup code logs all encryption context key-value pairs at INFO level. Encryption context is metadata associated with KMS operations...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization in the stop triggers and /models command. An attacker can disrupt active sessions and access sensitive model or authentication metadata by sending unauthorized...
CVE-2025-12980
CVE-2025-12980 affects the WordPress plugin Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX. The vulnerability is a Missing Authorization to Unauthenticated Sensitive Information Exposure via the REST endpoint /ultp/v2/get_dynamic_content/ in all versions up to 5.0.3, enabl...
CVE-2025-13084
The groov View API exposes a users endpoint that returns a list of all users with metadata including their API keys. Access requires an Editor role, but the endpoint reveals API keys for all users, including Administrators, creating potential exposure and confidentiality impact. The issue is docu...
EUVD-2014-2339
Malware in sbrugna...
EUVD-2014-3544
Malware in sbrugna...
EUVD-2014-2557
Malware in sbrugna...
EUVD-2023-29957
Malicious code in bioql PyPI...
EUVD-2022-7271
Malicious code in bioql PyPI...
EUVD-2022-1885
Malicious code in bioql PyPI...
Exposure of Sensitive Information Through Metadata
Overview Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata through improper enforcement of channel member permissions for playbook run participants. An attacker can access sensitive information about linked private channels, such as channel nam...
CVE-2025-53018 Lychee has Server-Side Request Forgery (SSRF) in Photo::fromUrl API via unvalidated remote image URLs
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery SSRF vulnerability exists in the /api/v2/Photo::fromUrl endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any URL they choose...
CVE-2024-1279
The Paid Memberships Pro WordPress plugin before 2.12.9 does not prevent users with at least the contributor role from leaking other users' sensitive metadata...
CVE-2023-7049
The Custom Field For WP Job Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2 via the 'cmfieldshow' shortcode due to missing validation on the 'jobid' user controlled key. This makes it possible for authenticated attackers...
CVE-2022-3866
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2...
Exposure of Sensitive Information Through Metadata
Overview Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata when executing the UpdateChannelBookmark function, due to improper handling of user permissions. By creating a bookmark referencing a deleted file, an attacker can expose metadata from...