21 matches found
CVE-2026-7864 Exposure of Sensitive Information to an Unauthorized Actor
SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI, allowing remote attackers to obtain sensitive system information...
CVE-2026-23493 Pimcore ENV Variables and Cookie Informations are exposed in http_error_log
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through t...
EUVD-2025-36741
Prior to September 19, 2025, the Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, allowing a remote attacker to obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, serve...
CVE-2025-54459
Prior to September 19, 2025, the Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, allowing a remote attacker to obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, serve...
EUVD-2012-4208
Malware in sbrugna...
CMS Made Simple Cross-Site Scripting Vulnerability
CMS Made Simple is an open source content management system. CMS Made Simple fails to properly handle the $_SERVER variable, allowing remote attackers to construct malicious URIs, tricking users into parsing them, which can be used in the target user context to perform malicious actions...
Cross site scripting
Multiple cross-site scripting (XSS) vulnerabilities in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "server variables," a different vulnerability than CVE-2012-4263...
CVE-2012-4264
Multiple cross-site scripting (XSS) vulnerabilities in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "server variables," a different vulnerability than CVE-2012-4263...
WordPress Better WP Security Plugin <= 3.2.4 - Multiple XSS
Because of these vulnerabilities, attackers can inject arbitrary web script or HTML via unspecified vectors related to "server variables". Solution: Update the plugin...
Struts2/XWork < 2.2.0 remote execution of arbitrary code vulnerability analysis and patch-vulnerability warning-the black bar safety net
Neeao's Blog http://neeao.com/ : 1. On July 14 the exploit-db website disclosed a Struts2 remote execution of arbitrary code vulnerability, hazard of large, can be described as a crack shot, directly to the root, as long as the use Struts2 and webwork framework of the system for the...
cpCommerce 1.2.6 (URL Rewrite) Input variable overwrite / Auth bypass
Exploit for unknown platform in category web applications. cpCommerce 1.2.6 URL Rewrite Input variable overwrite / Auth bypass. Author: girex CMS: cpCommerce...
Sql injection
The pnVarPrepForStore function in PostNuke 0.764 and earlier skips input sanitization when magic_quotes_runtime is enabled, which allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via input associated with server variables, as demonstrated by the CLIENT_IP...
Dora Emlak Script v1.0 (tr) Admin Login ByPass
Dora Emlak Script v1.0 tr Admin Login ByPass ilker kandemir ilkerkandemiratmynet.com Download: http://aspindir.com/goster/5027 TnX.: Ajann, Dumenci, H0tTurk, Str0ke Bug in ../dora/administartor/yonetim/patron/default.asp cookFirstLevel = Session("FirstLevelSecurity") 'First Security Session...
FreeBSD : drupal -- Multiple XSS vulnerabilities (1f5b711b-3d0e-11dc-b3d3-0016179b2dd5)
The Drupal Project reports: Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted websit...
drupal -- Multiple cross-site scripting vulnerabilities
The Drupal Project reports: Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website...
Drupal core - Multiple cross site scripting vulnerabilities
Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website. Custom content type names...
CVE-2005-2574
xmb.php in XMB Forum 1.9.1 extracts and defines all provided variables, which allows remote attackers to modify arbitrary server variables such as _SERVER[REMOTE_ADDR]...
Information leakage in Quake2
It's possible to retrieve any server variable values, including $rcon_password, by using a modified client without $-variable expansion...
Information leak in Webridge
In case of an error, all server variables are displayed...
Cart32 3.0 - 'expdate' Administrative Information Disclosure
source: https://www.securityfocus.com/bid/1358/info. By appending the string "/expdate" to a request for the cart32.exe executable, http://target/cgi-bin/cart32.exe/expdate, an attacker can access an error message followed by a debugging page containing the server variables, the Cart32...