193 matches found
CVE-2026-22602
CVE-2026-22602 affects OpenProject prior to version 16.6.2. A user with low privileges (logged in) can enumerate and view the full names of other users by iterating through sequential user IDs (e.g., 1, 2, 3, …) or via the OpenProject API, enabling automated retrieval of personal data. The issue ...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000347)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000347 advisory. In the Linux kernel 4.15.x through 4.19.x before 4.19.2, mapwrite in kernel/usernamespace.c allows privilege escalation because it mishandles nested user namespaces...
Mattermost Server 10.11.x < 10.11.8 / 10.12.x < 10.12.4 / 11.0.x <= 11.0.6 / 11.1.x <= 11.1.1 Improper Authentication (MMSA-2025-00555)
The version of Mattermost Server installed on the remote host is 10.11.x prior to 10.11.8, 10.12.x prior to 10.12.4, 11.0.x prior to 11.0.6, or 11.1.x prior to 11.1.1, and is, therefore, affected by an improper authentication vulnerability: - Mattermost versions 11.1.x = 11.1.0, 11.0.x = 11.0.5,...
CVE-2025-12492
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.0 via the ajaxgetmembers function. This is due to the use of a...
CVE-2025-67857
A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure...
CVE-2025-12361
The CVE-2025-12361 entry concerns the WordPress plugin myCred (Points Management System) with vulnerability in versions up to and including 2.9.7.1. The root cause is Missing Authorization: authenticated users with Subscriber-level access and above can access sensitive information via the get_ban...
CVE-2025-12361 myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7.1 - Missing Authorization to Sensitive Information Exposure
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This...
CVE-2025-14440
The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jayloginregisterprocessswitchback' function with the 'jayloginregisterprocessswitchback' cookie value. This makes...
CVE-2025-14159
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ayssccpresultsexportfile' AJAX action. This makes it possible for unauthenticated...
CVE-2025-13494 SSP Debug <= 1.0.0 - Unauthenticated Sensitive Information Exposure
The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location wp-content/uploads/ssp-debug/ssp-debug.log without any access controls. This...
CVE-2025-12681
The Comment Edit Core – Simple Comment Editing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.0 via the 'ajaxgetcomment' function. This makes it possible for unauthenticated attackers to extract sensitive data including user IDs, IP...
CVE-2025-12681 Comment Edit Core – Simple Comment Editing <= 3.1.0 - Unauthenticated Sensitive Information Exposure
The Comment Edit Core – Simple Comment Editing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.0 via the 'ajaxgetcomment' function. This makes it possible for unauthenticated attackers to extract sensitive data including user IDs, IP...
CVE-2025-12681
CVE-2025-12681 affects the WordPress plugin Comment Edit Core – Simple Comment Editing, up to version 3.1.0. The root cause is an unauthenticated exposure via the ajax_get_comment function, allowing any visitor to access sensitive data such as user IDs, IP addresses, and email addresses. Wordfenc...
PT-2025-46785
The Comment Edit Core – Simple Comment Editing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.0 via the 'ajax get comment' function. This makes it possible for unauthenticated attackers to extract sensitive data including user IDs, I...
CVE-2025-52602
HCL BigFix Query is affected by a sensitive information disclosure in the WebUI Query application. An HTTP GET endpoint request returns discoverable responses that may disclose: group names, active user names or IDs. An attacker can use that information to target individuals with phishing or...
CVE-2025-52602 HCL BigFix Query is affected by a sensitive information disclosure vulnerability in the WebUI Query application
HCL BigFix Query is affected by a sensitive information disclosure in the WebUI Query application. An HTTP GET endpoint request returns discoverable responses that may disclose: group names, active user names or IDs. An attacker can use that information to target individuals with phishing or...
Ecuador Quipux 安全漏洞
Ecuador Quipux is an electronic document management and process system from Ecuador Ecuador. A security vulnerability exists in Ecuador Quipux versions 4.0.1 through e1774ac, which stems from improper handling of the txtlogin parameter and could lead to username enumeration and access to the...
CVE-2025-55342
Quipux 4.0.1 through e1774ac allows enumeration of usernames, and accessing the Ecuadorean identification number for all registered users via the Administracion/usuarios/cambiarpasswordolvidovalidar.php txtlogin parameter...
CVE-2021-4461
Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the enc parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a...
EUVD-2023-32520
Malicious code in bioql PyPI...