CVE-2026-36719

An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs...

CVE-2026-36719

An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs...

CVE-2026-36719

An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs...

CVE-2026-36719

AgentChat v2.3.0 contains an information disclosure vulnerability in the /api/v1/user/info endpoint. The flaw allows unauthenticated attackers to enumerate user IDs and access sensitive data, including SHA-256 password hashes. Publicly available documents do not provide a confirmed root cause or ...

CVE-2026-36719

An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs...

BIT-NEO4J-2026-1471 Caching of authentication context

Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.1.4 leads to authenticated users inheriting the context of the first user who authenticated after restart. The issue is limited to certain non-default configurations of SSO UserInfo endpoint. We recomme...

CVE-2026-33708

Chamilo LMS is a learning management system. Prior to 1.11.38, the getuserinfofromusername REST API endpoint returns personal information email, first name, last name, user ID, active status of any user to any authenticated user, including students. There is no authorization check. This...

CVE-2025-60800

Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request...

CVE-2025-60800

Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request...

PT-2025-44195

Name of the Vulnerable Software and Affected Versions jshERP versions prior to commit 90c411a Description An access control issue exists in the /jshERP-boot/user/info interface of jshERP. An attacker can obtain sensitive information by sending a specially crafted GET request to this interface. Th...

PT-2024-34374 · Unknown · Python Food Ordering System

Name of the Vulnerable Software and Affected Versions: python food ordering system version V1.0 Description: The python food ordering system has an unauthorized vulnerability that leads to the leakage of sensitive user information. Attackers can access it through the...

Pomerium exposed OAuth2 access and ID tokens in user info endpoint response

Impact The Pomerium user info page at /.pomerium unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be more severe in the presence of an XSS vulnerability in an upstream...

CVE-2024-39315 Pomerium exposed OAuth2 access and ID tokens in user info endpoint response

Pomerium is an identity and context-aware access proxy. Prior to version 0.26.1, the Pomerium user info page at /.pomerium unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be...