Total: 9301 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-55699 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2025-10-31 | N/A | 5.5 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. | |||||
| CVE-2023-49103 | 1 Owncloud | 1 Graph Api | 2025-10-31 | N/A | 10.0 CRITICAL |
| An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure. | |||||
| CVE-2025-36601 | 1 Dell | 1 Powerscale Onefs | 2025-10-31 | N/A | 4.0 MEDIUM |
| Dell PowerScale OneFS, versions 9.5.0.0 through 9.11.0.0, contains an exposure of sensitive information to an unauthorized actor vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to information disclosure. | |||||
| CVE-2024-57096 | 1 Kingsoft | 1 Wps Office | 2025-10-30 | N/A | 5.5 MEDIUM |
| An issue in WPS Office before v.19302 allows a local attacker to obtain sensitive information via a crafted file. | |||||
| CVE-2025-11634 | 1 Furbo | 4 Furbo 360 Dog Camera, Furbo 360 Dog Camera Firmware, Furbo Mini and 1 more | 2025-10-30 | 2.1 LOW | 2.4 LOW |
| A security flaw has been discovered in Tomofun Furbo 360 and Furbo Mini. This affects an unknown part of the component UART Interface. The manipulation results in information disclosure. An attack on the physical device is feasible. The exploit has been released to the public and may be exploited. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-30135 | 1 Hcltech | 1 Dryice Aex | 2025-10-30 | N/A | 3.3 LOW |
| HCL DRYiCE AEX is potentially impacted by disclosure of sensitive information in the mobile application when a snapshot is taken. | |||||
| CVE-2025-56161 | 1 Yiovo | 1 Firefly Mall | 2025-10-30 | N/A | 7.5 HIGH |
| YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic. | |||||
| CVE-2025-61481 | | | 2025-10-30 | N/A | 10.0 CRITICAL |
| An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by default, allowing an on-path attacker to execute injected JavaScript in the administrator’s browser and intercept credentials. | |||||
| CVE-2025-10535 | 1 Mozilla | 1 Firefox | 2025-10-30 | N/A | 7.5 HIGH |
| Information disclosure, mitigation bypass in the Privacy component in Firefox for Android. This vulnerability affects Firefox < 143. | |||||
| CVE-2021-25369 | 1 Samsung | 1 Android | 2025-10-30 | 2.1 LOW | 6.2 MEDIUM |
| An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace. | |||||
| CVE-2025-61482 | | | 2025-10-30 | N/A | 7.2 HIGH |
| Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two-factor authentication. By hooking into app crypto routines and intercepting decryption paths, the attacker can recover plaintext secrets, enabling generation of valid one-time passwords and bypassing authentication for enrolled accounts. | |||||
| CVE-2025-12297 | | | 2025-10-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was detected in atjiu pybbs up to 6.0.0. This affects an unknown function of the file UserApiController.java. The manipulation results in information disclosure. The attack may be launched remotely. The exploit is now public and may be used. | |||||
| CVE-2025-12363 | | | 2025-10-30 | N/A | N/A |
| Email password disclosure. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. | |||||
| CVE-2025-52268 | | | 2025-10-30 | N/A | 7.5 HIGH |
| StarCharge Artemis AC Charger 7-22 kW v1.0.4 was discovered to contain a hardcoded AES key which allows attackers to forge or decrypt valid login tokens. | |||||
| CVE-2025-60805 | | | 2025-10-30 | N/A | 7.5 HIGH |
| An issue was discovered in BESSystem BES Application Server through 9.5.x allowing unauthorized attackers to gain sensitive information via the "pre-resource" option in bes-web.xml. | |||||
| CVE-2025-60858 | | | 2025-10-30 | N/A | 7.5 HIGH |
| Reolink Video Doorbell Wi-Fi DB_566128M5MP_W stores and transmits DDNS credentials in plaintext within its configuration and update scripts, allowing attackers to intercept or extract sensitive information. | |||||
| CVE-2025-54548 | | | 2025-10-30 | N/A | 4.3 MEDIUM |
| On affected platforms, restricted users could view sensitive portions of the config database via a debug API (e.g., user password hashes). | |||||
| CVE-2025-11203 | | | 2025-10-30 | N/A | 3.5 LOW |
| LiteLLM Information health API_KEY Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LiteLLM. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the API_KEY parameter provided to the health endpoint. The issue results from exposing sensitive information to an unauthorized actor. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26585. | |||||
| CVE-2023-7320 | | | 2025-10-30 | N/A | 5.3 MEDIUM |
| The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information, including PII (personally identifiable information). | |||||
| CVE-2025-12147 | | | 2025-10-30 | N/A | N/A |
| In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are improperly enforced on object-valued fields. When an FLS exclusion rule (e.g., ~field) is applied to a field which contains an object as its value, the object is correctly removed from the _source returned by search operations. However, the object members (i.e., child attributes) remain accessible to search queries. This exposure allows adversaries to infer or reconstruct the original contents of the excluded object. Workaround: if you cannot upgrade immediately and FLS exclusion rules are used for object-valued attributes (like ~object), add an additional exclusion rule for the members of the object (like ~object.*). | |||||
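Triage helper for the CVE-2023-49103 (ownCloud graphapi) class of finding, where a phpinfo() page leaks the web server's environment. This is an added example, not ownCloud's code and not an exploit for the advisory's URL (which the entry does not give): it takes a response body you have already retrieved, fingerprints it as phpinfo() output, parses the name/value rows, and reports which settings look like credentials. The HTML sample and the variable names in it are constructed; the `class="e"` / `class="v"` row layout is what phpinfo() itself emits.

```python
import re
from html import unescape

# Names that usually denote credentials when they appear as environment
# variables or ini settings (the advisory's cases: admin password, mail
# server credentials, license key). Extend to taste.
SECRET_NAME_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|KEY|LICEN[CS]E|SMTP", re.I)

# phpinfo() emits every name/value pair as
#   <tr><td class="e">NAME</td><td class="v">VALUE</td></tr>
ROW_RE = re.compile(r'<tr>\s*<td class="e">(.*?)</td>\s*<td class="v">(.*?)</td>', re.S)
TAG_RE = re.compile(r"<[^>]+>")


def is_phpinfo(body: str) -> bool:
    """Fingerprint a response body as phpinfo() output."""
    return "phpinfo()" in body and ROW_RE.search(body) is not None


def extract_settings(body: str) -> dict:
    """Parse phpinfo HTML into {name: value}, tags stripped and entities decoded."""
    settings = {}
    for raw_name, raw_value in ROW_RE.findall(body):
        name = unescape(TAG_RE.sub("", raw_name)).strip()
        value = unescape(TAG_RE.sub("", raw_value)).strip()
        settings[name] = value
    return settings


def find_secrets(body: str) -> dict:
    """Return settings whose names look like credentials.

    Values are cut down to a three-character hint so the triage report does
    not itself become a second copy of the secret.
    """
    hits = {}
    for name, value in extract_settings(body).items():
        if not value or value == "no value":   # phpinfo's placeholder for unset
            continue
        if SECRET_NAME_RE.search(name):
            hits[name] = value[:3] + "..."
    return hits


# Constructed sample of a leaked phpinfo page; not captured from any real host.
SAMPLE_BODY = """<html><head><title>PHP 8.1.2 - phpinfo()</title></head><body>
<h2>Environment</h2><table>
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">OWNCLOUD_ADMIN_PASSWORD</td><td class="v">hunter2-but-longer</td></tr>
<tr><td class="e">OWNCLOUD_MAIL_SMTP_PASSWORD</td><td class="v">smtp-relay-pw</td></tr>
<tr><td class="e">OWNCLOUD_LICENSE_KEY</td><td class="v">eyJ-constructed</td></tr>
<tr><td class="e">DB_PASSWORD</td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">PATH</td><td class="v">/usr/local/bin:/usr/bin</td></tr>
<tr><td class="e">OWNCLOUD_DOMAIN</td><td class="v">files.example.internal</td></tr>
</table></body></html>"""

if __name__ == "__main__":
    if is_phpinfo(SAMPLE_BODY):
        for name, hint in find_secrets(SAMPLE_BODY).items():
            print(f"LEAKED {name} = {hint}")
```

Feed `find_secrets()` the body of the page you fetched during an authorised test; anything it reports should be rotated, since the advisory notes that merely disabling the app does not close the leak.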
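The CVE-2025-56161 (YOSHOP) entry describes an eagerly loaded relation serialised without an allow-list. The following is an added example in Python, not YOSHOP's ThinkPHP code: it shows the same failure mode (a comment payload dragging the whole related user record along) next to a recursive serialiser where every model must declare its visible fields and undeclared models fail closed. Model names, field names and the sample records are constructed to mirror the advisory.

```python
import json
from dataclasses import dataclass, asdict, is_dataclass


@dataclass
class User:
    user_id: int
    nickname: str
    password: str        # bcrypt hash
    mobile: str
    pay_money: float
    expend_money: float


@dataclass
class Comment:
    comment_id: int
    content: str
    score: int
    user: User           # eagerly loaded relation, as in the vulnerable model


# Vulnerable pattern: dump the whole object graph, relations included.
def serialize_unfiltered(comment: Comment) -> dict:
    return asdict(comment)


# Hardened pattern: each model declares what is visible; everything else,
# including fields of nested relations, never reaches the response.
VISIBLE_FIELDS = {
    Comment: ("comment_id", "content", "score", "user"),
    User: ("user_id", "nickname"),
}


def serialize(obj):
    """Recursive allow-list serialiser; raises for models without an allow-list."""
    if is_dataclass(obj) and not isinstance(obj, type):
        try:
            names = VISIBLE_FIELDS[type(obj)]
        except KeyError:
            raise TypeError(f"{type(obj).__name__} has no visible-field allow-list")
        return {name: serialize(getattr(obj, name)) for name in names}
    if isinstance(obj, (list, tuple)):
        return [serialize(item) for item in obj]
    return obj


SENSITIVE = ("password", "mobile", "pay_money", "expend_money")


def leaked_fields(payload, sensitive=SENSITIVE) -> set:
    """Walk a JSON-like payload and report sensitive keys found at any depth."""
    found, stack = set(), [payload]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            found.update(k for k in node if k in sensitive)
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return found


# Constructed sample data, not taken from any real deployment.
SAMPLE_USER = User(7, "alice", "$2y$10$constructedbcrypthash", "13800000000", 12.5, 99.0)
SAMPLE_COMMENTS = [
    Comment(1, "Fast shipping", 5, SAMPLE_USER),
    Comment(2, "Box was dented", 3, SAMPLE_USER),
]

if __name__ == "__main__":
    print(json.dumps(serialize_unfiltered(SAMPLE_COMMENTS[0]), indent=1))  # leaks
    print(json.dumps(serialize(SAMPLE_COMMENTS), indent=1))                # filtered
```

`leaked_fields()` doubles as a cheap response-side check: run it over JSON from any list endpoint that joins user data and it will flag the hash or phone number wherever it is nested.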
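The CVE-2025-12147 (Search Guard FLX) entry gives a concrete workaround: pair every `~object` exclusion with `~object.*`. The following added example, not Search Guard's code, applies that rewrite to a roles document laid out like `sg_roles.yml` (role, `index_permissions`, `fls`) and includes a deliberately simplified model of the defect in which exclusion rules are matched against the queried field name, so `~payment` blocks `payment` but not `payment.card` until the child pattern is added. The role name, index pattern and document in the sample are constructed; how Search Guard matches rules internally is not on the page, so treat `field_queryable()` as an illustration of the described behaviour rather than the product's logic.

```python
import copy
from fnmatch import fnmatchcase


def harden_fls(rules):
    """For every exclusion '~field' add '~field.*' (the vendor's workaround),
    so the children of an object-valued field are excluded as well."""
    hardened = list(rules)
    for rule in rules:
        if rule.startswith("~") and not rule.endswith("*"):
            child_rule = rule + ".*"
            if child_rule not in hardened:
                hardened.append(child_rule)
    return hardened


def harden_roles(roles: dict) -> dict:
    """Apply harden_fls to the fls list of every index_permissions entry.

    Layout assumed: role -> index_permissions -> [{index_patterns, fls, ...}],
    as in sg_roles.yml. Returns a new dict; the input is left untouched.
    """
    out = copy.deepcopy(roles)
    for role in out.values():
        for perm in role.get("index_permissions", []):
            if "fls" in perm:
                perm["fls"] = harden_fls(perm["fls"])
    return out


def field_queryable(field: str, rules) -> bool:
    """Simplified model of the defect: exclusions match the *queried* name only."""
    for rule in rules:
        if rule.startswith("~") and fnmatchcase(field, rule[1:]):
            return False
    return True


def filter_source(doc: dict, rules) -> dict:
    """Source-side FLS, which the advisory says works: drop excluded top-level fields."""
    return {k: v for k, v in doc.items() if field_queryable(k, rules)}


# Constructed roles document and document, not from any real cluster.
SAMPLE_ROLES = {
    "sg_support_readonly": {
        "index_permissions": [
            {"index_patterns": ["customers*"], "allowed_actions": ["SGS_READ"],
             "fls": ["~payment", "~ssn"]},
        ]
    }
}
SAMPLE_DOC = {"name": "alice", "payment": {"card": "4111-constructed", "exp": "12/29"}}

if __name__ == "__main__":
    weak = SAMPLE_ROLES["sg_support_readonly"]["index_permissions"][0]["fls"]
    print("source with weak rules   :", filter_source(SAMPLE_DOC, weak))
    print("payment.card queryable   :", field_queryable("payment.card", weak))
    fixed = harden_roles(SAMPLE_ROLES)["sg_support_readonly"]["index_permissions"][0]["fls"]
    print("hardened fls list        :", fixed)
    print("payment.card queryable   :", field_queryable("payment.card", fixed))
```

Run `harden_roles()` over your parsed roles file before pushing it with `sgctl`; the output is the same document with only the `fls` lists extended, so a diff against the original shows exactly which child patterns were added.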
