Total
122 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-47775 | 1 Bullfrogsec | 1 Bullfrog | 2025-07-11 | N/A | 6.2 MEDIUM |
| Bullfrog is a GithHb Action to block unauthorized outbound traffic in GitHub workflows. Prior to version 0.8.4, using tcp breaks blocking and allows DNS exfiltration. This can result in sandbox bypass. Version 0.8.4 fixes the issue. | |||||
| CVE-2024-50378 | 1 Apache | 1 Airflow | 2025-07-10 | N/A | 4.9 MEDIUM |
| Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table. | |||||
| CVE-2025-7204 | 2025-07-10 | N/A | 6.5 MEDIUM | ||
| In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sensitive user information. Specific API requests were found to return an overly verbose user object, which included encrypted password hashes for other users. Authenticated users could then retrieve these hashes. An attacker or privileged user could then use these exposed hashes to conduct offline brute-force or dictionary attacks. Such attacks could lead to credential compromise, allowing unauthorized access to accounts, and potentially privilege escalation within the system. | |||||
| CVE-2025-48261 | 1 Multivendorx | 1 Multivendorx | 2025-07-02 | N/A | 7.5 HIGH |
| Insertion of Sensitive Information Into Sent Data vulnerability in MultiVendorX MultiVendorX allows Retrieve Embedded Sensitive Data. This issue affects MultiVendorX: from n/a through 4.2.22. | |||||
| CVE-2025-48934 | 1 Deno | 1 Deno | 2025-07-02 | N/A | 5.3 MEDIUM |
| Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any variables listed in the `--deny-env` option of the `deno run` command. When looking at the documentation of the `--deny-env` option this might lead to a false impression that variables listed in the option are impossible to read. Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable to malicious code trying to steal secrets using the `Deno.env.toObject()` method. Versions 2.1.13 and 2.2.13 contains a patch. | |||||
| CVE-2025-53309 | 2025-06-30 | N/A | 5.3 MEDIUM | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in ZealousWeb Accept Stripe Payments Using Contact Form 7 allows Retrieve Embedded Sensitive Data. This issue affects Accept Stripe Payments Using Contact Form 7: from n/a through 3.0. | |||||
| CVE-2025-53322 | 2025-06-30 | N/A | 5.3 MEDIUM | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in ZealousWeb Accept Authorize.NET Payments Using Contact Form 7 allows Retrieve Embedded Sensitive Data. This issue affects Accept Authorize.NET Payments Using Contact Form 7: from n/a through 2.5. | |||||
| CVE-2025-48749 | 1 Netwrix | 1 Directory Manager | 2025-06-18 | N/A | 9.1 CRITICAL |
| Netwrix Directory Manager (formerly Imanami GroupID) v11.0.0.0 and before & after v.11.1.25134.03 inserts Sensitive Information into Sent Data. | |||||
| CVE-2025-49584 | 2025-06-16 | N/A | N/A | ||
| XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page. | |||||
| CVE-2025-31134 | 1 Freshrss | 1 Freshrss | 2025-06-10 | N/A | 7.5 HIGH |
| FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server and potentially use that information to further attack the server. Version 1.26.2 contains a patch for the issue. | |||||
| CVE-2025-5733 | 2025-06-06 | N/A | 5.3 MEDIUM | ||
| The Modern Events Calendar Lite plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 7.21.9. This is due improper or insufficient validation of the id property when exporting calendars. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | |||||
| CVE-2025-49294 | 2025-06-06 | N/A | 5.3 MEDIUM | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in CodeRevolution Crawlomatic Multisite Scraper Post Generator allows Retrieve Embedded Sensitive Data. This issue affects Crawlomatic Multisite Scraper Post Generator: from n/a through 2.6.8.2. | |||||
| CVE-2024-13254 | 1 Rest Views Project | 1 Rest Views | 2025-06-04 | N/A | 7.5 HIGH |
| Insertion of Sensitive Information Into Sent Data vulnerability in Drupal REST Views allows Forceful Browsing.This issue affects REST Views: from 0.0.0 before 3.0.1. | |||||
| CVE-2024-13259 | 1 Image Sizes Project | 1 Image Sizes | 2025-06-04 | N/A | 7.5 HIGH |
| Insertion of Sensitive Information Into Sent Data vulnerability in Drupal Image Sizes allows Forceful Browsing.This issue affects Image Sizes: from 0.0.0 before 3.0.2. | |||||
| CVE-2025-48996 | 2025-06-04 | N/A | 5.3 MEDIUM | ||
| HAX open-apis provides microservice apis for HAX webcomponents repo that are shared infrastructure calls. An unauthenticated information disclosure vulnerability exists in the Penn State University deployment of the HAX content management system via the `haxPsuUsage` API endpoint, related to a flat present in open-apis versions up to and including 10.0.2. This allows any remote unauthenticated user to retrieve a full list of PSU websites hosted on HAX CMS. When chained with other authorization issues (e.g., HAX-3), this could assist in targeted attacks such as unauthorized content modification or deletion. Commit 06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7 patches the vulnerability. | |||||
| CVE-2025-48381 | 2025-05-30 | N/A | N/A | ||
| Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. In versions starting from 2.4.0 to before 2.38.0, an authenticated CVAT user may be able to retrieve the IDs and names of all tasks, projects, labels, and the IDs of all jobs and quality reports on the CVAT instance. In addition, if the instance contains many resources of a particular type, retrieving this information may tie up system resources, denying access to legitimate users. This issue has been patched in version 2.38.0. | |||||
| CVE-2025-48331 | 2025-05-30 | N/A | 7.5 HIGH | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in Vanquish WooCommerce Orders & Customers Exporter allows Retrieve Embedded Sensitive Data.This issue affects WooCommerce Orders & Customers Exporter: from n/a through 5.0. | |||||
| CVE-2025-48045 | 2025-05-29 | N/A | N/A | ||
| An unauthenticated HTTP GET request to the /client.php endpoint will disclose the default administrator user credentials. | |||||
| CVE-2025-39498 | 2025-05-28 | N/A | 5.3 MEDIUM | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in Spotlight Spotlight - Social Media Feeds (Premium) allows Retrieve Embedded Sensitive Data.This issue affects Spotlight - Social Media Feeds (Premium): from n/a through 1.7.1. | |||||
| CVE-2025-47541 | 2025-05-23 | N/A | 7.5 HIGH | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in WPFunnels Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a through 1.17.7. | |||||