Total
9601 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-20611 | 2025-05-16 | 4.7 Medium | ||
| Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via local access. | ||||
| CVE-2025-25370 | 2025-05-16 | 4.6 Medium | ||
| An issue in realme GT 2 (RMX3311) running Android 14 with realme UI 5.0 allows a physically proximate attacker to obtain sensitive information via the show app only setting function. | ||||
| CVE-2024-42179 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | 2 Low |
| HCL MyXalytics is affected by sensitive information disclosure vulnerability. The HTTP response header exposes the Microsoft-HTTP API∕2.0 as the server's name & version. | ||||
| CVE-2024-25839 | 1 Webbax | 1 Super Newsletter | 2025-05-15 | 7.5 High |
| An issue was discovered in Webbax "Super Newsletter" (supernewsletter) module for PrestaShop versions 1.4.21 and before, allows local attackers to escalate privileges and obtain sensitive information. | ||||
| CVE-2024-20904 | 1 Oracle | 1 Business Intelligence | 2025-05-15 | 5 Medium |
| Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Pod Admin). Supported versions that are affected are 6.4.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. While the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 5.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N). | ||||
| CVE-2024-1404 | 1 Linksys | 2 Wrt54gl, Wrt54gl Firmware | 2025-05-15 | 4.3 Medium |
| A vulnerability was found in Linksys WRT54GL 4.30.18 and classified as problematic. Affected by this issue is some unknown functionality of the file /SysInfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-253328. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-1405 | 1 Linksys | 2 Wrt54gl, Wrt54gl Firmware | 2025-05-15 | 4.3 Medium |
| A vulnerability was found in Linksys WRT54GL 4.30.18. It has been classified as problematic. This affects an unknown part of the file /wlaninfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier VDB-253329 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-21626 | 3 Fedoraproject, Linuxfoundation, Redhat | 10 Fedora, Runc, Enterprise Linux and 7 more | 2025-05-15 | 8.6 High |
| runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. | ||||
| CVE-2022-33919 | 1 Dell | 1 Geodrive | 2025-05-15 | 7.8 High |
| Dell GeoDrive, versions 2.1 - 2.2, contains an information disclosure vulnerability in GUI. An authenticated non-admin user could potentially exploit this vulnerability and view sensitive information. | ||||
| CVE-2024-23206 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2025-05-15 | 6.5 Medium |
| An access issue was addressed with improved access restrictions. This issue is fixed in watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3. A maliciously crafted webpage may be able to fingerprint the user. | ||||
| CVE-2022-38689 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-05-15 | 5.5 Medium |
| In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | ||||
| CVE-2022-38688 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-05-15 | 5.5 Medium |
| In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | ||||
| CVE-2022-32931 | 1 Apple | 1 Macos | 2025-05-15 | 5.5 Medium |
| This issue was addressed with improved data protection. This issue is fixed in macOS Ventura 13. An app with root privileges may be able to access private information. | ||||
| CVE-2025-30202 | 1 Vllm | 1 Vllm | 2025-05-14 | 7.5 High |
| vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.5.2 and prior to 0.8.5 are vulnerable to denial of service and data exposure via ZeroMQ on multi-node vLLM deployment. In a multi-node vLLM deployment, vLLM uses ZeroMQ for some multi-node communication purposes. The primary vLLM host opens an XPUB ZeroMQ socket and binds it to ALL interfaces. While the socket is always opened for a multi-node deployment, it is only used when doing tensor parallelism across multiple hosts. Any client with network access to this host can connect to this XPUB socket unless its port is blocked by a firewall. Once connected, these arbitrary clients will receive all of the same data broadcasted to all of the secondary vLLM hosts. This data is internal vLLM state information that is not useful to an attacker. By potentially connecting to this socket many times and not reading data published to them, an attacker can also cause a denial of service by slowing down or potentially blocking the publisher. This issue has been patched in version 0.8.5. | ||||
| CVE-2024-29400 | 1 Ruoyi | 1 Ruoyi | 2025-05-14 | 7.5 High |
| An issue was discovered in RuoYi v4.5.1, allows attackers to obtain sensitive information via the status parameter. | ||||
| CVE-2025-24899 | 1 Yogeshojha | 1 Rengine | 2025-05-13 | 7.5 High |
| reNgine is an automated reconnaissance framework for web applications. A vulnerability was discovered in reNgine, where **an insider attacker with any role** (such as Auditor, Penetration Tester, or Sys Admin) **can extract sensitive information from other reNgine users.** After running a scan and obtaining vulnerabilities from a target, the attacker can retrieve details such as `username`, `password`, `email`, `role`, `first name`, `last name`, `status`, and `activity information` by making a GET request to `/api/listVulnerability/`. This issue has been addressed in version 2.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-4222 | 2025-05-13 | 5.9 Medium | ||
| The Database Toolset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.4 via backup files stored in a publicly accessible location. This makes it possible for unauthenticated attackers to extract sensitive data from database backup files. An index file is present, so a brute force attack would need to be successful in order to compromise any data. | ||||
| CVE-2025-25945 | 1 Axiosys | 1 Bento4 | 2025-05-13 | 6.5 Medium |
| An issue in Bento4 v1.6.0-641 allows an attacker to obtain sensitive information via the the Mp4Fragment.cpp and in AP4_DescriptorFactory::CreateDescriptorFromStream at Ap4DescriptorFactory.cpp. | ||||
| CVE-2025-25942 | 1 Axiosys | 1 Bento4 | 2025-05-13 | 6.5 Medium |
| An issue in Bento4 v1.6.0-641 allows an attacker to obtain sensitive information via the the mp4fragment tool when processing invalid files. Specifically, memory allocated in SampleArray::SampleArray in Mp4Fragment.cpp is not properly released. | ||||
| CVE-2023-35750 | 1 Dlink | 2 Dap-2622, Dap-2622 Firmware | 2025-05-13 | 6.5 Medium |
| D-Link DAP-2622 DDP Get SSID List WPA PSK Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-2622 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DDP service. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. . Was ZDI-CAN-20078. | ||||