Total
8367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-34098 | 2025-07-15 | N/A | N/A | ||
| A path traversal vulnerability exists in Riverbed SteelHead VCX appliances (confirmed in VCX255U 9.6.0a) due to improper input validation in the log filtering functionality exposed via the management web interface. An authenticated attacker can exploit this flaw by submitting crafted filter expressions to the log_filter endpoint using the filterStr parameter. This input is processed by a backend parser that permits execution of file expansion syntax, allowing the attacker to retrieve arbitrary system files via the log viewing interface. | |||||
| CVE-2025-6745 | 2025-07-15 | N/A | 5.3 MEDIUM | ||
| The WoodMart plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.2.5 via the woodmart_get_posts_by_query() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | |||||
| CVE-2025-4593 | 2025-07-15 | N/A | 6.5 MEDIUM | ||
| The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'rp_user_data' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from user meta like hashed passwords, usernames, and more. | |||||
| CVE-2025-7573 | 2025-07-15 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability, which was classified as critical, has been found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. This issue affects the function bs_GetManPwd in the library libblinkapi.so of the file /cgi-bin/lighttpd.cgi. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-7572 | 2025-07-15 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability classified as critical was found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. This vulnerability affects the function bs_GetHostInfo in the library libblinkapi.so of the file /cgi-bin/lighttpd.cgi. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-6432 | 1 Mozilla | 1 Firefox | 2025-07-14 | N/A | 8.6 HIGH |
| When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding. This vulnerability affects Firefox < 140 and Thunderbird < 140. | |||||
| CVE-2025-30474 | 1 Apache | 1 Commons Vfs | 2025-07-14 | N/A | 5.0 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue. | |||||
| CVE-2025-47980 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-07-14 | N/A | 6.2 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Windows Imaging Component allows an unauthorized attacker to disclose information locally. | |||||
| CVE-2024-25591 | 1 Benjaminrojas | 1 Wp Editor | 2025-07-11 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Benjamin Rojas WP Editor.This issue affects WP Editor: from n/a through 1.2.7. | |||||
| CVE-2024-38290 | 1 Extremenetworks | 1 Xiq-se | 2025-07-11 | N/A | 5.3 MEDIUM |
| In XIQ-SE before 24.2.11, a server misconfiguration may allow user enumeration when specific conditions are met. | |||||
| CVE-2025-26795 | 1 Apache | 1 Iotdb | 2025-07-11 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue. | |||||
| CVE-2025-20221 | 1 Cisco | 1 Ios Xe | 2025-07-11 | N/A | 5.3 MEDIUM |
| A vulnerability in the packet filtering features of Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to bypass Layer 3 and Layer 4 traffic filters. This vulnerability is due to improper traffic filtering conditions on an affected device. An attacker could exploit this vulnerability by sending a crafted packet to the affected device. A successful exploit could allow the attacker to bypass the Layer 3 and Layer 4 traffic filters and inject a crafted packet into the network. | |||||
| CVE-2024-10084 | 1 Sevenspark | 1 Contact Form 7 - Dynamic Text Extension | 2025-07-11 | N/A | 4.3 MEDIUM |
| The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Basic Information Disclosure in all versions up to, and including, 4.5 via the CF7_get_post_var shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract the titles and text contents of private and password-protected posts, they do not own. | |||||
| CVE-2018-9379 | 1 Google | 1 Android | 2025-07-10 | N/A | 5.5 MEDIUM |
| In multiple functions of MiniThumbFile.java, there is a possible way to view the thumbnails of deleted photos due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2018-9384 | 1 Google | 1 Android | 2025-07-10 | N/A | 4.4 MEDIUM |
| In multiple locations, there is a possible way to bypass KASLR due to an unusual root cause. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-27736 | 1 Microsoft | 12 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 9 more | 2025-07-10 | N/A | 5.5 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Windows Power Dependency Coordinator allows an authorized attacker to disclose information locally. | |||||
| CVE-2024-13451 | 1 Bitapps | 1 Bit Form | 2025-07-10 | N/A | 5.3 MEDIUM |
| The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.17.4 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form. The vulnerability was partially patched in version 2.17.5. | |||||
| CVE-2025-29805 | 1 Microsoft | 1 Outlook | 2025-07-10 | N/A | 7.5 HIGH |
| Exposure of sensitive information to an unauthorized actor in Outlook for Android allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2024-39925 | 1 Dani-garcia | 1 Vaultwarden | 2025-07-10 | N/A | 6.5 MEDIUM |
| An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs. Consequently, the departing member, whose access should be revoked, retains a copy of the organization key. Additionally, the application fails to adequately protect some encrypted data stored on the server. Consequently, an authenticated user could gain unauthorized access to encrypted data of any organization, even if the user is not a member of the targeted organization. However, the user would need to know the corresponding organizationId. Hence, if a user (whose access to an organization has been revoked) already possesses the organization key, that user could use the key to decrypt the leaked data. | |||||
| CVE-2025-53624 | 2025-07-10 | N/A | 10.0 CRITICAL | ||
| The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0. | |||||