Total
9815 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-9843 | 1 Das | 1 Parking Management System | 2025-10-20 | 5.3 Medium |
| A flaw has been found in Das Parking Management System 停车场管理系统 6.2.0. Affected is an unknown function of the file /Operator/FindAll. This manipulation causes information disclosure. It is possible to initiate the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2025-61589 | 2 Anysphere, Cursor | 2 Cursor, Cursor | 2025-10-20 | 5.9 Medium |
| Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker controlled server through an image fetch after successfully performing a prompt injection. A malicious model (or hallucination/backdoor) might also trigger this exploit at will. This issue requires prompt injection from malicious data (web, image upload, source code) in order to exploit. In that case, it can send sensitive information to an attacker-controlled external server. Some additional bypasses not covered in the initial fix to this issue were discovered, see GHSA-43wj-mwcc-x93p. This issue is fixed in version 1.7. | ||||
| CVE-2022-35715 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-10-20 | 7.5 High |
| IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in a stack trace. This information could be used in further attacks against the system. IBM X-Force ID: 231202. | ||||
| CVE-2024-35189 | 1 Ethyca | 1 Fides | 2025-10-20 | 6.5 Medium |
| Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `"**********"` placeholder value. This vulnerability is due to a bug in that function, which prevented `sensitive` API model fields that were _nested_ below the root-level of a `secrets` object from being masked appropriately. Only the `BigQuery` connection configuration secrets meets these criteria: the secrets schema has a nested sensitive `keyfile_creds.private_key` property that is exposed in plaintext via the APIs. Connection types other than `BigQuery` with sensitive fields at the root-level that are not nested are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-8484 | 1 Wordpress | 1 Wordpress | 2025-10-20 | 5.3 Medium |
| The Code Quality Control Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in version 0.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. | ||||
| CVE-2025-61688 | 1 Siderolabs | 1 Omni | 2025-10-20 | 8.6 High |
| Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, Omni might leak sensitive information via an API. | ||||
| CVE-2024-36829 | 1 Teldat | 2 M1, M1 Firmware | 2025-10-20 | 7.5 High |
| Incorrect access control in Teldat M1 v11.00.05.50.01 allows attackers to obtain sensitive information via a crafted query string. | ||||
| CVE-2025-11196 | 1 Wordpress | 1 Wordpress | 2025-10-20 | 4.3 Medium |
| The External Login plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.11.2 due to the 'exlog_test_connection' AJAX action lacking capability checks or nonce validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to query the configured external database and retrieve truncated usernames, email addresses, and password hashes via the diagnostic test results view. | ||||
| CVE-2025-57441 | 2 Blackmagic, Blackmagicdesign | 3 Atem Mini Pro, Atem Mini Pro, Atem Mini Pro Firmware | 2025-10-17 | 9.8 Critical |
| The Blackmagic ATEM Mini Pro 2.7 exposes sensitive device and stream configuration information via an unauthenticated Telnet service on port 9990. Upon connection, the attacker can access a protocol preamble that leaks the video mode, routing configuration, input/output labels, device model, and even internal identifiers such as the unique ID. This can be used for reconnaissance and planning further attacks. | ||||
| CVE-2025-55976 | 1 Intelbras | 2 Iwr 3000n, Iwr 3000n Firmware | 2025-10-17 | 8.4 High |
| Intelbras IWR 3000N 1.9.8 exposes the Wi-Fi password in plaintext via the /api/wireless endpoint. Any unauthenticated user on the local network can directly obtain the Wi-Fi network password by querying this endpoint. | ||||
| CVE-2025-23073 | 2025-10-16 | 3.5 Low | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data. This issue briefly impacted the master branch of MediaWiki’s GlobalBlocking Extension. | ||||
| CVE-2025-8868 | 2 Chef, Linux | 4 Automate, Chef, Linux and 1 more | 2025-10-16 | 9.8 Critical |
| In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token. | ||||
| CVE-2025-59921 | 1 Fortinet | 1 Fortiadc | 2025-10-16 | 6.2 Medium |
| An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in Fortinet FortiADC version 7.4.0, version 7.2.3 and below, version 7.1.4 and below, 7.0 all versions, 6.2 all versions may allow an authenticated attacker to obtain sensitive data via crafted HTTP or HTTPs requests. | ||||
| CVE-2024-2725 | 2 Atisoluciones, Ciges | 2 Ciges, Cigesv2 | 2025-10-15 | 7.5 High |
| Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application. | ||||
| CVE-2024-2728 | 2 Atisoluciones, Ciges | 2 Ciges, Cigesv2 | 2025-10-15 | 4.1 Medium |
| Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol. | ||||
| CVE-2024-5133 | 1 Lunary | 1 Lunary | 2025-10-15 | 8.1 High |
| In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the `GET /v1/users/me/org` endpoint, which lists all users in a team. This allows any authenticated user to capture the recovery token of another user and subsequently change that user's password without consent, effectively taking over the account. The issue lies in the inclusion of the `recovery_token` attribute in the users object returned by the API. | ||||
| CVE-2024-38030 | 1 Microsoft | 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more | 2025-10-14 | 6.5 Medium |
| Windows Themes Spoofing Vulnerability | ||||
| CVE-2024-38020 | 1 Microsoft | 4 365 Apps, Office, Office Long Term Servicing Channel and 1 more | 2025-10-14 | 6.5 Medium |
| Microsoft Outlook Spoofing Vulnerability | ||||
| CVE-2024-38017 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2025-10-14 | 5.5 Medium |
| Microsoft Message Queuing Information Disclosure Vulnerability | ||||
| CVE-2024-38041 | 1 Microsoft | 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more | 2025-10-14 | 5.5 Medium |
| Windows Kernel Information Disclosure Vulnerability | ||||