Total
9490 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13451 | 1 Bitapps | 1 Bit Form | 2025-07-10 | 5.3 Medium |
| The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.17.4 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form. The vulnerability was partially patched in version 2.17.5. | ||||
| CVE-2025-53624 | 2025-07-10 | 10 Critical | ||
| The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0. | ||||
| CVE-2025-29805 | 1 Microsoft | 1 Outlook | 2025-07-10 | 7.5 High |
| Exposure of sensitive information to an unauthorized actor in Outlook for Android allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2024-39925 | 2 Dani-garcia, Vaultwarden | 2 Vaultwarden, Vaultwarden | 2025-07-10 | 6.5 Medium |
| An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs. Consequently, the departing member, whose access should be revoked, retains a copy of the organization key. Additionally, the application fails to adequately protect some encrypted data stored on the server. Consequently, an authenticated user could gain unauthorized access to encrypted data of any organization, even if the user is not a member of the targeted organization. However, the user would need to know the corresponding organizationId. Hence, if a user (whose access to an organization has been revoked) already possesses the organization key, that user could use the key to decrypt the leaked data. | ||||
| CVE-2025-48808 | 2025-07-10 | 5.5 Medium | ||
| Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-47980 | 2025-07-10 | 6.2 Medium | ||
| Exposure of sensitive information to an unauthorized actor in Windows Imaging Component allows an unauthorized attacker to disclose information locally. | ||||
| CVE-2025-53512 | 2025-07-10 | 6.5 Medium | ||
| The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information. | ||||
| CVE-2025-49671 | 2025-07-10 | 6.5 Medium | ||
| Exposure of sensitive information to an unauthorized actor in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2025-49664 | 2025-07-10 | 5.5 Medium | ||
| Exposure of sensitive information to an unauthorized actor in Windows User-Mode Driver Framework Host allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-34084 | 2025-07-10 | N/A | ||
| An unauthenticated information disclosure vulnerability exists in the WordPress Total Upkeep plugin (also known as BoldGrid Backup) prior to version 1.14.10. The plugin exposes multiple endpoints that allow unauthenticated users to retrieve detailed server configuration (env-info.php) and discover backup metadata (restore-info.json). These backups, which may include full SQL database dumps, are accessible without authentication if their paths are known or guessed. The restore-info.json endpoint discloses the absolute filesystem path of the latest backup, which attackers can convert into a web-accessible URL under wp-content/uploads/ and download. Extracting the database archive may yield credential hashes from the wp_users table, facilitating offline password cracking or credential stuffing attacks. | ||||
| CVE-2024-27905 | 2 Apache, Apache Software Foundation | 2 Aurora, Apache Aurora | 2025-07-10 | 9.1 Critical |
| ** UNSUPPORTED WHEN ASSIGNED ** Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora. An endpoint exposing internals to unauthenticated users can be used as a "padding oracle" allowing an anonymous attacker to construct a valid authentication cookie. Potentially this could be combined with vulnerabilities in other components to achieve remote code execution. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-34031 | 1 Geoffrowland | 1 Jmol | 2025-07-09 | 7.5 High |
| A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. | ||||
| CVE-2025-4798 | 1 Wp-downloadmanager Project | 1 Wp-downloadmanager | 2025-07-09 | 4.9 Medium |
| The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files. | ||||
| CVE-2025-47969 | 1 Microsoft | 4 Windows 11 22h2, Windows 11 23h2, Windows 11 24h2 and 1 more | 2025-07-09 | 4.4 Medium |
| Exposure of sensitive information to an unauthorized actor in Windows Hello allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-26667 | 1 Microsoft | 7 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 4 more | 2025-07-09 | 6.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2019-5418 | 5 Debian, Fedoraproject, Opensuse and 2 more | 8 Debian Linux, Fedora, Leap and 5 more | 2025-07-09 | 7.5 High |
| There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed. | ||||
| CVE-2024-6448 | 1 Mollie | 1 Mollie Payments For Woocommerce | 2025-07-09 | 5.3 Medium |
| The Mollie Payments for WooCommerce plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 7.7.0. This is due to the error reporting being enabled by default in multiple plugin files. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use. | ||||
| CVE-2023-36908 | 1 Microsoft | 12 Windows 10, Windows 10 1607, Windows 10 1809 and 9 more | 2025-07-09 | 6.5 Medium |
| Windows Hyper-V Information Disclosure Vulnerability | ||||
| CVE-2025-49741 | 1 Microsoft | 1 Edge Chromium | 2025-07-08 | 7.4 High |
| No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2024-37325 | 1 Microsoft | 1 Azure Data Science Virtual Machine | 2025-07-08 | 8.1 High |
| Azure Science Virtual Machine (DSVM) Elevation of Privilege Vulnerability | ||||