Search Results (10714 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-8448 1 Schneider-electric 2 Ecostruxure Building Operation Enterprise Server, Ecostruxure Workstation 2026-04-15 N/A
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products.
CVE-2025-8866 1 Yugabyte 1 Yugabytedb 2026-04-15 5.3 Medium
YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records.
CVE-2025-23074 2026-04-15 2.4 Low
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - SocialProfile Extension allows Functionality Misuse.This issue affects Mediawiki - SocialProfile Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
CVE-2025-7919 2026-04-15 6.5 Medium
WinMatrix3 Web package developed by Simopro Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2025-6984 1 Langchain-ai 1 Langchain 2026-04-15 N/A
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd.
CVE-2024-2795 2 Looswebstudio, Wordpress 2 Seo Simple Pack, Wordpress 2026-04-15 5.3 Medium
The SEO SIMPLE PACK plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.1 via META description. This makes it possible for unauthenticated attackers to extract limited information about password protected posts.
CVE-2024-3870 1 Arshidkv12 1 Contact Form Addon 2026-04-15 5.3 Medium
The Contact Form 7 Database Addon – CFDB7 plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.2.6.8 via the cfdb7_before_send_mail function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users.
CVE-2024-11295 2 Pluginsandsnippets, Wordpress 2 Simple Page Access Restriction, Wordpress 2026-04-15 5.3 Medium
The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.29 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.
CVE-2024-40633 1 Sylius 1 Sylius 2026-04-15 5.3 Medium
Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. The issue is fixed in versions: 1.12.19, 1.13.4 and above. The `/api/v2/shop/adjustments/{id}` will always return `404` status. Users are advised to upgrade. Users unable to upgrade may alter their config to mitigate this issue. Please see the linked GHSA for details.
CVE-2024-42049 1 Tightvnc 1 Tightvnc 2026-04-15 9.1 Critical
TightVNC (Server for Windows) before 2.8.84 allows attackers to connect to the control pipe via a network connection.
CVE-2024-6557 1 Wpdeveloper 1 Schedulepress 2026-04-15 5.3 Medium
The SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 5.1.3. This is due the plugin utilizing the wpdeveloper library and leaving the demo files in place with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
CVE-2024-6646 1 Netgear 1 Wn604 2026-04-15 5.3 Medium
A vulnerability was found in Netgear WN604 up to 20240710. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /downloadFile.php of the component Web Interface. The manipulation of the argument file with the input config leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-271052. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-32754 2026-04-15 3.1 Low
Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version. Once configured, the controller will no longer broadcast this information.
CVE-2025-11998 1 Hp 1 Card Readers B Model 2026-04-15 N/A
The following HP Card Readers B Models (X3D03B & Y7C05B) are potentially vulnerable to information disclosure, allowing prior user identity to be inherited under certain conditions —e.g., when an NFC device (such as a smartphone/smartwatches) is in proximity during a card swipe event.
CVE-2025-23073 2026-04-15 3.5 Low
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data. This issue briefly impacted the master branch of MediaWiki’s GlobalBlocking Extension.
CVE-2025-9036 1 Rockwellautomation 1 Factorytalk Action Manager 2026-04-15 N/A
A security issue in the runtime event system allows unauthenticated connections to receive a reusable API token. This token is broadcasted over a WebSocket and can be intercepted by any local client listening on the connection.
CVE-2024-44082 1 Redhat 3 Openshift, Openshift Ironic, Openstack 2026-04-15 4.3 Medium
In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13.1, there is a vulnerability in image processing, in which a crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including possible unauthorized access to potentially sensitive data. The affected/fixed version details are: Ironic: <21.4.3, >=22.0.0 <23.0.2, >=23.1.0 <24.1.2, >=25.0.0 <26.0.1; Ironic-python-agent: <9.4.2, >=9.5.0 <9.7.1, >=9.8.0 <9.11.1, >=9.12.0 <9.13.1.
CVE-2025-56406 2 Neo4j, Neo4j-contrib 2 Neo4j, Mcp-neo4j 2026-04-15 7.5 High
An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication is not mandatory for MCP servers, and the mcp-neo4j MCP server is only intended for use in a local environment where authentication realistically would not be needed. Also, the Supplier provides middleware to help isolate the MCP server from external access (if needed).
CVE-2024-41696 2026-04-15 7.5 High
Priority PRI WEB Portal Add-On for Priority ERP on prem - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-3928 2026-04-15 4.3 Medium
A vulnerability was found in Dromara open-capacity-platform 2.0.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /actuator/heapdump of the component auth-server. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-261367.