Export limit exceeded: 10641 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10641 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6552 | 1 Tms-outsource | 1 Amelia | 2026-04-15 | 5.3 Medium |
| The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2. This is due to the plugin utilizing Symfony and leaving display_errors on within test files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | ||||
| CVE-2024-13498 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form. | ||||
| CVE-2025-55052 | 2026-04-15 | 4.3 Medium | ||
| CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | ||||
| CVE-2025-12147 | 1 Search-guard | 1 Search Guard | 2026-04-15 | N/A |
| In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are improperly enforced on object-valued fields. When an FLS exclusion rule (e.g., ~field) is applied to a field which contains an object as its value, the object is correctly removed from the _source returned by search operations. However, the object members (i.e., child attributes) remain accessible to search queries. This exposure allows adversaries to infer or reconstruct the original contents of the excluded object. Workaround - If you cannot upgrade immediately and FLS exclusion rules are used for object valued attributes (like ~object), add an additional exclusion rule for the members of the object (like ~object.*). | ||||
| CVE-2021-44534 | 2026-04-15 | 6.5 Medium | ||
| Insufficient user input filtering leads to arbitrary file read by non-authenticated attacker, which results in sensitive information disclosure. | ||||
| CVE-2025-32958 | 2026-04-15 | 9.8 Critical | ||
| Adept is a language for general purpose programming. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the Github API to push malicious code or rewrite release commits in the AdeptLanguage/Adept repository. This issue has been patched in commit a1a41b7. | ||||
| CVE-2025-65951 | 1 Mescuwa | 1 Entropy-derby | 2026-04-15 | 8.7 High |
| Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted bet ticket, allowing the house to decrypt immediately using fast proof verification instead of expensive VDF evaluation. This issue has been patched via commit 2d38d2f. | ||||
| CVE-2025-7573 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. This issue affects the function bs_GetManPwd in the library libblinkapi.so of the file /cgi-bin/lighttpd.cgi. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-55008 | 1 Workos | 1 Authkit | 2026-04-15 | 7.1 High |
| The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts — specifically sealedSession and accessToken by returning them from the authkitLoader. This caused them to be rendered into the browser HTML. This issue is fixed in version 0.7.0. | ||||
| CVE-2024-12538 | 2026-04-15 | 4.3 Medium | ||
| The Duplicate Post, Page and Any Custom Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.5 via the 'dpp_duplicate_as_draft' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract potentially sensitive data from draft, scheduled (future), private, and password protected posts. | ||||
| CVE-2023-49748 | 2 Wordpress, Wpserveur | 2 Wordpress, Wps Hide Login | 2026-04-15 | 3.7 Low |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPServeur, NicolasKulka, wpformation WPS Hide Login allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPS Hide Login: from n/a through 1.9.11. | ||||
| CVE-2023-29114 | 2026-04-15 | 5.7 Medium | ||
| System logs could be accessed through web management application due to a lack of access control. An attacker can obtain the following sensitive information: • Wi-Fi access point credentials to which the EV charger can connect. • APN web address and credentials. • IPSEC credentials. • Web interface access credentials for user and admin accounts. • JuiceBox system components (software installed, model, firmware version, etc.). • C2G configuration details. • Internal IP addresses. • OTA firmware update configurations (DNS servers). All the credentials are stored in logs in an unencrypted plaintext format. | ||||
| CVE-2025-26604 | 2026-04-15 | 8.3 High | ||
| Discord-Bot-Framework-Kernel is a Discord bot framework built with interactions.py, featuring modular extension management and secure execution. Because of the nature of arbitrary user-submited code execution, this allows user to execute potentially malicious code to perform damage or extract sensitive information. By loading the module containing the following code and run the command, the bot token can be extracted. Then the attacker can load a blocking module to sabotage the bot (DDoS attack) and the token can be used to make the fake bot act as the real one. If the bot has very high privilege, the attacker basically has full control before the user kicks the bot. Any Discord user that hosts Discord-Bot-Framework-Kernel before commit f0d9e70841a0e3170b88c4f8d562018ccd8e8b14 is affected. Users are advised to upgrade. Users unable to upgrade may attempt to limit their discord bot's access via configuration options. | ||||
| CVE-2025-46388 | 2026-04-15 | 4.3 Medium | ||
| CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | ||||
| CVE-2025-11998 | 1 Hp | 1 Card Readers B Model | 2026-04-15 | N/A |
| The following HP Card Readers B Models (X3D03B & Y7C05B) are potentially vulnerable to information disclosure, allowing prior user identity to be inherited under certain conditions —e.g., when an NFC device (such as a smartphone/smartwatches) is in proximity during a card swipe event. | ||||
| CVE-2024-10357 | 2026-04-15 | 4.3 Medium | ||
| The Clever Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.1 via the getTemplateContent function in src/widgets/class-clever-widget-base.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. | ||||
| CVE-2024-5880 | 2026-04-15 | 4.3 Medium | ||
| The Hide My Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2 due to the plugin not restricting access to the REST API when password protection is enabled. This makes it possible for unauthenticated attackers to gain unauthorized access to the site. | ||||
| CVE-2023-38296 | 1 Tcl | 1 30z Firmware | 2026-04-15 | 8 High |
| Various software builds for the following TCL 30Z and TCL A3X devices leak the ICCID to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as follows: TCL 30Z (TCL/4188R/Jetta_ATT:12/SP1A.210812.016/LV8E:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU5P:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU61:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU66:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU68:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6P:user/release-keys, and TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6X:user/release-keys) and TCL A3X (TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAAZ:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB3:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB7:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABA:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABM:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABP:user/release-keys, and TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABS:user/release-keys). This malicious app reads from the "persist.sys.tctPowerIccid" system property to indirectly obtain the ICCID. | ||||
| CVE-2024-22435 | 2026-04-15 | 8.3 High | ||
| A potential security vulnerability has been identified in Web ViewPoint Enterprise software. This vulnerability could be exploited to allow unauthorized users to access some resources on a NonStop system. | ||||
| CVE-2025-25370 | 2026-04-15 | 4.6 Medium | ||
| An issue in realme GT 2 (RMX3311) running Android 14 with realme UI 5.0 allows a physically proximate attacker to obtain sensitive information via the show app only setting function. | ||||