ReportizFlow
Filtered by vendor
Subscriptions
Total
329 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34171 | 1 Icewhale | 1 Casaos | 2026-03-05 | 5.3 Medium |
| CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host. | ||||
| CVE-2025-13616 | 1 Ibm | 1 Datastage On Cloud Pak For Data | 2026-03-05 | 6.5 Medium |
| IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks against the system. | ||||
| CVE-2025-13691 | 1 Ibm | 1 Datastage On Cloud Pak For Data | 2026-02-26 | 8.1 High |
| IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used to impersonate other users in the system. | ||||
| CVE-2023-4237 | 1 Redhat | 3 Ansible Automation Platform, Ansible Automation Platform Cloud Billing, Ansible Collection | 2026-02-25 | 7.3 High |
| A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability. | ||||
| CVE-2023-0342 | 1 Mongodb | 1 Ops Manager Server | 2026-02-25 | 3.1 Low |
| MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app settings. Archives do not include the PEM files themselves. This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and MongoDB Ops Manager v6.0 prior to 6.0.12 | ||||
| CVE-2025-27550 | 1 Ibm | 1 Jazz Reporting Service | 2026-02-23 | 3.5 Low |
| IBM Jazz Reporting Service could allow an authenticated user on the host network to obtain sensitive information about other projects that reside on the server. | ||||
| CVE-2025-36238 | 1 Ibm | 1 Powervm Hypervisor | 2026-02-19 | 6 Medium |
| IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 could allow a local user with administration privileges to obtain sensitive information from a Virtual TPM through a series of PowerVM service procedures. | ||||
| CVE-2023-37525 | 1 Hcltech | 1 Bigfix Compliance | 2026-02-12 | 5.3 Medium |
| A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals. | ||||
| CVE-2025-4614 | 2 Palo Alto Networks, Paloaltonetworks | 2 Pan-os, Pan-os | 2026-02-06 | 2.7 Low |
| An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to view session tokens of users authenticated to the firewall web UI. This may allow impersonation of users whose session tokens are leaked. The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. Cloud NGFW and Prisma® Access are not affected by this vulnerability. | ||||
| CVE-2025-67717 | 1 Zitadel | 1 Zitadel | 2026-02-02 | 4.3 Medium |
| ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2. | ||||
| CVE-2025-43024 | 1 Hp | 1 Thinpro | 2026-01-29 | 7.5 High |
| A GUI dialog of an application allows to view what files are in the file system without proper authorization. | ||||
| CVE-2025-47319 | 1 Qualcomm | 237 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 234 more | 2026-01-28 | 6.7 Medium |
| Information disclosure while exposing internal TA-to-TA communication APIs to HLOS | ||||
| CVE-2025-58585 | 1 Sick | 4 Baggage Analytics, Logistic Diagnostic Analytics, Package Analytics and 1 more | 2026-01-27 | 5.3 Medium |
| Multiple endpoints with sensitive information do not require authentication, making the application susceptible to information gathering. | ||||
| CVE-2025-58579 | 1 Sick | 5 Baggage Analytics, Enterprise Analytics, Logistic Diagnostic Analytics and 2 more | 2026-01-27 | 5.3 Medium |
| Due to a lack of authentication, it is possible for an unauthenticated user to request data from this endpoint, making the application vulnerable for user enumeration. | ||||
| CVE-2025-58583 | 1 Sick | 1 Enterprise Analytics | 2026-01-27 | 5.3 Medium |
| The application provides access to a login protected H2 database for caching purposes. The username is prefilled. | ||||
| CVE-2020-36922 | 1 Sony | 3 Bravia, Bravia Signage, Bravia Tv | 2026-01-23 | 7.5 High |
| Sony BRAVIA Digital Signage 1.7.8 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive system details through API endpoints. Attackers can retrieve network interface information, server configurations, and system metadata by sending requests to the exposed system API. | ||||
| CVE-2025-24473 | 1 Fortinet | 2 Forticlient, Forticlientwindows | 2026-01-14 | 4.8 Medium |
| A exposure of sensitive system information to an unauthorized control sphere vulnerability in Fortinet FortiClientWindows 7.2.0 through 7.2.1, FortiClientWindows 7.0.13 through 7.0.14 may allow an unauthorized remote attacker to view application information via navigation to a hosted webpage, if Windows is configured to accept incoming connections to port 8053 (non-default setup) | ||||
| CVE-2025-55183 | 2 Facebook, Vercel | 5 React, React-server-dom-parcel, React-server-dom-turbopack and 2 more | 2026-01-07 | 5.3 Medium |
| An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument. | ||||
| CVE-2025-9110 | 2 Qnap, Qnap Systems Inc. | 4 Qts, Quts Hero, Qts and 1 more | 2026-01-06 | 7.5 High |
| An exposure of sensitive system information to an unauthorized control sphere vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later QuTS hero h5.3.1.3250 build 20250912 and later | ||||
| CVE-2025-68943 | 1 Gitea | 1 Gitea | 2026-01-01 | 5.3 Medium |
| Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order. | ||||