ReportizFlow
Filtered by vendor
Subscriptions
Total
1118 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-43937 | 1 Dell | 1 Powerscale Onefs | 2026-04-21 | 6.6 Medium |
| Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sensitive information into log file vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | ||||
| CVE-2026-23775 | 1 Dell | 2 Data Domain Operating System, Powerprotect Data Domain Appliances | 2026-04-20 | 7.6 High |
| Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion of sensitive information into log file vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to credential exposures. Authentication attempts as the compromised user would need to be authorized by a high privileged DD user. This vulnerability only affects systems with retention lock enabled. | ||||
| CVE-2025-4090 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-20 | 5.3 Medium |
| A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability was fixed in Firefox 138 and Thunderbird 138. | ||||
| CVE-2026-4901 | 2 Hydrosystem, Hydrosystem.poznan | 2 Control System, Control System | 2026-04-20 | 6.5 Medium |
| Hydrosystem Control System saves sensitive information into a log file. Critically, user credentials are logged allowing the attacker to obtain further authorized access into the system. Combined with vulnerability CVE-2026-34184, these sensitive information could be accessed by an unauthorized user.This issue was fixed in Hydrosystem Control System version 9.8.5 | ||||
| CVE-2026-31987 | 1 Apache | 1 Airflow | 2026-04-20 | 7.5 High |
| JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue. | ||||
| CVE-2026-23493 | 1 Pimcore | 1 Pimcore | 2026-04-18 | 8.6 High |
| Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14. | ||||
| CVE-2026-1495 | 1 Aveva | 1 Pi To Connect Agent | 2026-04-18 | 6.5 Medium |
| The vulnerability, if exploited, could allow an attacker with Event Log Reader (S-1-5-32-573) privileges to obtain proxy details, including URL and proxy credentials, from the PI to CONNECT event log files. This could enable unauthorized access to the proxy server. | ||||
| CVE-2026-22782 | 1 Rustfs | 1 Rustfs | 2026-04-18 | 7.5 High |
| RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80. | ||||
| CVE-2026-25211 | 1 Llamastack | 1 Llama Stack | 2026-04-18 | 3.2 Low |
| Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log. | ||||
| CVE-2026-1622 | 1 Neo4j | 2 Community Edition, Enterprise Edition | 2026-04-18 | 5.5 Medium |
| Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j. | ||||
| CVE-2026-20142 | 1 Splunk | 2 Splunk, Splunk Enterprise | 2026-04-18 | 6.8 Medium |
| In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the RSA `accessKey` value from the [<u>Authentication.conf</u> ](https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.2/configuration-file-reference/10.2.0-configuration-file-reference/authentication.conf)file, in plain text. | ||||
| CVE-2026-2605 | 1 Tanium | 1 Tanos | 2026-04-18 | 5.3 Medium |
| Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS. | ||||
| CVE-2026-22798 | 2 Software-metadata.pub, Softwarepub | 2 Hermes, Hermes | 2026-04-18 | 5.9 Medium |
| hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1. | ||||
| CVE-2026-20818 | 1 Microsoft | 6 Windows Server 2016, Windows Server 2019, Windows Server 2022 and 3 more | 2026-04-18 | 6.2 Medium |
| Insertion of sensitive information into log file in Windows Kernel allows an unauthorized attacker to disclose information locally. | ||||
| CVE-2026-0519 | 1 Absolute | 1 Secure Access | 2026-04-18 | 3.4 Low |
| In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system. | ||||
| CVE-2026-34164 | 1 Valtimo-platform | 1 Valtimo | 2026-04-18 | 4.9 Medium |
| Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data (PII), citizen identifiers (BSN), and case details. This data is exposed to anyone with access to application logs or any Valtimo user with the admin role through the Admin UI logging module. This issue has been fixed in version 13.22.0. If developers are unable to upgrade immediately, they can restrict access to application logs and adjust the log level for com.ritense.inbox to WARN or higher in their application configuration as a workaround. | ||||
| CVE-2026-0936 | 1 Br-automation | 1 Process Visualization Interface | 2026-04-18 | 5 Medium |
| An Insertion of Sensitive Information into Log File vulnerability in B&R PVI client versions prior to 6.5 may be abused by an authenticated local attacker to gather credential information which is processed by the PVI client application. The logging function of the PVI client application is disabled by default and must be explicitly enabled by the user. | ||||
| CVE-2026-22778 | 2 Vllm, Vllm-project | 2 Vllm, Vllm | 2026-04-18 | 9.8 Critical |
| vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1. | ||||
| CVE-2026-24762 | 1 Rustfs | 1 Rustfs | 2026-04-18 | 7.5 High |
| RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This issue has been patched in version alpha.82. | ||||
| CVE-2026-22038 | 2 Agpt, Significant-gravitas | 2 Autogpt Platform, Autogpt | 2026-04-18 | 8.1 High |
| AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.46, the AutoGPT platform's Stagehand integration blocks log API keys and authentication secrets in plaintext using logger.info() statements. This occurs in three separate block implementations (StagehandObserveBlock, StagehandActBlock, and StagehandExtractBlock) where the code explicitly calls api_key.get_secret_value() and logs the result. This issue has been patched in autogpt-platform-beta-v0.6.46. | ||||