Total
174 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-38103 | 1 Microsoft | 2 Edge, Edge Chromium | 2025-12-09 | 5.9 Medium |
| Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | ||||
| CVE-2025-66027 | 1 Rallly | 1 Rallly | 2025-12-03 | 6.5 Medium |
| Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users’ personal information. This issue has been patched in version 4.5.6. | ||||
| CVE-2025-66035 | 1 Angular | 1 Angular | 2025-12-01 | 7.1 High |
| Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs. | ||||
| CVE-2025-6017 | 1 Redhat | 2 Acm, Advanced Cluster Management For Kubernetes | 2025-11-20 | 5.5 Medium |
| A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors. | ||||
| CVE-2025-36131 | 1 Ibm | 1 Db2 | 2025-11-19 | 4.6 Medium |
| IBM Db2 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) clpplus command exposes user credentials to the terminal which could be obtained by a third party with physical access to the system. | ||||
| CVE-2023-45720 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | 5.3 Medium |
| Insufficient default configuration in HCL Leap allows anonymous access to directory information. | ||||
| CVE-2024-7697 | 2 Tecno, Transsion | 2 Com.transsion.carlcare, Carlcare | 2025-11-13 | 7.5 High |
| Logical vulnerability in the mobile application (com.transsion.carlcare) may lead to user information leakage risks. | ||||
| CVE-2025-11959 | 1 Premierturk | 1 Excavation Management Information System | 2025-11-12 | 8.1 High |
| Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management Information System allows Footprinting, Functionality Misuse.This issue affects Excavation Management Information System: before v.10.2025.01. | ||||
| CVE-2025-52602 | 1 Hcltech | 1 Bigfix Query | 2025-11-12 | 4.2 Medium |
| HCL BigFix Query is affected by a sensitive information disclosure in the WebUI Query application. An HTTP GET endpoint request returns discoverable responses that may disclose: group names, active user names (or IDs). An attacker can use that information to target individuals with phishing or other social-engineering attacks. | ||||
| CVE-2023-45721 | 1 Hcltech | 1 Domino Leap | 2025-11-04 | 5.3 Medium |
| Insufficient default configuration in HCL Leap allows anonymous access to directory information. | ||||
| CVE-2024-42325 | 1 Zabbix | 1 Zabbix | 2025-11-03 | 3.5 Low |
| Zabbix API user.get returns all users that share common group with the calling user. This includes media and other information, such as login attempts, etc. | ||||
| CVE-2025-62644 | 2 Rbi, Restaurant Brands International | 2 Restaurant Brands International Assistant, Assistant Platform | 2025-10-31 | 5 Medium |
| The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory that shares personal information among authenticated users. | ||||
| CVE-2025-10859 | 2 Apple, Mozilla | 3 Ios, Firefox, Firefox For Ios | 2025-10-30 | 4 Medium |
| Cookie storage for non-HTML temporary documents was being shared incorrectly with normal browsing content, allowing information from private tabs to escape Incognito mode even after the user closed all tabs This vulnerability affects Firefox for iOS < 143.1. | ||||
| CVE-2025-11145 | 1 Cbk Soft | 1 Envision | 2025-10-29 | 7.5 High |
| Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account Footprinting.This issue affects enVision: before 250566. | ||||
| CVE-2025-35981 | 1 Gallagher | 1 Command Centre | 2025-10-27 | 5.5 Medium |
| Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) in the Command Centre Server allows a privileged Operator to view limited personal data about a Cardholder they would not normally have permissions to view. This issue affects Command Centre Server: 9.30.1874 (MR1), 9.20.2337 (MR3), 9.10.3194 (MR6). | ||||
| CVE-2025-62362 | 2025-10-14 | N/A | ||
| gpp-burgerportaal is a Dutch government citizen portal application. In versions before 2.0.3, 3.0.2, and 4.0.1, the name and email address of employees who publish content are exposed in network responses and can be discovered by viewing the browser's developer tools network tab. This information disclosure may violate employee privacy expectations and could be used for targeted attacks or unwanted contact. This issue has been patched in versions 2.0.3, 3.0.2, and 4.0.1. No known workarounds exist. | ||||
| CVE-2023-36018 | 1 Microsoft | 1 Jupyter | 2025-10-09 | 7.8 High |
| Visual Studio Code Jupyter Extension Spoofing Vulnerability | ||||
| CVE-2023-36052 | 1 Microsoft | 1 Azure Command-line Interface | 2025-10-08 | 8.6 High |
| Azure CLI REST Command Information Disclosure Vulnerability | ||||
| CVE-2025-1939 | 1 Mozilla | 1 Firefox | 2025-09-29 | 3.9 Low |
| Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability affects Firefox < 136. | ||||
| CVE-2025-53374 | 1 Dokploy | 1 Dokploy | 2025-09-29 | 4.3 Medium |
| Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated low-privileged account can retrieve detailed profile information about another users in the same organization by directly invoking user.one. The response discloses personally-identifiable information (PII) such as e-mail address, role, two-factor status, organization ID, and various account flags. The fix will be available in the v0.23.7. | ||||