Total
9909 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59294 | 1 Microsoft | 25 Windows, Windows 10, Windows 10 1507 and 22 more | 2026-01-02 | 2.1 Low |
| Exposure of sensitive information to an unauthorized actor in Windows Taskbar Live allows an unauthorized attacker to disclose information with a physical attack. | ||||
| CVE-2025-59284 | 1 Microsoft | 12 Windows, Windows 11, Windows 11 22h2 and 9 more | 2026-01-02 | 3.3 Low |
| Exposure of sensitive information to an unauthorized actor in Windows NTLM allows an unauthorized attacker to perform spoofing locally. | ||||
| CVE-2025-59211 | 1 Microsoft | 23 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 20 more | 2026-01-02 | 5.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Windows Push Notification Core allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-59186 | 1 Microsoft | 6 Windows Server 2016, Windows Server 2019, Windows Server 2022 and 3 more | 2026-01-02 | 5.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-55336 | 1 Microsoft | 22 Windows, Windows 10, Windows 10 1809 and 19 more | 2026-01-02 | 5.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Windows Cloud Files Mini Filter Driver allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-59240 | 1 Microsoft | 9 365, 365 Apps, Excel and 6 more | 2026-01-02 | 5.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | ||||
| CVE-2025-62206 | 1 Microsoft | 2 365, Dynamics 365 | 2026-01-02 | 6.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2025-68279 | 1 Weblate | 1 Weblate | 2026-01-02 | 7.7 High |
| Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. | ||||
| CVE-2025-52493 | 1 Pagerduty | 2 Runbook, Runbook Automation | 2026-01-02 | 6.5 Medium |
| PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by simply modifying the input field type from "password" to "text" using browser developer tools. This vulnerability is exploitable by administrative users who have access to the configuration page. | ||||
| CVE-2024-29883 | 1 Miraheze | 1 Createwiki | 2026-01-02 | 4.9 Medium |
| CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the `(createwiki)` user right regardless of the settings one sets on a given wiki request. This may expose information to users who are not supposed to be able to access it. | ||||
| CVE-2025-15065 | 2025-12-31 | 6.3 Medium | ||
| Exposure of Sensitive Information to an Unauthorized Actor, Missing Encryption of Sensitive Data, Files or Directories Accessible to External Parties vulnerability in Kings Information & Network Co. KESS Enterprise on Windows allows Privilege Escalation, Modify Existing Service, Modify Shared File.This issue affects KESS Enterprise: before *.25.9.19.exe | ||||
| CVE-2025-15121 | 1 Jeecg | 2 Jeecg Boot, Jeecgboot | 2025-12-30 | 2.4 Low |
| A vulnerability has been found in JeecgBoot up to 3.9.0. The affected element is the function getDeptRoleByUserId of the file /sys/sysDepartRole/getDeptRoleByUserId. Such manipulation of the argument departId leads to information disclosure. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-63958 | 1 Millensys | 1 Vision Tools Workspace | 2025-12-30 | 9.8 Critical |
| MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An unauthenticated attacker can retrieve this information by accessing the endpoint directly, potentially leading to full system compromise. The vulnerability is due to missing access controls on a privileged administrative function. | ||||
| CVE-2025-63729 | 1 Syrotech | 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware | 2025-12-30 | 9 Critical |
| An issue was discovered in Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517 allowing attackers to exctract the SSL Private Key, CA Certificate, SSL Certificate, and Client Certificates in .pem format in firmware in etc folder. | ||||
| CVE-2025-60739 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-12-30 | 9.6 Critical |
| Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component | ||||
| CVE-2025-43530 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2025-12-30 | 5.5 Medium |
| This issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.2, macOS Sonoma 14.8.3, macOS Sequoia 15.7.3, iOS 18.7.3 and iPadOS 18.7.3. An app may be able to access sensitive user data. | ||||
| CVE-2025-65278 | 2 Grocerymart Project, Komal97 | 2 Grocerymart, Grocerymart | 2025-12-30 | 7.5 High |
| An issue was discovered in file users.json in GroceryMart commit 21934e6 (2020-10-23) allowing unauthenticated attackers to gain sensitive information including plaintext usernames and passwords. | ||||
| CVE-2025-15082 | 1 Tozed | 1 Zlt M30s | 2025-12-29 | 5.3 Medium |
| A vulnerability was found in TOZED ZLT M30s up to 1.47. Impacted is an unknown function of the file /reqproc/proc_post of the component Web Management Interface. Performing manipulation of the argument goformId results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15141 | 1 Halo | 1 Halo | 2025-12-29 | 3.1 Low |
| A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator of the component Configuration Handler. Executing manipulation can lead to information disclosure. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12491 | 1 Senstar | 1 Symphony | 2025-12-29 | N/A |
| Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Senstar Symphony. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of FetchStoredLicense method. The issue results from the exposure of sensitive information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26908. | ||||