Search Results (10767 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-26604 2026-04-15 8.3 High
Discord-Bot-Framework-Kernel is a Discord bot framework built with interactions.py, featuring modular extension management and secure execution. Because of the nature of arbitrary user-submited code execution, this allows user to execute potentially malicious code to perform damage or extract sensitive information. By loading the module containing the following code and run the command, the bot token can be extracted. Then the attacker can load a blocking module to sabotage the bot (DDoS attack) and the token can be used to make the fake bot act as the real one. If the bot has very high privilege, the attacker basically has full control before the user kicks the bot. Any Discord user that hosts Discord-Bot-Framework-Kernel before commit f0d9e70841a0e3170b88c4f8d562018ccd8e8b14 is affected. Users are advised to upgrade. Users unable to upgrade may attempt to limit their discord bot's access via configuration options.
CVE-2025-26485 2026-04-15 5.8 Medium
A vulnerability in Beta80 Life 1st enables the retrieval of different error messages for failed authentication attempts (in case of the usage of a wrong password or a non existent user). The difference in the returned error messages could be used by attackers to understand whether a certain user is registered in the Identity Manager. This issue affects Life 1st: 1.5.2.14234.
CVE-2025-25370 2026-04-15 4.6 Medium
An issue in realme GT 2 (RMX3311) running Android 14 with realme UI 5.0 allows a physically proximate attacker to obtain sensitive information via the show app only setting function.
CVE-2025-25209 1 Redhat 1 Connectivity Link 2026-04-15 5.7 Medium
The AuthPolicy metadata on Red Hat Connectivity Link contains an object which stores secretes, however it assumes those secretes are already in the kuadrant-system instead of copying it to the referred namespace. This creates space for a malicious actor with a developer persona access to leak those secrets over HTTP connection, as long the attacker knows the name of the targeted secrets and those secrets are limited to one line only.
CVE-2025-54468 2 Rancher, Suse 2 Rancher, Rancher 2026-04-15 4.7 Medium
A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. email addresses.
CVE-2025-54548 1 Arista 1 Danz Monitoring Fabric 2026-04-15 4.3 Medium
On affected platforms, restricted users could view sensitive portions of the config database via a debug API (e.g., user password hashes)
CVE-2025-55052 2026-04-15 4.3 Medium
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-55165 1 Autocaliweb Project 1 Autocaliweb 2026-04-15 8.3 High
Autocaliweb is a web app that offers an interface for browsing, reading, and downloading eBooks using a valid Calibre database. Prior to version 0.8.3, the debug pack generated by Autocaliweb can expose sensitive configuration data, including API keys. This occurs because the to_dict() method, used to serialize configuration for the debug pack, doesn't adequately filter out sensitive fields such as API tokens. Users, unaware of the full contents, might share these debug packs, inadvertently leaking their private API keys. This issue has been patched in version 0.8.3.
CVE-2025-1595 2026-04-15 5.3 Medium
A vulnerability has been found in Anhui Xufan Information Technology EasyCVR up to 2.7.0 and classified as problematic. This vulnerability affects unknown code of the file /api/v1/getbaseconfig. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-12074 2 Postmagthemes, Wordpress 2 Context Blog, Wordpress 2026-04-15 5.3 Medium
The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'context_blog_modal_popup' due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
CVE-2025-23387 1 Suse 1 Rancher 2026-04-15 5.3 Medium
A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowed unauthenticated users to list all CLI authentication tokens and delete them before the CLI is able to get the token value.This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.
CVE-2025-56406 2 Neo4j, Neo4j-contrib 2 Neo4j, Mcp-neo4j 2026-04-15 7.5 High
An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication is not mandatory for MCP servers, and the mcp-neo4j MCP server is only intended for use in a local environment where authentication realistically would not be needed. Also, the Supplier provides middleware to help isolate the MCP server from external access (if needed).
CVE-2025-22918 2026-04-15 7.5 High
Polycom RealPresence Group 500 <=20 has Insecure Permissions due to automatically loaded cookies. This allows for the use of administrator functions, resulting in the leakage of sensitive user information.
CVE-2025-22895 2026-04-15 5.5 Medium
Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiberâ„¢ Edge Platform may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2025-56467 2 Axis, Google 2 Axis Mobile App, Android 2026-04-15 6.5 Medium
An issue was discovered in AXIS BANK LIMITED Axis Mobile App 9.9 that allows attackers to obtain sensitive information without a UPI PIN, such as account information, balances, transaction history, and unspecified other information. NOTE: the Supplier's perspective is that this is an intended feature and "does not reveal much sensitive information."
CVE-2025-57837 1 Honor 2 Fcp-an10, Tileservice 2026-04-15 2.9 Low
Tileservice module is affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality.
CVE-2025-57838 1 Honor 1 Magicos 2026-04-15 4 Medium
Some Honor products are affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality.
CVE-2025-57839 1 Honor 1 Magicos 2026-04-15 4 Medium
Photo module is affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality.
CVE-2025-22866 1 Redhat 7 Acm, Apache Camel Hawtio, Ceph Storage and 4 more 2026-04-15 4 Medium
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
CVE-2025-22138 2026-04-15 N/A
@codidact/qpixel is a Q&A-based community knowledge-sharing software. In affected versions when a category is set to private or limited-visibility within QPixel's admin tools, suggested edits within this category can still be viewed by unprivileged or anonymous users via the suggested edit queue. This issue has not yet been patched and no workarounds are available. Users are advised to follow the development repo for updates. ### Patches Not yet patched. ### Workarounds None available. Private or limited-visibility categories should not be considered ways to store sensitive information. ### References Internal: [SUPPORT-114](https://codidact.atlassian.net/issues/SUPPORT-114)