Information Disclosure

Multiple vulnerabilities in GNU InetUtils allow a remote attacker to execute arbitrary code and disclose sensitive information.

Multiple vulnerabilities in Grafana allow a remote, anonymous attacker to conduct a Cross-Site Scripting attack or disclose information.

Multiple vulnerabilities in Rapid7 Velociraptor could allow an attacker to disclose information or cause a denial of service.

A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read, potentially causing information disclosure or denial of service.

Multiple vulnerabilities in Absolute Secure Access could allow an attacker to escalate privileges, conduct a denial-of-service attack, and disclose sensitive information.

Multiple vulnerabilities in Google Chrome could allow an attacker to execute arbitrary code, bypass security mechanisms, disclose and manipulate data, and cause a denial-of-service condition.

Multiple vulnerabilities exist in Xen and Citrix Systems XenServer that could allow an attacker to escalate privileges, bypass security measures, modify and disclose data, or cause a denial-of-service condition.

Multiple vulnerabilities in Exim versions prior to 4.99.2 allow an attacker to cause a remote denial of service, a breach of data confidentiality, and an unspecified security problem.

Multiple vulnerabilities in Flowise allow an attacker to execute arbitrary code, bypass security measures, disclose information, and manipulate files.

A local attacker can exploit a vulnerability in util-linux to perform a denial of service attack and disclose sensitive information.

Remote, anonymous attackers can exploit vulnerabilities in Red Hat Hardened Images RPMs to bypass security measures, cause denial of service, disclose sensitive information, or potentially execute code.

Multiple vulnerabilities in Microsoft Visual Studio, .NET Framework, .NET, PowerShell, and Visual Studio Code can be exploited by an attacker to disclose sensitive information, conduct spoofing attacks, cause a denial of service, or bypass security measures, potentially leading to arbitrary code execution.

Multiple vulnerabilities in libarchive can be exploited by a remote attacker to disclose information or cause a denial-of-service condition.

Multiple vulnerabilities in Langflow allow an attacker to manipulate files, disclose sensitive information, or conduct cross-site scripting attacks.

Multiple defense-in-depth gaps exist in Meridian versions prior to 2.1.1, including high severity issues related to bypassing safety caps on collection mapping that can lead to resource exhaustion, along with medium and low severity issues affecting constructor selection, telemetry, retry mechanisms, and exception handling.

A remote, authenticated attacker can exploit a vulnerability in Grafana to manipulate files and disclose sensitive information, potentially leading to persistence, unauthorized access, and significant impact.

An out-of-bounds read vulnerability in Microsoft Office Excel (CVE-2026-32188) allows a local attacker to potentially disclose sensitive information through a maliciously crafted Excel file.

An improper path validation vulnerability exists in the free5gc UDR service, allowing unauthenticated attackers with access to the 5G Service Based Interface (SBI) to read Traffic Influence Subscriptions.

HashiCorp's go-getter library up to v1.8.5 is vulnerable to arbitrary file reads on the file system during certain git operations through a maliciously crafted URL (CVE-2026-4660), potentially allowing attackers to access sensitive information.

PraisonAI versions prior to 4.5.115 expose agent activity without authentication due to improperly secured A2U event stream endpoints, potentially allowing unauthorized access to sensitive agent information.

IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information in log files, potentially exposing it to unauthorized local users, tracked as CVE-2026-4788.

Podman Desktop versions prior to 1.26.2 expose an unauthenticated HTTP server, allowing remote attackers to trigger denial-of-service conditions by exhausting resources and extract sensitive information through verbose error responses.

A memory corruption vulnerability due to an out-of-bounds read in NI LabVIEW's `sentry_transaction_context_set_operation()` function could lead to information disclosure or arbitrary code execution by opening a specially crafted VI file.

A heap-buffer-overflow read vulnerability exists in openFPGALoader 1.1.1 and earlier, allowing out-of-bounds heap memory access via a crafted .pof file, potentially leading to denial of service or information disclosure.

Piwigo versions prior to 16.3.0 expose the full browsing history of gallery visitors to unauthenticated users via the pwg.history.search API method due to a missing authorization check.

An improper authentication vulnerability (CVE-2026-32173) in the Azure SRE Agent allows an unauthorized attacker to disclose sensitive information over the network, potentially leading to data breaches or further compromise.

CVE-2026-32211 is a critical vulnerability in Azure MCP Server due to missing authentication for a critical function, allowing an unauthorized attacker to disclose information over the network.

Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 are vulnerable to information disclosure due to improper static file serving via a prefix matching issue in Rack::Static.

V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability (CVE-2026-32929) in VS6ComFile!get_macro_mem_COM, where opening a crafted V7 file may lead to information disclosure.

V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in the VS6ComFile!load_link_inf function, allowing for potential information disclosure when opening a crafted V7 file.

CVE-2026-34162 in FastGPT allows unauthenticated attackers to exfiltrate API keys and gain complete access to internal services managed by Docker Compose by sending arbitrary HTTP requests, leading to potential compromise of the internal network.

Multiple vulnerabilities in PowerDNS could be exploited by an attacker to disclose information, bypass security measures, cause a denial of service, and potentially execute code.

A remote, authenticated attacker can exploit multiple vulnerabilities in Django to perform SQL injections, disclose confidential information, or cause a denial-of-service condition.

UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 is vulnerable to arbitrary file overwrite (CVE-2026-30282) via the file import process, allowing attackers to overwrite critical internal files and potentially achieve arbitrary code execution or information exposure.

CVE-2026-24148 is a vulnerability in NVIDIA Jetson for JetPack's system initialization logic, where an unprivileged attacker can cause the initialization of a resource with an insecure default, potentially leading to information disclosure, data tampering, and denial of service.

OpenClaw before version 2026.3.13 exposes Telegram bot tokens in error messages due to the fetchRemoteMedia function embedding these tokens in MediaFetchError strings when media downloads fail.

Threat actors are actively exploiting CVE-2026-3055, a critical memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances configured as a SAML identity provider (IDP), to extract sensitive information, including authenticated administrative session IDs, potentially leading to full system takeover.

The Glances XML-RPC server exposes sensitive system information due to a permissive CORS policy and missing Content-Type validation, enabling attackers to bypass CORS restrictions and steal data like hostnames, OS details, IP addresses, and process lists.

An anonymous remote attacker can exploit multiple vulnerabilities in Red Hat Undertow to bypass security measures, manipulate data, and disclose sensitive information.

Multiple vulnerabilities in Grafana allow a remote attacker to conduct a denial-of-service attack, execute code, or disclose information.

CVE-2026-5128 exposes sensitive Steam account data via the /users API endpoint and logs in ArthurFiorette steam-trader 2.1.1, allowing account takeover.

Cisco Talos disclosed multiple vulnerabilities in Canva Affinity, TP-Link Archer AX53, and HikVision Ultra Face Recognition Terminal products which could lead to sensitive information disclosure, arbitrary code execution, or credentials leak if exploited.

An anonymous remote attacker can exploit a vulnerability in Apache CXF to perform a denial of service attack and disclose sensitive information.

A remote, authenticated attacker can exploit multiple vulnerabilities in IBM WebSphere Application Server Liberty to escalate privileges, bypass security measures, and disclose information.

A remote, authenticated attacker can exploit a vulnerability in TIBCO ActiveMatrix and TIBCO Administrator to disclose information and manipulate data, potentially leading to unauthorized access and control.

An authenticated remote attacker can exploit vulnerabilities in Asterisk and Digium Certified Asterisk to achieve arbitrary code execution, denial of service, or information disclosure.

Multiple vulnerabilities in Langflow could be exploited by an attacker to execute arbitrary program code, disclose information, and potentially manipulate data, leading to potential system compromise.

A vulnerability in Froxlor allows an attacker to manipulate files and disclose sensitive information, potentially leading to data breaches or system compromise.

Census CSWeb 8.0.1 is vulnerable to unauthenticated remote configuration file disclosure via HTTP requests to the `/app/config` path, potentially exposing sensitive secrets; fixed in 8.1.0 alpha.

An anonymous or authenticated remote attacker can exploit multiple vulnerabilities in Citrix Systems NetScaler to disclose information and take over a user session.

A remote attacker can exploit multiple vulnerabilities in Apache CXF to disclose information and perform Server-Side Request Forgery (SSRF) attacks.

Citrix has released a security advisory addressing multiple vulnerabilities in NetScaler ADC and NetScaler Gateway that could lead to sensitive information disclosure and user session mix-up under specific configurations.

Multiple network-based intrusion attempts were detected on 2026-03-14, targeting PHP information exposure, Fortigate VPN exploitation, sensitive file access, and credential exposure.

OpenMRS Core versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, contain a path traversal vulnerability in the ModuleResourcesServlet, allowing an unauthenticated attacker to read arbitrary files from the server filesystem by manipulating the URL.

A vulnerability in Cisco ACI Multi-Site CloudSec encryption allows a remote attacker to read or modify intersite encrypted traffic due to a flaw in cipher implementation.

Arcane versions before 1.18.0 are vulnerable to an unauthenticated information disclosure on four GET endpoints under `/api/templates*`, allowing unauthorized access to Compose YAML and `.env` content including sensitive secrets.