CWE-202
Exposure of Sensitive Information Through Data Queries
When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
CVE-2025-59352 (GCVE-0-2025-59352)
Vulnerability from cvelistv5 – Published: 2025-09-17 19:50 – Updated: 2025-09-18 17:43
VLAI
Title
Dragonfly allows arbitrary file read and write on a peer machine
Summary
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine.This vulnerability is fixed in 2.1.0.
Severity
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dragonflyoss/dragonfly/securit… | x_refsource_CONFIRM |
| https://github.com/dragonflyoss/dragonfly/blob/ma… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| dragonflyoss | dragonfly |
Affected:
< 2.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59352",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-18T17:43:09.569641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T17:43:17.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dragonfly",
"vendor": "dragonflyoss",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers\u2019 secret data and to gain remote code execution (RCE) capabilities on the peer\u2019s machine.This vulnerability is fixed in 2.1.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T19:50:52.067Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66"
},
{
"name": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
}
],
"source": {
"advisory": "GHSA-79hx-3fp8-hj66",
"discovery": "UNKNOWN"
},
"title": "Dragonfly allows arbitrary file read and write on a peer machine"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59352",
"datePublished": "2025-09-17T19:50:38.914Z",
"dateReserved": "2025-09-12T12:36:24.637Z",
"dateUpdated": "2025-09-18T17:43:17.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-64504 (GCVE-0-2025-64504)
Vulnerability from cvelistv5 – Published: 2025-11-10 21:51 – Updated: 2025-11-12 20:13
VLAI
Title
Langfuse vulnerable to cross‑organization enumeration of member & invitation lists via project membership APIs
Summary
Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2.95.11 and 3.124.1, in certain project membership APIs, the server trusted a user‑controlled orgId and used it in authorization checks. As a result, any authenticated user on the same Langfuse instance could enumerate names and email addresses of users in another organization if they knew the target organization’s ID. Disclosure is limited to names and email addresses of members/invitees. No customer data such as traces, prompts, or evaluations is exposed or accessible. For Langfuse Cloud, the maintainers ran a thorough investigation of access logs of the last 30 days and could not find any evidence that this vulnerability was exploited. For most self-hosting deployments, the attack surface is significantly reduced given an SSO provider is configured and email/password sign-up is disabled. In these cases, only users who authenticate via the Enterprise SSO IdP (e.g. Okta) would be able to exploit this vulnerability to access the member list, i.e. internal users getting access to a list of other internal users. In order to exploit the vulnerability, the actor must have a valid Langfuse user account within the same instance, know the target orgId, and use the request made to the API that powers the frontend membership tables, including their project/user authentication token, while changing the orgId to the target organization. Langfuse Cloud (EU, US, HIPAA) were affected until fix deployment on November 1, 2025. The maintainers reviewed the Langfuse Cloud access logs from the past 30 days and found no evidence that this vulnerability was exploited. Self-Hosted versions which contain patches include v2.95.11 for major version 2 and v3.124.1 for major version 3. There are no known workarounds. Upgrading is required to fully mitigate this issue.
Severity
5 (Medium)
CWE
- CWE-202 - Exposure of Sensitive Information Through Data Queries
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/langfuse/langfuse/security/adv… | x_refsource_CONFIRM |
| https://github.com/langfuse/langfuse/commit/67990… | x_refsource_MISC |
| https://github.com/langfuse/langfuse/commit/6c252… | x_refsource_MISC |
| https://github.com/langfuse/langfuse/releases/tag… | x_refsource_MISC |
| https://github.com/langfuse/langfuse/releases/tag… | x_refsource_MISC |
| https://github.com/langfuse/langfuse/releases/tag… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:35:25.499140Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:13:56.630Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langfuse",
"vendor": "langfuse",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.70.0, \u003c 2.95.11"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.124.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2.95.11 and 3.124.1, in certain project membership APIs, the server trusted a user\u2011controlled orgId and used it in authorization checks. As a result, any authenticated user on the same Langfuse instance could enumerate names and email addresses of users in another organization if they knew the target organization\u2019s ID. Disclosure is limited to names and email addresses of members/invitees. No customer data such as traces, prompts, or evaluations is exposed or accessible. For Langfuse Cloud, the maintainers ran a thorough investigation of access logs of the last 30 days and could not find any evidence that this vulnerability was exploited. For most self-hosting deployments, the attack surface is significantly reduced given an SSO provider is configured and email/password sign-up is disabled. In these cases, only users who authenticate via the Enterprise SSO IdP (e.g. Okta) would be able to exploit this vulnerability to access the member list, i.e. internal users getting access to a list of other internal users. In order to exploit the vulnerability, the actor must have a valid Langfuse user account within the same instance, know the target orgId, and use the request made to the API that powers the frontend membership tables, including their project/user authentication token, while changing the orgId to the target organization. Langfuse Cloud (EU, US, HIPAA) were affected until fix deployment on November 1, 2025. The maintainers reviewed the Langfuse Cloud access logs from the past 30 days and found no evidence that this vulnerability was exploited. Self-Hosted versions which contain patches include v2.95.11 for major version 2 and v3.124.1 for major version 3. There are no known workarounds. Upgrading is required to fully mitigate this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:51:36.603Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langfuse/langfuse/security/advisories/GHSA-94hf-6gqq-pj69",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langfuse/langfuse/security/advisories/GHSA-94hf-6gqq-pj69"
},
{
"name": "https://github.com/langfuse/langfuse/commit/67990ebfdcf0f0c32a6710efa7ddbda073812ab4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langfuse/langfuse/commit/67990ebfdcf0f0c32a6710efa7ddbda073812ab4"
},
{
"name": "https://github.com/langfuse/langfuse/commit/6c2529049a4c962928c435984c81a547a497e3e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langfuse/langfuse/commit/6c2529049a4c962928c435984c81a547a497e3e5"
},
{
"name": "https://github.com/langfuse/langfuse/releases/tag/v2.70.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langfuse/langfuse/releases/tag/v2.70.0"
},
{
"name": "https://github.com/langfuse/langfuse/releases/tag/v2.95.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langfuse/langfuse/releases/tag/v2.95.11"
},
{
"name": "https://github.com/langfuse/langfuse/releases/tag/v3.124.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langfuse/langfuse/releases/tag/v3.124.1"
}
],
"source": {
"advisory": "GHSA-94hf-6gqq-pj69",
"discovery": "UNKNOWN"
},
"title": "Langfuse vulnerable to cross\u2011organization enumeration of member \u0026 invitation lists via project membership APIs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64504",
"datePublished": "2025-11-10T21:51:36.603Z",
"dateReserved": "2025-11-05T19:12:25.104Z",
"dateUpdated": "2025-11-12T20:13:56.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64528 (GCVE-0-2025-64528)
Vulnerability from cvelistv5 – Published: 2025-12-30 16:04 – Updated: 2025-12-30 18:11
VLAI
Title
Users are able to find users by name even when `enable_names` is off
Summary
Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix.
Severity
CWE
- CWE-202 - Exposure of Sensitive Information Through Data Queries
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse/commit/1cb… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/619… | x_refsource_MISC |
| https://github.com/discourse/discourse/commit/e93… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64528",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-30T18:10:27.701529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T18:11:53.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 2025.11.0-latest, \u003c 2025.11.1"
},
{
"status": "affected",
"version": "\u003e= 2025.12.0-latest, \u003c 2025.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T16:04:10.093Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-c59w-jwx7-34v4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-c59w-jwx7-34v4"
},
{
"name": "https://github.com/discourse/discourse/commit/1cb45b8b287597085e3514596ffb1d9b41938f81",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/1cb45b8b287597085e3514596ffb1d9b41938f81"
},
{
"name": "https://github.com/discourse/discourse/commit/6192f55629624925595dae14364fd86cac0f09df",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/6192f55629624925595dae14364fd86cac0f09df"
},
{
"name": "https://github.com/discourse/discourse/commit/e936a523b5900a9d866d23ea3da904ba12bb0fb2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/e936a523b5900a9d866d23ea3da904ba12bb0fb2"
}
],
"source": {
"advisory": "GHSA-c59w-jwx7-34v4",
"discovery": "UNKNOWN"
},
"title": "Users are able to find users by name even when `enable_names` is off"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64528",
"datePublished": "2025-12-30T16:04:10.093Z",
"dateReserved": "2025-11-05T21:15:39.401Z",
"dateUpdated": "2025-12-30T18:11:53.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68456 (GCVE-0-2025-68456)
Vulnerability from cvelistv5 – Published: 2026-01-05 22:03 – Updated: 2026-01-06 19:03
VLAI
Title
Unauthenticated Craft CMS users can trigger a database backup
Summary
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
Severity
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/craftcms/cms/security/advisori… | x_refsource_CONFIRM |
| https://github.com/craftcms/cms/commit/f83d4e0c6b… | x_refsource_MISC |
| https://github.com/craftcms/cms/blob/5.x/CHANGELO… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68456",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:26:08.082464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T19:03:45.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.21"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 4.16.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T22:03:11.155Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr"
},
{
"name": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39"
},
{
"name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
}
],
"source": {
"advisory": "GHSA-v64r-7wg9-23pr",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Craft CMS users can trigger a database backup"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68456",
"datePublished": "2026-01-05T22:03:11.155Z",
"dateReserved": "2025-12-17T20:22:35.081Z",
"dateUpdated": "2026-01-06T19:03:45.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-69200 (GCVE-0-2025-69200)
Vulnerability from cvelistv5 – Published: 2025-12-29 15:24 – Updated: 2025-12-29 16:14
VLAI
Title
phpMyFAQ has unauthenticated config backup download via /api/setup/backup
Summary
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue.
Severity
7.5 (High)
CWE
- CWE-202 - Exposure of Sensitive Information Through Data Queries
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/thorsten/phpMyFAQ/security/adv… | x_refsource_CONFIRM |
| https://github.com/thorsten/phpMyFAQ/commit/b0e99… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-69200",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T16:14:22.791625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T16:14:32.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpMyFAQ",
"vendor": "thorsten",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T15:24:51.844Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9cg9-4h4f-j6fg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9cg9-4h4f-j6fg"
},
{
"name": "https://github.com/thorsten/phpMyFAQ/commit/b0e99ee3695152115841cb546d8dce64ceb8c29a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/thorsten/phpMyFAQ/commit/b0e99ee3695152115841cb546d8dce64ceb8c29a"
}
],
"source": {
"advisory": "GHSA-9cg9-4h4f-j6fg",
"discovery": "UNKNOWN"
},
"title": "phpMyFAQ has unauthenticated config backup download via /api/setup/backup"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-69200",
"datePublished": "2025-12-29T15:24:51.844Z",
"dateReserved": "2025-12-29T14:37:07.300Z",
"dateUpdated": "2025-12-29T16:14:32.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25050 (GCVE-0-2026-25050)
Vulnerability from cvelistv5 – Published: 2026-01-30 15:11 – Updated: 2026-01-30 15:45
VLAI
Title
Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy
Summary
Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue.
Severity
CWE
- CWE-202 - Exposure of Sensitive Information Through Data Queries
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/vendurehq/vendure/security/adv… | x_refsource_CONFIRM |
| https://github.com/vendurehq/vendure/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25050",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T15:45:23.480440Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T15:45:50.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vendure",
"vendor": "vendurehq",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T15:11:40.296Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch"
},
{
"name": "https://github.com/vendurehq/vendure/releases/tag/v3.5.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vendurehq/vendure/releases/tag/v3.5.3"
}
],
"source": {
"advisory": "GHSA-6f65-4fv2-wwch",
"discovery": "UNKNOWN"
},
"title": "Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25050",
"datePublished": "2026-01-30T15:11:40.296Z",
"dateReserved": "2026-01-28T14:50:47.888Z",
"dateUpdated": "2026-01-30T15:45:50.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30778 (GCVE-0-2026-30778)
Vulnerability from cvelistv5 – Published: 2026-04-15 10:54 – Updated: 2026-04-16 12:05
VLAI
Title
Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
Summary
The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.
Users are recommended to upgrade to version 10.4.0, which fixes the issue.
Severity
No CVSS data available.
CWE
- CWE-202 - Exposure of Sensitive Information Through Data Queries
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/pvf35o3tp1rqhmrhz… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache SkyWalking |
Affected:
9.7.0 , ≤ 10.3.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-15T11:25:13.874Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/15/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-30778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T12:00:29.322586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T12:05:25.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache SkyWalking",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "10.3.0",
"status": "affected",
"version": "9.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "shuiboye@gmail.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\u003c/p\u003e\u003cp\u003eThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 10.4.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\n\nThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\n\nUsers are recommended to upgrade to version 10.4.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202 Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T10:54:25.212Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/pvf35o3tp1rqhmrhzj6fg31gvqrqcvn3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-30778",
"datePublished": "2026-04-15T10:54:25.212Z",
"dateReserved": "2026-03-05T01:06:13.446Z",
"dateUpdated": "2026-04-16T12:05:25.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33530 (GCVE-0-2026-33530)
Vulnerability from cvelistv5 – Published: 2026-03-26 19:34 – Updated: 2026-03-30 11:24
VLAI
Title
InvenTree Vulnerable to ORM Filter Injection
Summary
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.
Severity
7.7 (High)
CWE
- CWE-202 - Exposure of Sensitive Information Through Data Queries
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/inventree/InvenTree/security/a… | x_refsource_CONFIRM |
| https://github.com/inventree/InvenTree/pull/11581 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33530",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T11:24:21.708647Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T11:24:37.542Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvenTree",
"vendor": "inventree",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django\u0027s ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django\u0027s __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T19:34:51.294Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg"
},
{
"name": "https://github.com/inventree/InvenTree/pull/11581",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inventree/InvenTree/pull/11581"
}
],
"source": {
"advisory": "GHSA-m8j2-vfmq-p6qg",
"discovery": "UNKNOWN"
},
"title": "InvenTree Vulnerable to ORM Filter Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33530",
"datePublished": "2026-03-26T19:34:51.294Z",
"dateReserved": "2026-03-20T18:05:11.830Z",
"dateUpdated": "2026-03-30T11:24:37.542Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3546 (GCVE-0-2026-3546)
Vulnerability from cvelistv5 – Published: 2026-03-21 03:26 – Updated: 2026-04-08 17:10
VLAI
Title
e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via API Token via 'eshot_form_builder_get_account_data' AJAX Action
Summary
The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can('manage_options')) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to access the victim's e-shot platform account.
Severity
5.3 (Medium)
CWE
- CWE-202 - Exposure of Sensitive Information Through Data Queries
Assigner
References
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3546",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T13:53:11.893222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T13:53:55.424Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "e-shot",
"vendor": "forfront",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phong Nguyen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can(\u0027manage_options\u0027)) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to access the victim\u0027s e-shot platform account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202 Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:10:13.518Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/965bb642-4472-491f-8378-f4331ba4ab7c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/admin/class-eshotformbuilder-admin.php#L567"
},
{
"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/admin/class-eshotformbuilder-admin.php#L567"
},
{
"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/trunk/includes/class-eshotformbuilder.php#L163"
},
{
"url": "https://plugins.trac.wordpress.org/browser/e-shot-form-builder/tags/1.0.2/includes/class-eshotformbuilder.php#L163"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-20T15:09:33.000Z",
"value": "Disclosed"
}
],
"title": "e-shot \u003c= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via API Token via \u0027eshot_form_builder_get_account_data\u0027 AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3546",
"datePublished": "2026-03-21T03:26:56.419Z",
"dateReserved": "2026-03-04T18:26:18.273Z",
"dateUpdated": "2026-04-08T17:10:13.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40245 (GCVE-0-2026-40245)
Vulnerability from cvelistv5 – Published: 2026-04-15 23:25 – Updated: 2026-04-16 12:04
VLAI
Title
Free5GC: UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication
Summary
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions 4.2.1 and below contain an information disclosure vulnerability in the UDR (Unified Data Repository) service. The handler for GET /nudr-dr/v2/application-data/influenceData/subs-to-notify sends an HTTP 400 error response when required query parameters are missing but does not return afterward. Execution continues into the processor function, which queries the data repository and appends the full list of Traffic Influence Subscriptions, including SUPI/IMSI values, to the response body. An unauthenticated attacker with network access to the 5G Service Based Interface can retrieve stored subscriber identifiers with a single parameterless HTTP GET request. The SUPI is the most sensitive subscriber identifier in 5G networks, and its exposure undermines the privacy guarantees of the 3GPP SUCI concealment mechanism at the core network level. A similar bypass exists when sending a malformed snssai parameter due to the same missing return pattern.
Severity
7.5 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/free5gc/free5gc/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40245",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T11:13:15.842291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T12:04:46.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wrwh-rpq4-87hf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "free5gc",
"vendor": "free5gc",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.4.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions 4.2.1 and below contain an information disclosure vulnerability in the UDR (Unified Data Repository) service. The handler for GET /nudr-dr/v2/application-data/influenceData/subs-to-notify sends an HTTP 400 error response when required query parameters are missing but does not return afterward. Execution continues into the processor function, which queries the data repository and appends the full list of Traffic Influence Subscriptions, including SUPI/IMSI values, to the response body. An unauthenticated attacker with network access to the 5G Service Based Interface can retrieve stored subscriber identifiers with a single parameterless HTTP GET request. The SUPI is the most sensitive subscriber identifier in 5G networks, and its exposure undermines the privacy guarantees of the 3GPP SUCI concealment mechanism at the core network level. A similar bypass exists when sending a malformed snssai parameter due to the same missing return pattern."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T23:25:11.589Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wrwh-rpq4-87hf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wrwh-rpq4-87hf"
}
],
"source": {
"advisory": "GHSA-wrwh-rpq4-87hf",
"discovery": "UNKNOWN"
},
"title": "Free5GC: UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40245",
"datePublished": "2026-04-15T23:25:11.589Z",
"dateReserved": "2026-04-10T17:31:45.786Z",
"dateUpdated": "2026-04-16T12:04:46.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- This is a complex topic. See the [REF-1492] for a good discussion of best practices.
No CAPEC attack patterns related to this CWE.