Search Results (10717 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2005-3498 1 Ibm 1 Websphere Application Server 2026-04-16 N/A
IBM WebSphere Application Server 5.0.x before 5.02.15, 5.1.x before 5.1.1.8, and 6.x before fixpack V6.0.2.5, when session trace is enabled, records a full URL including the queryString in the trace logs when an application encodes a URL, which could allow attackers to obtain sensitive information.
CVE-2003-1486 1 Phorum 1 Phorum 2026-04-16 N/A
Phorum 3.4 through 3.4.2 allows remote attackers to obtain the full path of the web server via an incorrect HTTP request to (1) smileys.php, (2) quick_listrss.php, (3) purge.php, (4) news.php, (5) memberlist.php, (6) forum_listrss.php, (7) forum_list_rdf.php, (8) forum_list.php, or (9) move.php, which leaks the information in an error message.
CVE-2003-1468 1 Francisco Burzi 1 Php-nuke 2026-04-16 N/A
The Web_Links module in PHP-Nuke 6.0 through 6.5 final allows remote attackers to obtain the full web server path via an invalid cid parameter that is non-numeric or null, which leaks the pathname in an error message.
CVE-2026-1371 2 Themeum, Wordpress 2 Tutor Lms, Wordpress 2026-04-15 5.3 Medium
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.
CVE-2019-8921 3 Bluez, Debian, Linux 3 Bluez, Debian Linux, Linux Kernel 2026-04-15 6.5 Medium
An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the same.
CVE-2026-20606 1 Apple 4 Ios And Ipados, Ipados, Iphone Os and 1 more 2026-04-15 7.1 High
This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. An app may be able to bypass certain Privacy preferences.
CVE-2026-20647 1 Apple 1 Macos 2026-04-15 5.5 Medium
This issue was addressed with improved data protection. This issue is fixed in macOS Tahoe 26.3. An app may be able to access sensitive user data.
CVE-2026-20641 1 Apple 7 Ios And Ipados, Ipados, Iphone Os and 4 more 2026-04-15 7.1 High
A privacy issue was addressed with improved checks. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. An app may be able to identify what other apps a user has installed.
CVE-2026-20682 1 Apple 3 Ios And Ipados, Ipados, Iphone Os 2026-04-15 5.3 Medium
A logic issue was addressed with improved state management. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An attacker may be able to discover a user’s deleted notes.
CVE-2026-20680 1 Apple 4 Ios And Ipados, Ipados, Iphone Os and 1 more 2026-04-15 5.5 Medium
The issue was addressed with additional restrictions on the observability of app states. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. A sandboxed app may be able to access sensitive user data.
CVE-2026-20681 1 Apple 1 Macos 2026-04-15 3.3 Low
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Tahoe 26.3. An app may be able to access information about a user's contacts.
CVE-2026-20678 1 Apple 3 Ios And Ipados, Ipados, Iphone Os 2026-04-15 5.5 Medium
An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An app may be able to access sensitive user data.
CVE-2026-20619 1 Apple 1 Macos 2026-04-15 5.5 Medium
A logging issue was addressed with improved data redaction. This issue is fixed in macOS Sequoia 15.7.4, macOS Tahoe 26.3. An app may be able to access sensitive user data.
CVE-2026-20662 1 Apple 1 Macos 2026-04-15 4.6 Medium
An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Tahoe 26.3. An attacker with physical access to a locked device may be able to view sensitive user information.
CVE-2026-20623 1 Apple 1 Macos 2026-04-15 5.5 Medium
A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Tahoe 26.3. An app may be able to access protected user data.
CVE-2026-20674 1 Apple 3 Ios And Ipados, Ipados, Iphone Os 2026-04-15 4.6 Medium
A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information.
CVE-2026-20612 1 Apple 1 Macos 2026-04-15 5.5 Medium
A privacy issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. An app may be able to access sensitive user data.
CVE-2026-20648 1 Apple 1 Macos 2026-04-15 5.5 Medium
A privacy issue was addressed by moving sensitive data to a protected location. This issue is fixed in macOS Tahoe 26.3. A malicious app may be able to access notifications from other iCloud devices.
CVE-2026-1060 1 Wordpress 1 Wordpress 2026-04-15 5.3 Medium
The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.
CVE-2026-0950 2 Brainstormforce, Wordpress 2 Spectra, Wordpress 2026-04-15 5.3 Medium
The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block.