CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-35644 – OpenClaw < 2026.3.22 - Credential Exposure via baseUrl Fields in Gateway Snapshots
https://notcve.org/view.php?id=CVE-2026-35644
09 Apr 2026 — OpenClaw before 2026.3.22 contains an information disclosure vulnerability that allows attackers with operator.read scope to expose credentials embedded in channel baseUrl and httpUrl fields. • https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 2.3 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2026-34988 – Wasmtime leaks data between pooling allocator instances
https://notcve.org/view.php?id=CVE-2026-34988
09 Apr 2026 — This represents a data leakage vulnerability between guest WebAssembly instances which breaks WebAssembly's semantics and additionally breaks the sandbox that Wasmtime provides. • https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-6wgr-89rj-399p • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.0 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2026-34987 – Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access
https://notcve.org/view.php?id=CVE-2026-34987
09 Apr 2026 — This could result in a host process segmentation fault (DoS), an arbitrary data leak from the host process, or with a write, potentially an arbitrary RCE. • https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83 • CWE-125: Out-of-bounds Read • CWE-787: Out-of-bounds Write •
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2026-5960 – code-projects Patient Record Management System SQL Database Backup File hcpms.sql information disclosure
https://notcve.org/view.php?id=CVE-2026-5960
09 Apr 2026 — Executing a manipulation can lead to information disclosure. • https://code-projects.org • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-284: Improper Access Control •
CVSS: 2.7 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-14551 – Sensitive information disclosure was affecting subiquity
https://notcve.org/view.php?id=CVE-2025-14551
09 Apr 2026 — In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs. • https://github.com/canonical/subiquity/pull/2357 • CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information •
CVSS: 2.7 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-15480 – Sensitive information disclosure was affecting ubuntu-desktop-provision
https://notcve.org/view.php?id=CVE-2025-15480
09 Apr 2026 — In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs. • https://github.com/canonical/ubuntu-desktop-provision/pull/1399 • CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information •
CVSS: 5.1 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-34757 – LIBPNG has a use-after-free in png_set_PLTE, png_set_tRNS and png_set_hIST leading to corrupted chunk data and potential heap information disclosure
https://notcve.org/view.php?id=CVE-2026-34757
09 Apr 2026 — LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dang... • https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a • CWE-416: Use After Free •
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2026-5847 – code-projects Movie Ticketing System SQL Database Backup File moviedb.sql information disclosure
https://notcve.org/view.php?id=CVE-2026-5847
09 Apr 2026 — Such manipulation leads to information disclosure. • https://code-projects.org • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-284: Improper Access Control •
CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-40028 – Hayabusa < 3.8.0 XSS via JSON Log Import
https://notcve.org/view.php?id=CVE-2026-40028
08 Apr 2026 — An attacker can inject JavaScript into the Computer field of JSON logs that executes in the forensic examiner's browser session when viewing the generated HTML report, leading to information disclosure or code execution. • https://github.com/Yamato-Security/hayabusa/releases/tag/v3.8.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-40025 – Sleuth Kit APFS Keybag Parser Out-of-Bounds Read
https://notcve.org/view.php?id=CVE-2026-40025
08 Apr 2026 — An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes. • https://github.com/sleuthkit/sleuthkit/commit/8b9c9e7d493bd68624f3b1a3963edd45c3ff7611 • CWE-125: Out-of-bounds Read •
