CVSS: 6.9 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2026-24748 – Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access
https://notcve.org/view.php?id=CVE-2026-24748
27 Jan 2026 — This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. • https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772 • CWE-863: Incorrect Authorization
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-24473 – Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)
https://notcve.org/view.php?id=CVE-2026-24473
27 Jan 2026 — Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. • https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-284: Improper Access Control • CWE-668: Exposure of Resource to Wrong Sphere
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-24472 – Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
https://notcve.org/view.php?id=CVE-2026-24472
27 Jan 2026 — Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. • https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1 • CWE-524: Use of Cache Containing Sensitive Information • CWE-613: Insufficient Session Expiration
CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-33234
https://notcve.org/view.php?id=CVE-2025-33234
27 Jan 2026 — A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. • https://nvd.nist.gov/vuln/detail/CVE-2025-33234 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-0832 – New User Approve <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure
https://notcve.org/view.php?id=CVE-2026-0832
27 Jan 2026 — The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users. • https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L24 • CWE-862: Missing Authorization
CVSS: 3.7 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-24870 – Information disclosure in ixray-1.6-stcop
https://notcve.org/view.php?id=CVE-2026-24870
27 Jan 2026 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. • https://github.com/ixray-team/ixray-1.6-stcop/pull/258 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 5.3 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-41728 – Beckhoff: Information leak via Beckhoff Device Manager
https://notcve.org/view.php?id=CVE-2025-41728
27 Jan 2026 — A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response. • https://certvde.com/de/advisories/VDE-2025-092 • CWE-125: Out-of-bounds Read
CVSS: 5.9 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-66199 – TLS 1.3 CompressedCertificate excessive memory allocation
https://notcve.org/view.php?id=CVE-2025-66199
27 Jan 2026 — No memory corruption or information disclosure occurs. • https://github.com/openssl/openssl/commit/3ed1f75249932b155eef993a8e66a99cb98bfef4 • CWE-789: Memory Allocation with Excessive Size Value
CVSS: 2.0 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2026-1407 – Beetel 777VR1 UART information disclosure
https://notcve.org/view.php?id=CVE-2026-1407
25 Jan 2026 — Performing a manipulation results in information disclosure. • https://gist.github.com/raghav20232023/253c041842f622d9c2cb6ee4111c2227 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-284: Improper Access Control
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-24422 – phpMyFAQ: Public API endpoints expose emails and invisible questions
https://notcve.org/view.php?id=CVE-2026-24422
24 Jan 2026 — This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. • https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
