
CVSS: 5.3 • EPSS: 0% • CPEs: 10 • EXPL: 0

13 Jan 2026 — Information disclosure in the Networking component. • https://bugzilla.mozilla.org/show_bug.cgi?id=1989340 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 4.3 • EPSS: 0% • CPEs: 6 • EXPL: 0

13 Jan 2026 — Under certain conditions, the SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application; integrity and availability are not impacted. • https://me.sap.com/notes/3655227 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

CVSS: 9.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Jan 2026 — An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. • https://github.com/emlog/emlog/commit/429b02fda842254b9b9b39303e9161999c180560 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Jan 2026 — MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON u... • https://github.com/mindsdb/mindsdb/security/advisories/GHSA-qqhf-pm3j-96g7 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-23: Relative Path Traversal • CWE-36: Absolute Path Traversal

CVSS: 6.9 • EPSS: 0% • CPEs: 8 • EXPL: 0

12 Jan 2026 — Certain NVR models developed by A-Plus Video Technologies have a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information. • https://www.twcert.org.tw/en/cp-139-10621-55584-2.html • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jan 2026 — Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. • https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 3.3 • EPSS: 0% • CPEs: 4 • EXPL: 0

09 Jan 2026 — A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. • https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.7 • EPSS: 0% • CPEs: - • EXPL: 0

09 Jan 2026 — Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. • https://cert.pl/posts/2026/01/CVE-2025-66049 • CWE-306: Missing Authentication for Critical Function

CVSS: 6.5 • EPSS: 0% • CPEs: - • EXPL: 0

09 Jan 2026 — An Information Disclosure vulnerability in CouchCMS 2.4 allows an Admin user to read arbitrary files by repeatedly traversing back through parent directories. • https://gist.github.com/thepiyushkumarshukla/d01f8004c43692f18c75548f4739955a • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 5.3 • EPSS: 0% • CPEs: - • EXPL: 0

09 Jan 2026 — This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of credentials provided to the endpoint. The issue results from transmitting sensitive information in plaintext. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise.