CVSS: 1.8 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2025-55250 – HCL AION is affected by a Technical Error Disclosure vulnerability
https://notcve.org/view.php?id=CVE-2025-55250
19 Jan 2026 — This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks. • https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# • CWE-209: Generation of Error Message Containing Sensitive Information
CVSS: 2.8 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2025-52659 – HCL AION is affected by a Cacheable HTTP Response vulnerability
https://notcve.org/view.php?id=CVE-2025-52659
19 Jan 2026 — This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure. • https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# • CWE-525: Use of Web Browser Cache Containing Sensitive Information
CVSS: 5.3 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2025-14348 – weMail <= 2.0.7 - Insufficient Authorization via x-wemail-user Header to Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2025-14348
19 Jan 2026 — The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/... • https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L79 • CWE-285: Improper Authorization
CVSS: 8.1 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2025-14977 – Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2025-14977
19 Jan 2026 — The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal ... • https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L109 • CWE-284: Improper Access Control
CVSS: 5.3 • EPSS: % • CPEs: 1 • EXPL: 0
CVE-2025-14798 – LearnPress – WordPress LMS Plugin <= 4.3.2.4 - Missing Authorization to Unauthenticated Sensitive User Information Disclosure via REST API
https://notcve.org/view.php?id=CVE-2025-14798
19 Jan 2026 — The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included. • https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L134 • CWE-862: Missing Authorization
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2026-0519 – Information Disclosure in Secure Access Between 12.70 and 14.20
https://notcve.org/view.php?id=CVE-2026-0519
17 Jan 2026 — In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system. • https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0519
CVSS: 7.6 • EPSS: 0% • CPEs: - • EXPL: 0
CVE-2025-64769 – AVEVA Process Optimization Cleartext Transmission of Sensitive Information
https://notcve.org/view.php?id=CVE-2025-64769
16 Jan 2026 — The Process Optimization application suite leverages connection channels/protocols that by default are not encrypted and could become subject to hijacking or data leakage in certain man-in-the-middle or passive inspection scenarios. • https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json • CWE-319: Cleartext Transmission of Sensitive Information
CVSS: 7.8 • EPSS: 0% • CPEs: - • EXPL: 1
CVE-2025-69581 – Chamillo LMS 1.11.2 Missing Cache Header
https://notcve.org/view.php?id=CVE-2025-69581
16 Jan 2026 — Chamillo LMS version 1.11.2 is missing a cache header that leads to information disclosure. • https://packetstorm.news/files/id/214047 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 7.8 • EPSS: 0% • CPEs: - • EXPL: 1
CVE-2020-36926 – SmarterTools SmarterTrack 7922 - Information Disclosure
https://notcve.org/view.php?id=CVE-2020-36926
15 Jan 2026 — SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. • https://www.vulncheck.com/advisories/smartertools-smartertrack-information-disclosure • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2025-36911
https://notcve.org/view.php?id=CVE-2025-36911
15 Jan 2026 — This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. • https://source.android.com/security/bulletin/pixel/2026-01-01
