
CVSS: - • EPSS: % • CPEs: - • EXPL: 0

15 Dec 2025 — This can leak database information. • https://iamanc.github.io/post/erpnext-ssti-bug-1

CVSS: - • EPSS: % • CPEs: - • EXPL: 0

15 Dec 2025 — This vulnerability can be used to leak database information. • https://iamanc.github.io/post/erpnext-ssti-bug-2

CVSS: - • EPSS: % • CPEs: - • EXPL: 0

15 Dec 2025 — This vulnerability can be used to leak database information. • https://iamanc.github.io/post/erpnext-ssti-bug-3

CVSS: - • EPSS: % • CPEs: - • EXPL: 0

15 Dec 2025 — This leads to server-side code execution or database information disclosure. • https://iamanc.github.io/post/erpnext-ssti-bug-4

CVSS: - • EPSS: % • CPEs: - • EXPL: 0

15 Dec 2025 — This leads to information disclosure from the database, such as database version, schema details, or sensitive values, depending on the injected payload. Exploitation flow: create a Print Format with an SSTI payload in the html field; call the get_html_and_style() API; this triggers frappe.render_template(template, doc) inside get_rendered_template(), which leaks database information via frappe.db.sql or other exposed globals. • https://iamanc.github.io/post/erpnext-ssti-bug-5

CVSS: 5.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Dec 2025 — This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services). • https://github.com/kubernetes/kubernetes/issues/135525 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Dec 2025 — Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse... • https://github.com/airlift/aircompressor/commit/f2b489b398779b40c1ee29ddb11d7edef54ddc15 • CWE-125: Out-of-bounds Read • CWE-201: Insertion of Sensitive Information Into Sent Data

CVSS: 3.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Dec 2025 — An information disclosure issue was addressed with improved privacy controls. • https://support.apple.com/en-us/125632 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Dec 2025 — An information disclosure issue was addressed with improved privacy controls. • https://support.apple.com/en-us/125887

CVSS: 3.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Dec 2025 — The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. • https://plugins.trac.wordpress.org/changeset/3386907/buddypress-media/tags/4.7.4/app/main/controllers/api/RTMediaJsonApi.php • CWE-862: Missing Authorization