CVSS: 4.3 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2026-44374 – Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks
https://notcve.org/view.php?id=CVE-2026-44374
14 May 2026 — This is an information disclosure vulnerability affecting Backstage installations using this module. • https://github.com/backstage/backstage/security/advisories/GHSA-p7g9-rp3g-mgfg • CWE-863: Incorrect Authorization •
CVSS: 6.9 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-41933 – Vvveb < 1.0.8.3 Directory Listing Information Disclosure
https://notcve.org/view.php?id=CVE-2026-41933
14 May 2026 — Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. • https://www.vulncheck.com/advisories/vvveb-directory-listing-information-disclosure • CWE-548: Exposure of Information Through Directory Listing •
CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-6206 – MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
https://notcve.org/view.php?id=CVE-2026-6206
14 May 2026 — The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. • https://github.com/web-soudan/mw-wp-form/commit/77aed98f56fdddc19bddf21c8f12faa5086d9202 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.3 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2026-41281
https://notcve.org/view.php?id=CVE-2026-41281
13 May 2026 — A man-in-the-middle attacker may access and modify communications transmitted in plaintext, potentially resulting in information disclosure or data tampering. • https://jvn.jp/en/jp/JVN24167657 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-44377 – CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE
https://notcve.org/view.php?id=CVE-2026-44377
13 May 2026 — By leveraging this, an authenticated attacker with administrative privileges can bypass current restrictions and call native PHP functions within the templates, such as readgzfile() to read sensitive configuration files, or error_log() to write a malicious PHP web shell, ultimately achieving Information Disclosure and full Remote Code Execution (RCE). • https://github.com/cubecart/v6/commit/76d783c8c4d87a8a90dbfef1344a2733e7c6434c • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-42552 – Flight: Sensitive information disclosure via default error handler in flightphp/core
https://notcve.org/view.php?id=CVE-2026-42552
13 May 2026 — Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure — giving attackers primitives for chaining other weaknesses (LFI, path traversal). This vulnerability is fixed in 3.18... • https://github.com/flightphp/core/security/advisories/GHSA-qrch-52m5-vv85 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-0245 – Prisma Access Agent: Information Disclosure Vulnerabilities
https://notcve.org/view.php?id=CVE-2026-0245
13 May 2026 — Multiple information disclosure vulnerabilities in Prisma Access Agent® allow a local user to access sensitive configuration data and credentials. • https://security.paloaltonetworks.com/CVE-2026-0245 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.5 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2026-0240 – Trust Protection Foundation: Sensitive Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2026-0240
13 May 2026 — An information disclosure vulnerability in Trust Protection Foundation enables an authenticated attacker to obtain sensitive information from the server's vault. • https://security.paloaltonetworks.com/CVE-2026-0240 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 4.9 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2026-0239 – Chronosphere Chronocollector Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2026-0239
13 May 2026 — An information disclosure vulnerability in the Chronosphere Chronocollector enables an unauthenticated attacker with network access to the collector service to retrieve sensitive information. • https://security.paloaltonetworks.com/CVE-2026-0239 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 5.8 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2026-44002 – vm2: Host File Path Disclosure via Stack Trace Information Leak
https://notcve.org/view.php?id=CVE-2026-44002
13 May 2026 — vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server. This vulnerability is fixed in 3.11.0. • https://github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw • CWE-209: Generation of Error Message Containing Sensitive Information •
