CVSS: 6.9 • EPSS: % • CPEs: 3 • EXPL: 0 • CVE-2026-41181 – Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service
https://notcve.org/view.php?id=CVE-2026-41181
15 May 2026 — Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. • https://github.com/traefik/traefik/security/advisories/GHSA-p6hg-qh38-555r • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 10.0 • EPSS: % • CPEs: - • EXPL: 0 • CVE-2026-2031 – Google Cloud Application Integration: Exposed internal APIs allow Information Disclosure and Remote Code Execution.
https://notcve.org/view.php?id=CVE-2026-2031
15 May 2026 — An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code using specially crafted HTTP requests to inadvertently exposed internal API endpoints. • https://docs.cloud.google.com/gemini/enterprise/docs/release-notes#May_07_2026 • CWE-862: Missing Authorization •
CVSS: 8.5 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2026-28761
https://notcve.org/view.php?id=CVE-2026-28761
15 May 2026 — Cross-site request forgery vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. • https://jvn.jp/en/jp/JVN69128376 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2026-24662
https://notcve.org/view.php?id=CVE-2026-24662
15 May 2026 — Cross-site scripting vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. • https://jvn.jp/en/jp/JVN69128376 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.9 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2025-48520
https://notcve.org/view.php?id=CVE-2025-48520
15 May 2026 — An improper input validation vulnerability within the AMD Platform Management Framework (PMF) driver can allow a local attacker to read out of bounds, potentially resulting in information disclosure or a crash. • https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4015.html • CWE-125: Out-of-bounds Read •
CVSS: 6.9 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-45248 – Hedera Guardian Authentication Bypass Information Disclosure
https://notcve.org/view.php?id=CVE-2026-45248
14 May 2026 — Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users in the system. • https://www.vulncheck.com/advisories/hedera-guardian-authentication-bypass-information-disclosure • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.6 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2026-41615 – Microsoft Authenticator Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2026-41615
14 May 2026 — Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41615 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-42572 – Hatchet: Cross-tenant information disclosure in `listTasksByDAGIds`
https://notcve.org/view.php?id=CVE-2026-42572
14 May 2026 — Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant's UUID and a DAG UUID belonging to that tenant, and receive task metadata for that DAG. This vulnerability is fixed in 0.83.39. • https://github.com/hatchet-dev/hatchet/security/advisories/GHSA-55gc-6fmc-fpx9 • CWE-639: Authorization Bypass Through User-Controlled Key • CWE-863: Incorrect Authorization •
CVSS: 7.6 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2026-44516 – Valtimo: Sensitive data exposure through HTTP request/response logging in LoggingRestClientCustomizer
https://notcve.org/view.php?id=CVE-2026-44516
14 May 2026 — Valtimo is an open-source business process automation platform. From 12.4.0 to 12.33.0 and 13.26.0, the LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring's RestClient and logs the full request body, response body, and response headers. When an error response is received, this information is included in the thrown HttpClientErrorException message, which is logged at ERROR level by Spring's default exception handling — regardless of the application'... • https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-3jh5-rr2q-xfv7 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 2.6 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-62317 – HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters.
https://notcve.org/view.php?id=CVE-2025-62317
14 May 2026 — Passing sensitive data in URLs may expose it through browser history, logs, or intermediary systems, potentially leading to unintended information disclosure under certain conditions. • https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130636 • CWE-598: Use of GET Request Method With Sensitive Query Strings •
