CVSS: - | EPSS: % | CPEs: - | EXPL: 0 | CVE-2025-20789
https://notcve.org/view.php?id=CVE-2025-20789
02 Dec 2025 — In GPU pdma, there is a possible information disclosure due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. • https://corp.mediatek.com/product-security-bulletin/December-2025 • CWE-201: Insertion of Sensitive Information Into Sent Data
CVSS: 4.3 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2025-66306 – Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel
https://notcve.org/view.php?id=CVE-2025-66306
01 Dec 2025 — Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27. • https://github.com/getgrav/grav/commit/b7e1958a6e807ac14919447b60e5204a2ea77f62 • CWE-639: Authorization Bypass Through User-Controlled Key
CVSS: 5.3 | EPSS: 0% | CPEs: - | EXPL: 1 | CVE-2025-13807 – orionsec orion-ops API MachineKeyController.java MachineKeyController improper authorization
https://notcve.org/view.php?id=CVE-2025-13807
01 Dec 2025 — A vulnerability was detected in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected is the function MachineKeyController of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineKeyController.java of the component API. The manipulation results in improper authorization. The attack can be executed remotely. The exploit is now public and may be used. • https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-information-disclosure-1/report.md • CWE-266: Incorrect Privilege Assignment • CWE-285: Improper Authorization
CVSS: 5.3 | EPSS: 0% | CPEs: - | EXPL: 1 | CVE-2025-13804 – nutzam NutzBoot Ethereum Wallet EthModule.java information disclosure
https://notcve.org/view.php?id=CVE-2025-13804
01 Dec 2025 — Performing manipulation results in information disclosure. • https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-InfoLeak-1/report.md • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-284: Improper Access Control
CVSS: 5.3 | EPSS: 0% | CPEs: 6 | EXPL: 1 | CVE-2025-13785 – yungifez Skuul School Management System Image profile information disclosure
https://notcve.org/view.php?id=CVE-2025-13785
30 Nov 2025 — Such manipulation leads to information disclosure. • https://gist.github.com/thezeekhan/02f5255506080849fc732eea07008634 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-284: Improper Access Control
CVSS: 7.1 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-66027 – Rallly Information Disclosure Vulnerability in Participant API Leaks Names and Emails Despite Pro Privacy Settings
https://notcve.org/view.php?id=CVE-2025-66027
29 Nov 2025 — Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses, through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. • https://github.com/lukevella/rallly/commit/59738c04f9a8ec25f0af5ce20ad0eab6cf134963 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-284: Improper Access Control • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
CVSS: 4.3 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2025-12559 – Information Disclosure in Common Teams API
https://notcve.org/view.php?id=CVE-2025-12559
27 Nov 2025 — Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint. • https://mattermost.com/security-updates • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-59454 – Apache CloudStack: Lack of user permission validation leading to data leak for few APIs
https://notcve.org/view.php?id=CVE-2025-59454
27 Nov 2025 — In Apache CloudStack, a gap in access control checks affected the APIs createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory, and listVolumesUsageHistory. While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue. • https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-3784 – Information Disclosure Vulnerability in GX Works2
https://notcve.org/view.php?id=CVE-2025-3784
27 Nov 2025 — Cleartext Storage of Sensitive Information Vulnerability in GX Works2 all versions allows an attacker to disclose credential information stored in plaintext from project files. As a result, the attacker may be able to open project files protected by user authentication using disclosed credential information, and obtain or modify project information. • https://jvn.jp/vu/JVNVU95288056 • CWE-312: Cleartext Storage of Sensitive Information
CVSS: 3.3 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-20373 – Sensitive Information Disclosure in “_internal” index through Splunk Add-On for Palo Alto Networks
https://notcve.org/view.php?id=CVE-2025-20373
26 Nov 2025 — In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the _internal index during the addition of new “Data Security Accounts”. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabi... • https://advisory.splunk.com/advisories/SVD-2025-1105 • CWE-532: Insertion of Sensitive Information into Log File
