Total
723 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-39665 | 1 Nagvis | 1 Nagvis | 2025-12-19 | 5.3 Medium |
| User enumeration in Nagvis' Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames. | ||||
| CVE-2023-53943 | 1 Glpi-project | 1 Glpi | 2025-12-19 | 5.3 Medium |
| GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts. | ||||
| CVE-2025-43739 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-19 | 4.3 Medium |
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allow any authenticated user to modify the content of emails sent through the calendar portlet, allowing an attacker to send phishing emails to any other user in the same organization. | ||||
| CVE-2025-63094 | 1 Openxiangshan | 1 Xiangshan | 2025-12-18 | 7.5 High |
| XiangShan Nanhu V2 and XiangShan Kunmighu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache. | ||||
| CVE-2025-68164 | 1 Jetbrains | 1 Teamcity | 2025-12-18 | 2.7 Low |
| In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test | ||||
| CVE-2024-10929 | 1 Arm | 8 Cortex-a57, Cortex-a57 Firmware, Cortex-a72 and 5 more | 2025-12-18 | 5.1 Medium |
| In certain circumstances, an issue in Arm Cortex-A57, Cortex-A72 (revisions before r1p0), Cortex-A73 and Cortex-A75 may allow an adversary to gain a weak form of control over the victim's branch history. | ||||
| CVE-2024-7881 | 1 Arm | 18 C1-premium, C1-premium Firmware, C1-pro and 15 more | 2025-12-18 | 5.1 Medium |
| An unprivileged context can trigger a data memory-dependent prefetch engine to fetch the contents of a privileged location and consume those contents as an address that is also dereferenced. | ||||
| CVE-2020-14145 | 3 Netapp, Openbsd, Redhat | 11 Active Iq Unified Manager, Aff A700s, Aff A700s Firmware and 8 more | 2025-12-18 | 5.9 Medium |
| The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected. | ||||
| CVE-2025-65185 | 1 Entrinsik | 1 Informer | 2025-12-18 | 2.8 Low |
| There is a username enumeration via local user login in Entrinsik Informer v5.10.1 which allows malicious users to enumerate users by entering an OTP code and new password then reviewing application responses. | ||||
| CVE-2025-43751 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-18 | 5.3 Medium |
| User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA through update 92 allows remote attackers to determine if an account exist in the application via the create account page. | ||||
| CVE-2020-36888 | 1 Spinetix | 1 Fusion Digital Signage | 2025-12-17 | 5.3 Medium |
| SpinetiX Fusion Digital Signage 3.4.8 contains a username enumeration vulnerability in its login script that allows attackers to identify valid user accounts. Attackers can send crafted login requests with different usernames to distinguish between existing and non-existing accounts by analyzing the server's error responses. | ||||
| CVE-2025-43786 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-16 | 5.3 Medium |
| Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allow attackers to determine existent ERC in the application by exploit the time response. | ||||
| CVE-2025-43743 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-15 | 4.3 Medium |
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, given an attacker the possibility to send phishing to these users. | ||||
| CVE-2025-13912 | 1 Wolfssl | 1 Wolfssl | 2025-12-12 | N/A |
| Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks. | ||||
| CVE-2025-59702 | 1 Entrust | 11 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc and 8 more | 2025-12-08 | 7.2 High |
| Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components. | ||||
| CVE-2025-12888 | 1 Wolfssl | 1 Wolfssl | 2025-12-08 | 7.5 High |
| Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa. | ||||
| CVE-2025-11932 | 1 Wolfssl | 1 Wolfssl | 2025-12-08 | 4.3 Medium |
| The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder | ||||
| CVE-2025-64749 | 2 Directus, Monospace | 2 Directus, Directus | 2025-12-08 | 4.3 Medium |
| Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. Version 11.13.0 fixes the issue. | ||||
| CVE-2024-1544 | 1 Wolfssl | 1 Wolfssl | 2025-12-06 | 4.1 Medium |
| Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits. | ||||
| CVE-2020-36421 | 2 Arm, Debian | 2 Mbed Tls, Debian Linux | 2025-12-03 | 5.3 Medium |
| An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed. | ||||