CVE-2026-56171
Exposure of private personal information to an unauthorized actor in Windows RDP allows an unauthorized attacker to disclose information ove
CVSS
7.1
High
EPSS
—
KEV
—
Exploit Today
—
0-100
Published: Jul 17, 2026 · Last modified: Jul 17, 2026 · CWE-359
Not enough EPSS history yet.
Exposure of private personal information to an unauthorized actor in Windows RDP allows an unauthorized attacker to disclose information over a network.
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-342267.5 HIG36.9%
——11Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.3dCVE-2026-506574.7 MED33.4%
——10Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally.3dCVE-2025-658577.5 HIG29.6%
——9An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri exposes RTSP URIs containing hardcoded credentials enabling direct unauthorized video stream access.12dCVE-2026-623287.5 HIG29.3%
——99Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation histories including system prompts, user messages, assistant responses, tool calls, and user email addresses by querying the request-logs and request-details API routes which lack authentication middleware.2dCVE-2026-561247.5 HIG28.8%
——9phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.3dCVE-2026-579606.5 MED26.1%
——8Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.3d