CVE-2026-50657
Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose informatio
CVSS
4.7
Medio
EPSS
0.4%
p33
KEV
—
Exploit Today
10
0-100
Publicado: 14 jul 2026 · Última mod.: 15 jul 2026 · CWE-359
0.4%EPSS · 30 días0.4%
2026-07-152026-07-17
Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally.
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-342267.5 ALT36.9%
——11Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.3dCVE-2025-658577.5 ALT29.6%
——9An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri exposes RTSP URIs containing hardcoded credentials enabling direct unauthorized video stream access.13dCVE-2026-623287.5 ALT29.3%
——99Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation histories including system prompts, user messages, assistant responses, tool calls, and user email addresses by querying the request-logs and request-details API routes which lack authentication middleware.2dCVE-2026-561247.5 ALT28.8%
——9phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.3dCVE-2026-579606.5 MED26.1%
——8Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.3dCVE-2026-582977.1 ALT22.9%
——7Exposure of private personal information to an unauthorized actor in Microsoft Edge for Android allows an unauthorized attacker to disclose information over a network.11d