
GDIT is a global technology and professional services company that delivers solutions, technology and mission services to every major agency across the U.S. government, defense and intelligence community. Our 30,000 experts extract the power of technology to create immediate value and deliver solutions at the edge of innovation. We operate across 50+ countries worldwide, offering leading capabilities in digital modernization, AI/ML, Cloud, Cyber and application development. GDIT is part of General Dynamics, a global aerospace and defense company. We have shared our clients’ sense of purpose for over half a century and have a unique understanding of their missions, complex environments, and a rapidly changing world. Together with our clients, we strive to create a safer, smarter world by harnessing the power of deep expertise and advanced technology.

General Dynamics Information Technology A.I CyberSecurity Scoring

GDIT

Company Details

LinkedIn ID: gdit
Number of employees: 26,279
Number of followers: 314,641
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: gdit.com
IP Addresses: 0
Company ID: GEN_2314700
Scan Status: In-progress

GDIT Risk Score (AI oriented): Between 750 and 799


GDIT Company CyberSecurity News & History

Past Incidents
1
Attack Types
1

General Dynamics Information Technology: Beyond DSPM Dashboards: Why Data Movement Remains an Underrated Risk
Vulnerability
Severity: 85
Impact: 4
Seen: 12/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: The Critical Gap in Data Security: Governing Data in Motion

Organizations have made significant progress in mapping their data landscapes, leveraging Data Security Posture Management (DSPM) tools to identify sensitive information, regulated records, and high-risk data concentrations. While visibility into data at rest has improved, a persistent blind spot remains: data in motion. Once information leaves secure repositories (via email, file-sharing platforms, APIs, or web forms), governance often becomes fragmented. This disconnect stems from legacy architectures where storage and transmission systems evolved independently, each with distinct security models and workflows.

### The Core Challenge: Decentralized Movement and Fragmented Policies

Three key factors exacerbate this gap:

1. Decentralized Movement – Data flows through disparate channels (email, collaboration tools, automated workflows) without a unified control layer.
2. System-Centric Policies – Organizations enforce separate rules for email, file transfers, and partner access, but sensitive data doesn’t adhere to these boundaries.
3. Fractured Auditability – Tracking data movement requires piecing together logs from multiple systems, each with varying retention and detail levels.

### A Shift Toward Data-Centric Governance

A promising solution lies in treating data labels as actionable policy signals. Traditionally, classification (via MIP labels, custom taxonomies, or DSPM insights) has been confined to storage systems. However, for labels to mitigate risk, they must travel with the data and influence decisions across transmission platforms. Recent integrations, such as the collaboration between BigID and Kiteworks, exemplify this shift. By connecting DSPM-driven classification with enforcement frameworks spanning email, file transfers, APIs, and web forms, organizations can enforce consistent policies regardless of how data moves.

### Impact on Managed Security Service Providers (MSSPs)

For MSSPs, this evolution presents opportunities to:

- Transform assessments into continuous programs by leveraging classification-driven enforcement for ongoing policy orchestration.
- Reduce policy sprawl by defining data-centric rules (e.g., "encryption required for external sharing of sensitive data") that apply uniformly across channels.
- Enhance third-party oversight with controls that persist beyond enterprise boundaries, improving supply-chain security.
- Accelerate incident response by providing immutable logs tied to data classifications, reducing investigation time and regulatory uncertainty.

### Real-World Applications

Connecting classification with enforcement addresses critical scenarios:

- Outbound sharing of regulated data – Applying consistent controls (encryption, watermarking, or blocking) when sensitive data leaves via email or file-sharing.
- Secure collaboration with partners – Retaining predictable controls for intellectual property, legal documents, or engineering files crossing organizational boundaries.
- High-risk data intake – Routing web form submissions through governed channels to enforce access, encryption, and audit requirements.
- Post-incident reconstruction – Using immutable logs to clarify data movement, reducing notification costs and regulatory friction.

### The Path Forward

Data governance is transitioning from a system-centric model ("protect the repository") to a data-centric approach ("protect the information wherever it goes"). While DSPM has advanced visibility, the next phase involves integrating classification with enforcement across communication, transfer, and collaboration channels. The BigID-Kiteworks partnership reflects this broader industry trend, demonstrating how discovery and enforcement can work together to create a more coherent, auditable, and scalable approach to data movement governance.


Underwriter Stats for GDIT

Incidents vs IT Services and IT Consulting Industry Average (This Year)

No incidents recorded for General Dynamics Information Technology in 2026.

Incidents vs All-Companies Average (This Year)

No incidents recorded for General Dynamics Information Technology in 2026.

Incident Types GDIT vs IT Services and IT Consulting Industry Avg (This Year)

No incidents recorded for General Dynamics Information Technology in 2026.

Incident History — GDIT (X = Date, Y = Severity)

GDIT cyber incidents detection timeline including parent company and subsidiaries


GDIT Similar Companies

Birlasoft

Navigating Change. Powering Progress. | Reimagining the Future with Birlasoft Birlasoft, a powerhouse where domain expertise, enterprise solutions, and digital technologies converge to redefine business processes. We take pride in our consultative and design thinking approach, driving societal pro

UST is a global digital transformation solutions provider. For more than 20 years, UST has worked side by side with the world’s best companies to make a real impact through transformation. Powered by technology, inspired by people and led by purpose, UST partners with their clients from design to

Infosys BPM

Infosys BPM Ltd., the business process management subsidiary of Infosys Ltd. (NYSE: INFY), was set up in April 2002. Infosys BPM focuses on integrated end-to-end outsourcing and delivers transformational benefits to its clients through reduced costs, ongoing productivity improvements, and process re

Iron Mountain

In the era of AI, your data is your advantage. Yet too often it remains untapped: disconnected from systems, underutilized, untrained, and exposed to risk. Iron Mountain is the trusted partner for organizations of all sizes to unlock what’s possible, transforming information into intelligence and as

HCLTech

HCLTech is a global technology company, home to more than 226,300 people across 60 countries, delivering industry-leading capabilities centered around AI, digital, engineering, cloud and software, powered by a broad portfolio of technology services and products. We work with clients across all major

Indra Group (https://www.indragroup.com/) is the foremost Spanish multinational and one of the leading European companies that focus on defence and advanced technologies. It stands at the forefront of the defence, space, air traffic management, mobility, and Information Technology businesses through

Amazon Web Services (AWS)

Launched in 2006, Amazon Web Services (AWS) began exposing key infrastructure services to businesses in the form of web services -- now widely known as cloud computing. The ultimate benefit of cloud computing, and AWS, is the ability to leverage a new business model and turn capital infrastructure e

NTT DATA North America

NTT DATA, Inc. is a trusted global innovator of business and technology services. We're committed to helping clients innovate, optimize and transform for long-term success. Our R&D investments help organizations and society move confidently and sustainably into the digital future. As a Global Top Em

Sopra Steria

Sopra Steria, a major Tech player in Europe with 51,000 employees in nearly 30 countries, is recognised for its consulting, digital services and solutions. It helps its clients drive their digital transformation and obtain tangible and sustainable benefits. The Group provides end-to-end solutions to


GDIT CyberSecurity News

March 25, 2026 12:00 PM
AppGate Partners with GDIT to Provide Zero Trust Network Access for U.S. Air Force Next Generation Gateway Program

Industry-Leading ZTNA Solution is Part of GDIT's $120M NGG Task Order, Securing Over a Million Users Across 187 Air Force Bases Worldwide.

February 20, 2026 08:00 AM
GSA reveals first round of awards for Alliant 3 contract

After a series of protests that led to a protracted evaluation period, the General Services Administration is moving forward with the...

January 19, 2026 08:00 AM
General Dynamics to Deploy AI Cybersecurity Across 187 US Air Force Bases

General Dynamics Information Technology (GDIT) will deploy a new AI-powered cybersecurity system across 187 US Air Force bases worldwide.

January 16, 2026 08:00 AM
USAF selects GDIT for zero trust cybersecurity implementation

USAF selects GDIT for zero trust cybersecurity implementation. GDIT will use its Everest Zero Trust Digital Accelerator to deliver cybersecurity...

January 14, 2026 08:00 AM
GDIT Wins $120M Air Force Task Order to Deliver Zero Trust Cybersecurity

GDIT Wins $120M Air Force Task Order to Deliver Zero Trust Cybersecurity ... General Dynamics Information Technology has secured a $120 million...

January 06, 2026 08:00 AM
GDIT Secures $131M Task Order for Pacific Air Force Network Upgrades

Brian Sheridan, GDIT General Dynamics Information Technology has won the first task order under the U.S. Air Force's $8.75 billion Base...

December 18, 2025 08:00 AM
General Dynamics Wins a $285M Deal to Provide Cybersecurity Services

General Dynamics Corp.'s GD business unit, General Dynamics Information Technology (“GDIT”), recently won a $285 million contract to deliver...

December 18, 2025 08:00 AM
General Dynamics IT Wins $285M Cybersecurity Contract From Virginia

General Dynamics Information Technology said it has won a $285 million contract from the Commonwealth of Virginia to overhaul the state's...

December 17, 2025 08:00 AM
GDIT wins $285M state cybersecurity contract

GDIT wins $285M state cybersecurity contract ... General Dynamics Information Technology, a business unit of Reston-based Fortune 100 aerospace...


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

GDIT CyberSecurity History Information

Official Website of General Dynamics Information Technology

The official website of General Dynamics Information Technology is https://www.gdit.com.

General Dynamics Information Technology’s AI-Generated Cybersecurity Score

According to Rankiteo, General Dynamics Information Technology’s AI-generated cybersecurity score is 786, reflecting their Fair security posture.

How many security badges does General Dynamics Information Technology have?

According to Rankiteo, General Dynamics Information Technology currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Has General Dynamics Information Technology been affected by any supply chain cyber incidents ?

According to Rankiteo, General Dynamics Information Technology has not been affected by any supply chain cyber incidents, and no incident IDs are currently listed for the organization.

Does General Dynamics Information Technology have SOC 2 Type 1 certification ?

According to Rankiteo, General Dynamics Information Technology is not certified under SOC 2 Type 1.

Does General Dynamics Information Technology have SOC 2 Type 2 certification ?

According to Rankiteo, General Dynamics Information Technology does not hold a SOC 2 Type 2 certification.

Does General Dynamics Information Technology comply with GDPR ?

According to Rankiteo, General Dynamics Information Technology is not listed as GDPR compliant.

Does General Dynamics Information Technology have PCI DSS certification ?

According to Rankiteo, General Dynamics Information Technology does not currently maintain PCI DSS compliance.

Does General Dynamics Information Technology comply with HIPAA ?

According to Rankiteo, General Dynamics Information Technology is not compliant with HIPAA regulations.

Does General Dynamics Information Technology have ISO 27001 certification ?

According to Rankiteo, General Dynamics Information Technology is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of General Dynamics Information Technology

General Dynamics Information Technology operates primarily in the IT Services and IT Consulting industry.

Number of Employees at General Dynamics Information Technology

General Dynamics Information Technology employs approximately 26,279 people worldwide.

Subsidiaries Owned by General Dynamics Information Technology

General Dynamics Information Technology presently has no subsidiaries across any sectors.

General Dynamics Information Technology’s LinkedIn Followers

General Dynamics Information Technology’s official LinkedIn profile has approximately 314,641 followers.

NAICS Classification of General Dynamics Information Technology

General Dynamics Information Technology is classified under the NAICS code 5415, which corresponds to Computer Systems Design and Related Services.

General Dynamics Information Technology’s Presence on Crunchbase

No, General Dynamics Information Technology does not have a profile on Crunchbase.

General Dynamics Information Technology’s Presence on LinkedIn

Yes, General Dynamics Information Technology maintains an official LinkedIn profile, which is actively used for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/gdit.

Cybersecurity Incidents Involving General Dynamics Information Technology

As of March 28, 2026, Rankiteo reports that General Dynamics Information Technology has experienced 1 cybersecurity incident.

Number of Peer and Competitor Companies

General Dynamics Information Technology has an estimated 39,819 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at General Dynamics Information Technology ?

Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability.

How does General Dynamics Information Technology detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through third-party assistance (integration of DSPM tools, e.g., BigID, with enforcement frameworks, e.g., Kiteworks); containment measures (connecting classification engines with transmission platforms; applying consistent controls across email, file transfer, APIs, and forms); remediation measures (unified data-centric policies for data in motion; enhanced auditability of data movement; persistent controls beyond enterprise boundaries); and enhanced monitoring (immutable logs tied to data classifications for post-incident reconstruction).

Incident Details

Can you provide details on each incident ?

Incident : Data Governance Blind Spot

Title: None

Description: Organizations face a structural gap in data governance where visibility into data at rest outpaces governance of data in motion. This blind spot arises from decentralized data movement systems, fragmented policies, and fractured auditability, leading to risks in email, file sharing, APIs, and web forms. The incident highlights the need for integrating data classification with enforcement frameworks to govern data movement consistently.

Type: Data Governance Blind Spot

Vulnerability Exploited: Decentralized data movement systems; Fragmented policies for data in motion; Fractured auditability across communication channels

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Vulnerability.

Impact of the Incidents

What was the impact of each incident ?

Incident : Data Governance Blind Spot GDI1765641604

Data Compromised: Sensitive, regulated, or personal/financial data

Systems Affected: Email; File sharing platforms; Managed file transfer systems; APIs; Web forms

Operational Impact: Increased risk of data breaches, regulatory violations, and incident response challenges

Brand Reputation Impact: Potential erosion due to regulatory scrutiny or data breaches

Legal Liabilities: Increased risk of fines and legal actions due to non-compliance

Identity Theft Risk: Elevated due to exposure of personally identifiable information

Payment Information Risk: Elevated due to exposure of financial data

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Regulated Data (e.g., Financial, Health Records), Personal Data, Intellectual Property, and Engineering Files.

Which entities were affected by each incident ?

Incident : Data Governance Blind Spot GDI1765641604

Entity Type: Organizations with fragmented data governance

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Governance Blind Spot GDI1765641604

Third Party Assistance: Integration of DSPM tools (e.g., BigID) with enforcement frameworks (e.g., Kiteworks)

Containment Measures: Connecting classification engines with transmission platforms; Applying consistent controls across email, file transfer, APIs, and forms

Remediation Measures: Unified data-centric policies for data in motion; Enhanced auditability of data movement; Persistent controls beyond enterprise boundaries

Enhanced Monitoring: Immutable logs tied to data classifications for post-incident reconstruction

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Integration of DSPM tools (e.g., BigID) with enforcement frameworks (e.g., Kiteworks).

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Governance Blind Spot GDI1765641604

Type of Data Compromised: Regulated data (e.g., financial, health records), Personal data, Intellectual property, Engineering files

Sensitivity of Data: High

Data Exfiltration: Potential via email, file sharing, or APIs

Data Encryption: Recommended but not consistently applied

Personally Identifiable Information: Yes

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Unified data-centric policies for data in motion, Enhanced auditability of data movement, and Persistent controls beyond enterprise boundaries.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) by connecting classification engines with transmission platforms and applying consistent controls across email, file transfer, APIs, and forms.

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Data Governance Blind Spot GDI1765641604

Regulations Violated: Potential violations of privacy regulations (e.g., GDPR, CCPA, HIPAA)

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Data Governance Blind Spot GDI1765641604

Lessons Learned: Data governance must extend beyond storage to include data in motion, Fragmented policies increase risk and complicate compliance, Auditability of data movement is critical for incident response and regulatory disclosures, Labels and classifications should be actionable signals for enforcement

What recommendations were made to prevent future incidents ?

Incident : Data Governance Blind Spot GDI1765641604

Recommendations: Integrate DSPM insights with enforcement frameworks for data movement, Define data-centric policies that apply consistently across communication channels, Improve third-party oversight with persistent controls beyond enterprise boundaries, Enhance incident response with immutable logs tied to data classifications

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: Data governance must extend beyond storage to include data in motion; Fragmented policies increase risk and complicate compliance; Auditability of data movement is critical for incident response and regulatory disclosures; Labels and classifications should be actionable signals for enforcement.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Integrate DSPM insights with enforcement frameworks for data movement, Enhance incident response with immutable logs tied to data classifications, Improve third-party oversight with persistent controls beyond enterprise boundaries and Define data-centric policies that apply consistently across communication channels.

References

Where can I find more information about each incident ?

Incident : Data Governance Blind Spot GDI1765641604

Source: BigID and Kiteworks Integration

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the source: BigID and Kiteworks Integration.

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Governance Blind Spot GDI1765641604

Root Causes: Decentralized Data Movement Systems, Policies Written For Systems Rather Than Information, Fractured Auditability Across Platforms

Corrective Actions: Unified Data Movement Governance, Consistent Enforcement Of Data-Centric Policies, Integration Of Classification And Enforcement Frameworks

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Integration of DSPM tools (e.g., BigID) with enforcement frameworks (e.g., Kiteworks), Immutable logs tied to data classifications for post-incident reconstruction.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Unified Data Movement Governance, Consistent Enforcement Of Data-Centric Policies, and Integration Of Classification And Enforcement Frameworks.

Additional Questions

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident was Sensitive, regulated, or personal/financial data.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were Email, File sharing platforms, Managed file transfer systems, APIs, and Web forms.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Integration of DSPM tools (e.g., BigID) with enforcement frameworks (e.g., Kiteworks).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Connecting classification engines with transmission platforms and Applying consistent controls across email, file transfer, APIs, and forms.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach was Sensitive, regulated, or personal/financial data.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Labels and classifications should be actionable signals for enforcement.

What was the most significant recommendation implemented to improve cybersecurity?

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Integrate DSPM insights with enforcement frameworks for data movement, Enhance incident response with immutable logs tied to data classifications, Improve third-party oversight with persistent controls beyond enterprise boundaries and Define data-centric policies that apply consistently across communication channels.

References

What is the most recent source of information about an incident?

Most Recent Source: The most recent source of information about an incident is BigID and Kiteworks Integration.

Latest Global CVEs (Not Company-Specific)

Description

A flaw has been found in wandb OpenUI up to 1.0. This affects the function create_share/get_share of the file backend/openui/server.py of the component HTMLAnnotator Component. Executing a manipulation of the argument ID can lead to HTML injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Risk Information
cvss2
Base: 5.0
Severity: LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
cvss3
Base: 4.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
cvss4
Base: 5.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

A vulnerability was detected in QDOCS Smart School Management System up to 7.2. The impacted element is an unknown function of the file /admin/enquiry of the component Admission Enquiry Module. Performing a manipulation of the argument Note results in cross site scripting. The attack is possible to be carried out remotely.

Risk Information
cvss2
Base: 4.0
Severity: LOW
AV:N/AC:L/Au:S/C:N/I:P/A:N
cvss3
Base: 3.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
cvss4
Base: 5.1
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag being processed within post content via the '[um_loggedin]' shortcode, which generates a valid password reset token for the currently logged-in user viewing the page. This makes it possible for authenticated attackers, with Contributor-level access and above, to craft a malicious pending post that, when previewed by an Administrator, generates a password reset token for the Administrator and exfiltrates it to an attacker-controlled server, leading to full account takeover.

Risk Information
cvss3
Base: 8.0
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Description

LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.

Risk Information
cvss4
Base: 5.8
Severity: HIGH
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The CVE-2026-25521 patch replaced the `String.prototype.includes()`-based guard with a `RegExp.prototype.test()`-based guard. However, `RegExp.prototype.test` is itself a writable prototype method that can be overridden, making the new guard bypassable in the same way as the original — trading one hijackable built-in for another. Version 3.0.25 contains an updated fix.

Risk Information
cvss4
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=gdit' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.