VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 22 of 366
  • CVE-2016-3765 · High · Jul 11, 2016
    risk 0.50 · cvss 7.7 · epss 0.00

    decoder/impeg2d_bitstream.c in mediaserver in Android 6.x before 2016-07-01 allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via a crafted application, aka internal bug 28168413.

  • CVE-2016-0267 · High · Jun 29, 2016
    risk 0.50 · cvss 7.7 · epss 0.01

    IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and 6.2.x before 6.2.1.1 allows remote authenticated users to obtain sensitive cleartext secure-property information via (1) the server UI or (2) a database request.

  • CVE-2016-1079 · High · May 11, 2016
    risk 0.50 · cvss 7.5 · epss 0.10

    Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to obtain sensitive information from process memory via unspecified vectors, a…

  • CVE-2016-0047 · High · Feb 10, 2016
    risk 0.50 · cvss 7.5 · epss 0.21

    WinForms in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 allows remote attackers to obtain sensitive information from process memory via crafted icon data, aka "Windows Forms Information Disclosure Vulnerability."

  • CVE-2026-50870 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.

  • CVE-2026-39007 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in Observeinc's Observe v.2026-01-28 and before allows a remote attacker to obtain sensitive information via the CSV Log export component.

  • CVE-2026-36719 · High · Jun 9, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs.

  • CVE-2026-50210 · High · Jun 4, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The device encrypts data using AES-CBC with static zero-filled Initialization Vectors (IVs), making it susceptible to replay attacks and known-plaintext decryption.

  • CVE-2026-49193 · High · Jun 4, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet.

  • CVE-2026-49187 · High · Jun 4, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse.

  • CVE-2026-41032 · High · Jun 3, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    It is possible for an unauthenticated adjacent attacker to download log files of the controller, which may disclose some restricted information.

  • CVE-2026-45332 · High · May 28, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The…

  • CVE-2026-8967 · High · May 19, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Information disclosure in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

  • CVE-2026-8966 · High · May 19, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

  • CVE-2026-8965 · High · May 19, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Information disclosure in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

  • CVE-2026-31909 · High · May 19, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

  • CVE-2026-39079 · High · May 18, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in prestashop upsshipping, all versions through at least 2.4.0, allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/ and /modules/upsshipping/lib/UPSBaseApi.php components.

  • CVE-2026-28976 · High · May 11, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An information leakage was addressed with additional validation. This issue is fixed in macOS Tahoe 26.5. An app may be able to gain root privileges.

  • CVE-2026-28962 · High · May 11, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    This issue was addressed with improved access restrictions. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may disclose sensitive user information.

  • CVE-2026-34091 · High · May 11, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.