CWE-201
Insertion of Sensitive Information Into Sent Data
Description
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-217 · CAPEC-612 · CAPEC-613 · CAPEC-618 · CAPEC-619 · CAPEC-621 · CAPEC-622 · CAPEC-623
CVEs mapped to this weakness (240)
Page 1 of 12

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-49408 | | Cri | 0.65 | 10.0 | 0.00 | | Aug 20, 2025 | Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7. |
| CVE-2024-7205 | | Cri | 0.61 | — | 0.01 | | Jul 31, 2024 | When the device is shared, the homepage module are before 2.19.0 in eWeLink Cloud Service allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information. |
| CVE-2025-11500 | | Hig | 0.57 | — | 0.00 | | Mar 16, 2026 | Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication mechanisms - one solely for interface management and one for protecting all other server resources. When the latter is turned off (which is a default setting), an… |
| CVE-2025-48045 | | Hig | 0.57 | — | 0.01 | | May 29, 2025 | An unauthenticated HTTP GET request to the /client.php endpoint will disclose the default administrator user credentials. |
| CVE-2026-5483 | | Hig | 0.55 | 8.5 | 0.00 | | Apr 10, 2026 | A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain… |
| CVE-2025-24858 | | Hig | 0.54 | — | 0.00 | | Jan 26, 2025 | Develocity (formerly Gradle Enterprise) before 2024.3.1 allows an attacker who has network access to a Develocity server to obtain the hashed password of the system user. The hash algorithm used by Develocity was chosen according to best practices for password storage and… |
| CVE-2026-39912 | | Cri | 0.52 | 9.1 | 0.01 | | Apr 9, 2026 | V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known… |
| CVE-2024-32825 | | Hig | 0.51 | 7.5 | 0.02 | | Apr 24, 2024 | Insertion of Sensitive Information Into Sent Data vulnerability in Simply Static Simply Static simply-static. This issue affects Simply Static: from n/a through <= 3.1.3. |
| CVE-2026-42379 | | Hig | 0.50 | 7.7 | 0.00 | | Apr 27, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.6.1. |
| CVE-2024-23506 | | Hig | 0.50 | 7.7 | 0.01 | | Jan 27, 2024 | Insertion of Sensitive Information Into Sent Data vulnerability in InstaWP InstaWP Connect instawp-connect. This issue affects InstaWP Connect: from n/a through <= 0.1.0.9. |
| CVE-2026-52695 | | Hig | 0.49 | 7.5 | 0.00 | | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions. |
| CVE-2026-52692 | | Hig | 0.49 | 7.5 | 0.00 | | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions. |
| CVE-2026-42667 | | Hig | 0.49 | 7.5 | 0.00 | | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in Bookly <= 27.4 versions. |
| CVE-2026-40789 | | Hig | 0.49 | 7.5 | 0.00 | | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in Amelia <= 2.2 versions. |
| CVE-2026-39480 | | Hig | 0.49 | 7.5 | 0.00 | | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in Backup Migration <= 2.1.1 versions. |
| CVE-2026-42673 | | Hig | 0.49 | 7.5 | 0.00 | | Jun 1, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity allows Retrieve Embedded Sensitive Data. This issue affects Activity Logs, User Activity Tracking, Multisite… |
| CVE-2026-32538 | — | Hig | 0.49 | 7.5 | 0.00 | | Mar 25, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in Noor Alam SMTP Mailer smtp-mailer allows Retrieve Embedded Sensitive Data. This issue affects SMTP Mailer: from n/a through <= 1.1.24. |
| CVE-2026-27406 | | Hig | 0.49 | 7.5 | 0.00 | | Mar 5, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in Joe Dolson My Tickets my-tickets allows Retrieve Embedded Sensitive Data. This issue affects My Tickets: from n/a through <= 2.1.0. |
| CVE-2026-27370 | | Hig | 0.49 | 7.5 | 0.00 | | Mar 5, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in Premio Chaty chaty allows Retrieve Embedded Sensitive Data. This issue affects Chaty: from n/a through <= 3.5.1. |
| CVE-2020-37093 | | Hig | 0.49 | 7.5 | 0.00 | | Feb 3, 2026 | Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET request to the endpoint to extract sensitive network credentials including SSID… |