CWE-201
Insertion of Sensitive Information Into Sent Data
BaseDraft
Description
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-217 · CAPEC-612 · CAPEC-613 · CAPEC-618 · CAPEC-619 · CAPEC-621 · CAPEC-622 · CAPEC-623
CVEs mapped to this weakness (166)
page 1 of 9| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-49408 | Cri | 0.65 | 10.0 | 0.00 | Aug 20, 2025 | Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7. | |
| CVE-2024-7205 | Cri | 0.61 | — | 0.00 | Jul 31, 2024 | When the device is shared, the homepage module are before 2.19.0 in eWeLink Cloud Service allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information. | |
| CVE-2026-39912 | Cri | 0.59 | 9.1 | 0.00 | Apr 9, 2026 | V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges. | |
| CVE-2025-48045 | Hig | 0.57 | — | 0.01 | May 29, 2025 | An unauthenticated HTTP GET request to the /client.php endpoint will disclose the default administrator user credentials. | |
| CVE-2026-5483 | Hig | 0.55 | 8.5 | 0.00 | Apr 10, 2026 | A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to Kubernetes resources. | |
| CVE-2025-24858 | Hig | 0.54 | — | 0.00 | Jan 26, 2025 | Develocity (formerly Gradle Enterprise) before 2024.3.1 allows an attacker who has network access to a Develocity server to obtain the hashed password of the system user. The hash algorithm used by Develocity was chosen according to best practices for password storage and provides some protection against brute-force attempts. The applicable severity of this vulnerability depends on whether a Develocity server is accessible by external or unauthorized users, and the complexity of the System User password. | |
| CVE-2025-3529 | Hig | 0.53 | 8.2 | 0.01 | Apr 23, 2025 | The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.2 via the 'file_url' parameter. This makes it possible for unauthenticated attackers to view potentially sensitive information and download a digital product without paying for it. | |
| CVE-2024-32825 | Hig | 0.51 | 7.5 | 0.26 | Apr 24, 2024 | Insertion of Sensitive Information Into Sent Data vulnerability in Simply Static Simply Static simply-static.This issue affects Simply Static: from n/a through <= 3.1.3. | |
| CVE-2026-42379 | Hig | 0.50 | 7.7 | 0.00 | Apr 27, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1. | |
| CVE-2026-40161 | Hig | 0.50 | 7.7 | 0.00 | Apr 21, 2026 | Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to 1.10.0, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing serverURL to an attacker-controlled endpoint. | |
| CVE-2024-23506 | Hig | 0.50 | 7.7 | 0.00 | Jan 27, 2024 | Insertion of Sensitive Information Into Sent Data vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.9. | |
| CVE-2026-4525 | Hig | 0.49 | 7.5 | 0.00 | Apr 17, 2026 | If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16. | |
| CVE-2026-32538 | Hig | 0.49 | 7.5 | 0.00 | Mar 25, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in Noor Alam SMTP Mailer smtp-mailer allows Retrieve Embedded Sensitive Data.This issue affects SMTP Mailer: from n/a through <= 1.1.24. | |
| CVE-2026-27406 | Hig | 0.49 | 7.5 | 0.00 | Mar 5, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in Joe Dolson My Tickets my-tickets allows Retrieve Embedded Sensitive Data.This issue affects My Tickets: from n/a through <= 2.1.0. | |
| CVE-2026-27370 | Hig | 0.49 | 7.5 | 0.00 | Mar 5, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in Premio Chaty chaty allows Retrieve Embedded Sensitive Data.This issue affects Chaty: from n/a through <= 3.5.1. | |
| CVE-2020-37093 | Hig | 0.49 | 7.5 | 0.00 | Feb 3, 2026 | Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET request to the endpoint to extract sensitive network credentials including SSID and WiFi passwords in plain text. | |
| CVE-2025-68035 | Hig | 0.49 | 7.5 | 0.00 | Jan 22, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in tabbyai Tabby Checkout tabby-checkout allows Retrieve Embedded Sensitive Data.This issue affects Tabby Checkout: from n/a through <= 5.8.4. | |
| CVE-2025-67931 | Hig | 0.49 | 7.5 | 0.00 | Jan 8, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in AITpro BulletProof Security bulletproof-security allows Retrieve Embedded Sensitive Data.This issue affects BulletProof Security: from n/a through <= 6.9. | |
| CVE-2025-68033 | Hig | 0.49 | 7.5 | 0.00 | Jan 5, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts custom-related-posts allows Retrieve Embedded Sensitive Data.This issue affects Custom Related Posts: from n/a through <= 1.8.0. | |
| CVE-2025-66116 | Hig | 0.49 | 7.5 | 0.00 | Dec 18, 2025 | Insertion of Sensitive Information Into Sent Data vulnerability in UserElements Ultimate Member Widgets for Elementor ultimate-member-widgets-for-elementor allows Retrieve Embedded Sensitive Data.This issue affects Ultimate Member Widgets for Elementor: from n/a through <= 2.3. |