VYPR

CWE-201

Insertion of Sensitive Information Into Sent Data

BaseDraft

Description

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-217 · CAPEC-612 · CAPEC-613 · CAPEC-618 · CAPEC-619 · CAPEC-621 · CAPEC-622 · CAPEC-623

CVEs mapped to this weakness (240)

page 11 of 12
  • CVE-2025-49300LowDec 16, 2025
    risk 0.18cvss 2.7epss 0.00

    Insertion of Sensitive Information Into Sent Data vulnerability in shinetheme Traveler Option Tree custom-option-tree allows Retrieve Embedded Sensitive Data.This issue affects Traveler Option Tree: from n/a through <= 2.8.

  • CVE-2025-62309LowMay 14, 2026
    risk 0.17cvss 2.6epss 0.00

    HCL AION is affected by a vulnerability where auto-complete functionality is enabled for certain input fields. This may allow sensitive information to be stored in the browser, potentially leading to unintended exposure under specific conditions.

  • CVE-2026-45739LowJun 4, 2026
    risk 0.13cvss 3.1epss 0.00

    Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization:…

  • CVE-2026-44970lowMay 14, 2026
    risk 0.07cvss epss 0.00

    *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.* ### Summary `DefaultUsageTracker.emit_tool_called_event()` in `src/dbt_mcp/tracking/tracking.py` serializes the complete `arguments` dictionary of every MCP…

  • CVE-2024-38372LowJul 8, 2024
    risk 0.06cvss 2.0epss 0.00

    Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2.

  • CVE-2024-50633Jan 16, 2025
    risk 0.01cvss epss 0.01

    A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product intentionally lets all users…

  • CVE-2026-22551Jun 18, 2026
    risk 0.00cvss epss 0.00

    In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an attacker could induce the AI agent to…

  • CVE-2026-32829Mar 20, 2026
    risk 0.00cvss epss 0.00

    lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly…

  • CVE-2026-2578Mar 16, 2026
    risk 0.00cvss epss 0.00

    Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579

  • CVE-2026-28481Mar 5, 2026
    risk 0.00cvss epss 0.00

    OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domains. When retrying downloads after…

  • CVE-2026-27465Feb 26, 2026
    risk 0.00cvss epss 0.00

    Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google…

  • CVE-2025-27555Feb 24, 2026
    risk 0.00cvss epss 0.00

    Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the…

  • CVE-2025-67857Feb 3, 2026
    risk 0.00cvss epss 0.00

    A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information…

  • CVE-2025-66388Dec 15, 2025
    risk 0.00cvss epss 0.00

    A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version…

  • CVE-2025-67721Dec 12, 2025
    risk 0.00cvss epss 0.00

    Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allow remote attackers to read previous…

  • CVE-2025-66304Dec 1, 2025
    risk 0.00cvss epss 0.00

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an…

  • CVE-2025-64748Nov 13, 2025
    risk 0.00cvss epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful…

  • CVE-2025-55155Nov 4, 2025
    risk 0.00cvss epss 0.00

    Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email…

  • CVE-2025-43825Oct 3, 2025
    risk 0.00cvss epss 0.00

    A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through…

  • CVE-2025-43814Sep 22, 2025
    risk 0.00cvss epss 0.00

    In Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions the audit events records a user’s password reminder answer, which…