CWE-201
Insertion of Sensitive Information Into Sent Data
Description
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-217 · CAPEC-612 · CAPEC-613 · CAPEC-618 · CAPEC-619 · CAPEC-621 · CAPEC-622 · CAPEC-623
CVEs mapped to this weakness (240)
page 4 of 12
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42384 | | Hig | 0.42 | 7.5 | 0.00 | | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in Simply Schedule Appointments < 1.6.11.2 versions. |
| CVE-2026-49064 | | Hig | 0.42 | 7.5 | 0.00 | | Jun 15, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue affects GetPaid: from n/a through 2.8.49. |
| CVE-2026-44487 | | Hig | 0.42 | 7.5 | 0.00 | | Jun 11, 2026 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an… |
| CVE-2026-42539 | | Med | 0.42 | 6.5 | 0.00 | | Jun 4, 2026 | IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client’s operation. Version 2.4.28 contains a patch. |
| CVE-2026-48877 | | Med | 0.42 | 6.5 | 0.00 | | May 27, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0. |
| CVE-2026-4525 | | Hig | 0.42 | 7.5 | 0.00 | | Apr 17, 2026 | If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16. |
| CVE-2026-4927 | | Med | 0.42 | 6.5 | 0.00 | | Apr 1, 2026 | Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11. |
| CVE-2026-34226 | | Hig | 0.42 | 7.5 | 0.00 | | Mar 27, 2026 | Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used.… |
| CVE-2026-25339 | | Med | 0.42 | 6.5 | 0.00 | | Mar 25, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data. This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7. |
| CVE-2026-23546 | | Med | 0.42 | 6.5 | 0.00 | | Mar 5, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data. This issue affects Classified Listing: from n/a through <= 5.3.4. |
| CVE-2026-28131 | | Med | 0.42 | 6.5 | 0.00 | | Feb 26, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Retrieve Embedded Sensitive Data. This issue affects Elementor Addon Elements: from n/a through <= 1.14.4. |
| CVE-2025-68006 | | Med | 0.42 | 6.5 | 0.00 | | Jan 22, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Retrieve Embedded Sensitive Data. This issue affects Booking Ultra Pro: from n/a through <= 1.1.23. |
| CVE-2025-68014 | | Med | 0.42 | 6.5 | 0.00 | | Jan 5, 2026 | Insertion of Sensitive Information Into Sent Data vulnerability in awethemes AweBooking awebooking allows Retrieve Embedded Sensitive Data. This issue affects AweBooking: from n/a through <= 3.2.26. |
| CVE-2025-68040 | | Med | 0.42 | 6.5 | 0.00 | | Dec 30, 2025 | Insertion of Sensitive Information Into Sent Data vulnerability in weDevs WP Project Manager wedevs-project-manager allows Retrieve Embedded Sensitive Data. This issue affects WP Project Manager: from n/a through <= 3.0.1. |
| CVE-2025-64295 | | Med | 0.42 | 6.5 | 0.00 | | Dec 18, 2025 | Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Retrieve Embedded Sensitive Data. This issue affects All In One SEO Pack: from n/a through <= 4.8.6.1. |
| CVE-2025-62038 | | Med | 0.42 | 6.5 | 0.00 | | Nov 6, 2025 | Insertion of Sensitive Information Into Sent Data vulnerability in Sovlix MeetingHub meetinghub allows Retrieve Embedded Sensitive Data. This issue affects MeetingHub: from n/a through <= 1.23.9. |
| CVE-2025-5519 | | Med | 0.42 | 6.5 | 0.00 | | Sep 16, 2025 | Insertion of Sensitive Information Into Sent Data vulnerability in ArgusTech BILGER allows Choosing Message Identifier. This issue affects BILGER: before 2.4.6. |
| CVE-2025-58872 | | Med | 0.42 | 6.5 | 0.00 | | Sep 5, 2025 | Insertion of Sensitive Information Into Sent Data vulnerability in premiumbizthemes Simple Price Calculator simple-price-calculator-basic allows Retrieve Embedded Sensitive Data. This issue affects Simple Price Calculator: from n/a through <= 1.3. |
| CVE-2025-41415 | — | Med | 0.42 | 6.5 | 0.00 | | Aug 21, 2025 | The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to access publication targets) to retrieve sensitive information that could then be used to gain additional access to downstream resources. |
| CVE-2025-54008 | | Med | 0.42 | 6.5 | 0.00 | | Aug 20, 2025 | Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetSmartFilters jet-smart-filters allows Retrieve Embedded Sensitive Data. This issue affects JetSmartFilters: from n/a through <= 3.6.7. |