VYPR

CWE-209

Generation of Error Message Containing Sensitive Information

Abstraction: Base · Status: Draft · Likelihood: High

Description

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-215 · CAPEC-463 · CAPEC-54 · CAPEC-7

CVEs mapped to this weakness (189)

page 1 of 10
  • CVE-2024-28285 · Critical · May 14, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    A Fault Injection vulnerability in the SymmetricDecrypt function in cryptopp/elgamal.h of Cryptopp Crypto++ 8.9, allows an attacker to co-reside in the same system with a victim process to disclose information and escalate privileges.

  • CVE-2018-14925 · Critical · Aug 3, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    Matera Banco 1.0.0 mishandles Java errors in the backend, as demonstrated by a stack trace revealing use of net.sf.acegisecurity components.

  • CVE-2018-11325 · Critical · May 22, 2018
    risk 0.64 · cvss 9.8 · epss 0.04

    An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and display the plaintext password for the administrator account at the confirmation…

  • CVE-2017-7551 · Critical · Aug 16, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on password attempts.

  • CVE-2017-7945 · Critical · Apr 29, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    The GlobalProtect external interface in Palo Alto Networks PAN-OS before 6.1.17, 7.x before 7.0.15, 7.1.x before 7.1.9, and 8.x before 8.0.2 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to…

  • CVE-2013-7331 · Medium · KEV · Feb 26, 2014
    risk 0.62 · cvss 6.5 · epss 0.58

    The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and…

  • CVE-2025-1395 · High · Jan 30, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping. This issue affects HeyGarson: through 30012026. NOTE: The vendor was contacted several times to…

  • CVE-2018-8042 · High · Jul 18, 2018
    risk 0.53 · cvss 8.1 · epss 0.02

    Apache Ambari, version 2.5.0 to 2.6.2, passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when the credential store feature is enabled for eligible services. For example, Hive and Oozie.

  • CVE-2026-48039 · Critical · Jun 11, 2026
    risk 0.52 · cvss n/a · epss 0.00

    Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token. Repository: pipeboard-co/meta-ads-mcp. Affected version: ≤ 1.0.101 (commit 496c988 ~ 7d14226); Versions 1.0.102–1.0.105 lack git…

  • CVE-2025-71282 · High · Apr 1, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions. This allows an attacker to obtain information about the server's directory structure.

  • CVE-2026-3259 · High · Apr 23, 2026
    risk 0.46 · cvss n/a · epss 0.00

    A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers…

  • CVE-2026-34045 · High · Apr 7, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing…

  • CVE-2025-40653 · Medium · May 26, 2025
    risk 0.45 · cvss n/a · epss 0.00

    User enumeration vulnerability in M3M Printer Server Web. This issue occurs during user authentication, where a difference in error messages could allow an attacker to determine whether a username is valid or not, allowing a brute force attack on valid usernames.

  • CVE-2026-42459 · High · May 27, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control…

  • CVE-2026-45728 · High · May 26, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or…

  • CVE-2026-42552 · High · May 13, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating.…

  • CVE-2026-43873 · High · May 11, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on every…

  • CVE-2026-40245 · High · Apr 16, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions 4.2.1 and below contain an information disclosure vulnerability in the UDR (Unified Data Repository) service. The handler for GET /nudr-dr/v2/application-data/influenceData/s…

  • CVE-2026-29146 · High · Apr 9, 2026
    risk 0.42 · cvss 7.5 · epss 0.04

    Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through…

  • CVE-2018-10913 · Medium · Sep 4, 2018
    risk 0.42 · cvss 6.5 · epss 0.02

    An information disclosure vulnerability was discovered in glusterfs server. An attacker could issue a xattr request via glusterfs FUSE to determine the existence of any file.