CWE-209
Generation of Error Message Containing Sensitive Information
Base · Draft · Likelihood: High
Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-215 · CAPEC-463 · CAPEC-54 · CAPEC-7
CVEs mapped to this weakness (65)
Page 2 of 4

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-40760 | Med | 0.36 | 5.5 | 0.00 | | Nov 11, 2025 | A vulnerability has been identified in Altair Grid Engine (All versions < V2026.0.0). Affected products do not properly handle error messages and disclose sensitive password hash information when processing user authentication requests. This could allow a local attacker to extract password hashes for privileged accounts, which can then be subjected to offline brute-force attacks. |
| CVE-2025-9977 | Med | 0.35 | — | 0.03 | | Nov 18, 2025 | Value provided in one of POST parameters sent during the process of logging in to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. SQL injection attacks might also be feasible, although so far creating a working exploit has been prevented probably by backend filtering mechanisms. Additionally, command injection attempts cause the application to return extensive error messages disclosing some information about the internal infrastructure. Patching status is unknown because the vendor has not replied to messages sent by the CNA. |
| CVE-2024-13535 | Med | 0.35 | 5.3 | 0.01 | | Feb 18, 2025 | The Actionwear products sync plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.3.2. This is due to the composer-setup.php file being publicly accessible with 'display_errors' set to true. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. |
| CVE-2026-44226 | Med | 0.34 | 5.3 | 0.00 | | May 11, 2026 | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because `/web/<path:filename>` is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response. This vulnerability is fixed in 0.5.0b3.dev100. |
| CVE-2026-41931 | Med | 0.34 | 5.3 | 0.00 | | May 6, 2026 | Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests. |
| CVE-2025-31960 | Med | 0.34 | 5.3 | 0.00 | | May 6, 2026 | HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the application to trigger an unhandled exception. |
| CVE-2025-14243 | Med | 0.34 | 5.3 | 0.00 | | Apr 8, 2026 | A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation. |
| CVE-2025-15526 | Med | 0.34 | 5.3 | 0.00 | | Jan 16, 2026 | The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. |
| CVE-2025-9122 | Med | 0.34 | 5.3 | 0.00 | | Dec 15, 2025 | Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x, displays the full server stack trace when encountering an error within the GetCdfResource servlet. |
| CVE-2025-9229 | Med | 0.34 | 5.3 | 0.00 | | Aug 20, 2025 | Information disclosure vulnerability in error handling in MiR software prior to version 3.0.0 allows unauthenticated attackers to view detailed error information, such as file paths and other data, via access to verbose error pages. |
| CVE-2025-2239 | Med | 0.34 | 5.3 | 0.00 | | Mar 12, 2025 | Generation of Error Message Containing Sensitive Information vulnerability in Hillstone Networks Hillstone Next Generation FireWall. This issue affects Hillstone Next Generation FireWall: from 5.5R8P1 before 5.5R8P23. |
| CVE-2025-20002 | Med | 0.34 | 5.3 | 0.00 | | Mar 5, 2025 | After attempting to upload a file that does not meet prerequisites, GMOD Apollo will respond with local path information disclosure. |
| CVE-2024-13540 | Med | 0.34 | 5.3 | 0.00 | | Feb 18, 2025 | The WooODT Lite – Delivery & pickup date time location for WooCommerce plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.5.1. This is due to the /inc/bycwooodt_get_all_orders.php file being publicly accessible and generating a publicly visible error message. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. |
| CVE-2024-13538 | Med | 0.34 | 5.3 | 0.01 | | Feb 18, 2025 | The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0.0. This is due to the /vendor/cocur/slugify/bin/generate-default.php file being directly accessible and triggering an error. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. |
| CVE-2025-24552 | Med | 0.34 | 5.3 | 0.00 | | Jan 24, 2025 | Generation of Error Message Containing Sensitive Information vulnerability in paytiumsupport Paytium paytium allows Retrieve Embedded Sensitive Data. This issue affects Paytium: from n/a through <= 4.4.11. |
| CVE-2024-13536 | Med | 0.34 | 5.3 | 0.00 | | Jan 21, 2025 | The 1003 Mortgage Application plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.87. This is due to the /inc/class/fnm/export.php file being publicly accessible with error logging enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. |
| CVE-2024-54366 | Med | 0.34 | 5.3 | 0.00 | | Dec 16, 2024 | Generation of Error Message Containing Sensitive Information vulnerability in videogallery Vimeography vimeography allows Retrieve Embedded Sensitive Data. This issue affects Vimeography: from n/a through <= 2.4.4. |
| CVE-2024-50512 | Med | 0.34 | 5.3 | 0.00 | | Oct 30, 2024 | Generation of Error Message Containing Sensitive Information vulnerability in Posti Posti Shipping posti-shipping allows Retrieve Embedded Sensitive Data. This issue affects Posti Shipping: from n/a through <= 3.10.2. |
| CVE-2024-7426 | Med | 0.34 | 5.3 | 0.01 | | Sep 25, 2024 | The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.6.0. This is due to the plugin displaying errors and allowing direct access to the sse.php file. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. |
| CVE-2017-1370 | Med | 0.32 | 4.9 | 0.00 | | Jul 31, 2017 | IBM Jazz Reporting Service (JRS) 5.0 and 6.0 could disclose sensitive information, including user credentials, through an error message from the Report Builder administrator configuration page. IBM X-Force ID: 126863. |