CWE-209
Generation of Error Message Containing Sensitive Information
Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-215 · CAPEC-463 · CAPEC-54 · CAPEC-7
CVEs mapped to this weakness (189)
page 6 of 10| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-65995 | 0.00 | — | 0.01 | Feb 21, 2026 | When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to… | |||
| CVE-2026-26957 | 0.00 | — | 0.00 | Feb 20, 2026 | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: Upon further research, the maintainer determined that the behavior described by the CVE record is intended behavior. Per the GitHub Security Advisory: "Libredesk is a single-tenant,… | |||
| CVE-2026-27004 | 0.00 | — | 0.00 | Feb 19, 2026 | OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a… | |||
| CVE-2025-64749 | 0.00 | — | 0.00 | Nov 13, 2025 | Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for… | |||
| CVE-2025-54291 | 0.00 | — | 0.00 | Oct 2, 2025 | Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses. | |||
| CVE-2025-43776 | 0.00 | — | 0.00 | Sep 9, 2025 | A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through… | |||
| CVE-2025-59016 | 0.00 | — | 0.00 | Sep 9, 2025 | Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations. | |||
| CVE-2025-43777 | 0.00 | — | 0.00 | Sep 9, 2025 | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 exposes "Internal Server Error" in the… | |||
| CVE-2025-54791 | 0.00 | — | 0.00 | Aug 13, 2025 | OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user.… | |||
| CVE-2025-5731 | 0.00 | — | 0.00 | Jun 26, 2025 | A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found. | |||
| CVE-2025-4166 | 0.00 | — | 0.00 | May 2, 2025 | Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified… | |||
| CVE-2025-23216 | 0.00 | — | 0.00 | Jan 30, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes… | |||
| CVE-2024-23945 | 0.00 | — | 0.01 | Dec 23, 2024 | Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation.… | |||
| CVE-2024-53948 | 0.00 | — | 0.01 | Dec 9, 2024 | Generation of Error Message Containing analytics metadata Information in Apache Superset. This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue. | |||
| CVE-2024-54141 | 0.00 | — | 0.00 | Dec 6, 2024 | phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (ie postgreSQL) server's credential when connection to DB fails. This vulnerability is fixed in 4.0.0. | |||
| CVE-2024-53253 | 0.00 | — | 0.01 | Nov 22, 2024 | Sentry is an error tracking and performance monitoring platform. Version 24.11.0, and only version 24.11.0, is vulnerable to a scenario where a specific error message generated by the Sentry platform could include a plaintext Client ID and Client Secret for an application… | |||
| CVE-2024-48896 | 0.00 | — | 0.00 | Nov 18, 2024 | A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site. | |||
| CVE-2021-3986 | 0.00 | — | 0.00 | Nov 15, 2024 | A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book… | |||
| CVE-2023-40457 | 0.00 | — | 0.00 | Nov 11, 2024 | The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this… | |||
| CVE-2024-7038 | 0.00 | — | 0.00 | Oct 9, 2024 | An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages… |
- CVE-2025-65995Feb 21, 2026risk 0.00cvss —epss 0.01
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to…
- CVE-2026-26957Feb 20, 2026risk 0.00cvss —epss 0.00
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: Upon further research, the maintainer determined that the behavior described by the CVE record is intended behavior. Per the GitHub Security Advisory: "Libredesk is a single-tenant,…
- CVE-2026-27004Feb 19, 2026risk 0.00cvss —epss 0.00
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a…
- CVE-2025-64749Nov 13, 2025risk 0.00cvss —epss 0.00
Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for…
- CVE-2025-54291Oct 2, 2025risk 0.00cvss —epss 0.00
Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
- CVE-2025-43776Sep 9, 2025risk 0.00cvss —epss 0.00
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through…
- CVE-2025-59016Sep 9, 2025risk 0.00cvss —epss 0.00
Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.
- CVE-2025-43777Sep 9, 2025risk 0.00cvss —epss 0.00
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 exposes "Internal Server Error" in the…
- CVE-2025-54791Aug 13, 2025risk 0.00cvss —epss 0.00
OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user.…
- CVE-2025-5731Jun 26, 2025risk 0.00cvss —epss 0.00
A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found.
- CVE-2025-4166May 2, 2025risk 0.00cvss —epss 0.00
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified…
- CVE-2025-23216Jan 30, 2025risk 0.00cvss —epss 0.00
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes…
- CVE-2024-23945Dec 23, 2024risk 0.00cvss —epss 0.01
Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation.…
- CVE-2024-53948Dec 9, 2024risk 0.00cvss —epss 0.01
Generation of Error Message Containing analytics metadata Information in Apache Superset. This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.
- CVE-2024-54141Dec 6, 2024risk 0.00cvss —epss 0.00
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (ie postgreSQL) server's credential when connection to DB fails. This vulnerability is fixed in 4.0.0.
- CVE-2024-53253Nov 22, 2024risk 0.00cvss —epss 0.01
Sentry is an error tracking and performance monitoring platform. Version 24.11.0, and only version 24.11.0, is vulnerable to a scenario where a specific error message generated by the Sentry platform could include a plaintext Client ID and Client Secret for an application…
- CVE-2024-48896Nov 18, 2024risk 0.00cvss —epss 0.00
A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.
- CVE-2021-3986Nov 15, 2024risk 0.00cvss —epss 0.00
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book…
- CVE-2023-40457Nov 11, 2024risk 0.00cvss —epss 0.00
The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this…
- CVE-2024-7038Oct 9, 2024risk 0.00cvss —epss 0.00
An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages…