VYPR

CWE-209

Generation of Error Message Containing Sensitive Information

Abstraction: Base · Status: Draft · Likelihood of Exploit: High

Description

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-215 · CAPEC-463 · CAPEC-54 · CAPEC-7

CVEs mapped to this weakness (189)

page 6 of 10
  • CVE-2025-65995 (Feb 21, 2026)
    risk 0.00 · cvss n/a · epss 0.01

    When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to…

  • CVE-2026-26957 (Feb 20, 2026)
    risk 0.00 · cvss n/a · epss 0.00

    Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: Upon further research, the maintainer determined that the behavior described by the CVE record is intended behavior. Per the GitHub Security Advisory: "Libredesk is a single-tenant,…

  • CVE-2026-27004 (Feb 19, 2026)
    risk 0.00 · cvss n/a · epss 0.00

    OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a…

  • CVE-2025-64749 (Nov 13, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for…

  • CVE-2025-54291 (Oct 2, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

  • CVE-2025-43776 (Sep 9, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through…

  • CVE-2025-59016 (Sep 9, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.

  • CVE-2025-43777 (Sep 9, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 exposes "Internal Server Error" in the…

  • CVE-2025-54791 (Aug 13, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user.…

  • CVE-2025-5731 (Jun 26, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found.

  • CVE-2025-4166 (May 2, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified…

  • CVE-2025-23216 (Jan 30, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes…

  • CVE-2024-23945 (Dec 23, 2024)
    risk 0.00 · cvss n/a · epss 0.01

    Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation.…

  • CVE-2024-53948 (Dec 9, 2024)
    risk 0.00 · cvss n/a · epss 0.01

    Generation of Error Message Containing analytics metadata Information in Apache Superset. This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

  • CVE-2024-54141 (Dec 6, 2024)
    risk 0.00 · cvss n/a · epss 0.00

    phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (ie postgreSQL) server's credential when connection to DB fails. This vulnerability is fixed in 4.0.0.

  • CVE-2024-53253 (Nov 22, 2024)
    risk 0.00 · cvss n/a · epss 0.01

    Sentry is an error tracking and performance monitoring platform. Version 24.11.0, and only version 24.11.0, is vulnerable to a scenario where a specific error message generated by the Sentry platform could include a plaintext Client ID and Client Secret for an application…

  • CVE-2024-48896 (Nov 18, 2024)
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.

  • CVE-2021-3986 (Nov 15, 2024)
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book…

  • CVE-2023-40457 (Nov 11, 2024)
    risk 0.00 · cvss n/a · epss 0.00

    The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this…

  • CVE-2024-7038 (Oct 9, 2024)
    risk 0.00 · cvss n/a · epss 0.00

    An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages…