VYPR

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

Abstraction: Base · Status: Incomplete

Description

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-168 (Windows ::DATA Alternate Data Stream)

CVEs mapped to this weakness (55)

page 1 of 3 (20 of 55 listed)
  • CVE-2026-39937 · High · Apr 7, 2026
    risk 0.57 · cvss: not listed · epss 0.00

    Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki…

  • CVE-2026-42880 · Critical · May 7, 2026
    risk 0.55 · cvss 9.6 · epss 0.00

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to…

  • CVE-2024-43384 · High · May 7, 2026
    risk 0.52 · cvss 8.0 · epss 0.00

    A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or transfer.

  • CVE-2024-49997 · High · Oct 21, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix memory disclosure When applying padding, the buffer is not zeroed, which results in memory disclosure. The mentioned data is observed on the wire. This patch uses…

  • CVE-2002-0704 · High · Jul 26, 2002
    risk 0.49 · cvss 7.5 · epss 0.03

    The Network Address Translation (NAT) capability for Netfilter ("iptables") 1.2.6a and earlier leaks translated IP addresses in ICMP error messages.

  • CVE-2017-15113 · High · Jul 27, 2018
    risk 0.47 · cvss 7.2 · epss 0.01

    ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or…

  • CVE-2025-65965 · High · Nov 25, 2025
    risk 0.46 · cvss: not listed · epss 0.00

    Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output…

  • CVE-2026-54421 · Medium · Jun 14, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security…

  • CVE-2026-43824 · High · May 2, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.

  • CVE-2026-34214 · High · Mar 31, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level.…

  • CVE-2026-42186 · High · May 14, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as…

  • CVE-2025-61594 · High · Dec 30, 2025
    risk 0.42 · cvss 7.5 · epss 0.01

    URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs,…

  • CVE-2026-46657 · High · Jun 8, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to…

  • CVE-2005-0406 · Medium · Feb 14, 2005
    risk 0.36 · cvss 5.5 · epss 0.00

    A design flaw in image processing software that modifies JPEG images might not modify the original EXIF thumbnail, which could lead to an information leak of potentially sensitive visual information that had been removed from the main JPEG image.

  • CVE-2026-27892 · Medium · May 18, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the…

  • CVE-2026-43528 · Medium · May 5, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys,…

  • CVE-2018-1062 · Medium · Mar 6, 2018
    risk 0.35 · cvss 5.3 · epss 0.01

    A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks happen to be later…

  • CVE-2026-36178 · Medium · Jun 4, 2026
    risk 0.30 · cvss 4.6 · epss 0.00

    The factory reset functionality in GNCC GP5 v7.1.76 fails to clear sensitive cryptographic material in the JFFS2 configuration partition, possibly allowing attackers to recover and obtain sensitive user data.

  • CVE-2026-20928 · Medium · Apr 14, 2026
    risk 0.30 · cvss 4.6 · epss 0.00

    Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack.

  • CVE-2026-45046 · Medium · May 27, 2026
    risk 0.29 · cvss 5.5 · epss 0.00

    Gryph provides a security layer for AI coding agents. Prior to 0.7.0, Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly mentions that the default log level is minimal while it is standard. Source code review…
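Two of the entries above, CVE-2005-0406 (an editor rewrites the main JPEG but leaves the old Exif thumbnail in place) and CVE-2026-27892 (uploaded images served byte-for-byte with their Exif/XMP/IPTC metadata), are the same CWE-212 pattern: the metadata segments ride along with the resource unless they are removed before storage or transfer. The following is an added example, not code from this page or from any of the projects listed; it is a minimal JPEG segment walker that drops the APP1 (Exif/XMP, including any embedded thumbnail), APP13 (Photoshop/IPTC) and COM segments and copies everything else through untouched. The sample JPEG bytes are constructed inline for the demonstration and are not a decodable image; the set of segments dropped by default is this example's choice.

```python
"""Strip metadata-bearing segments from a JPEG before it is stored or served (added example)."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}
# Dropped by default (this example's choice): APP1 (Exif incl. embedded thumbnail, or XMP),
# APP13 (Photoshop IRB / IPTC), COM (free-text comment). APP0 (JFIF) and APP2 (ICC profile)
# are kept because decoders need them to render the pixels correctly.
DROP_BY_DEFAULT = frozenset({0xE1, 0xED, 0xFE})
MARKER_NAMES = {0xE0: "APP0", 0xE1: "APP1", 0xE2: "APP2", 0xED: "APP13", 0xFE: "COM",
                0xDB: "DQT", 0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDD: "DRI",
                SOS: "SOS", SOI: "SOI", EOI: "EOI"}


def iter_segments(data: bytes):
    """Yield (marker, start, end) byte ranges for every segment up to and including the SOS header.
    The entropy-coded scan data that follows SOS (through EOI) is yielded once as (None, start, end)
    and is never inspected, so 0xFF00 byte stuffing inside it cannot confuse the walker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, 0, 2
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF or pos + 1 >= n:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            if marker == EOI:
                return
            continue
        if pos + 4 > n:
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length counts itself, not the marker
        end = pos + 2 + length
        if length < 2 or end > n:
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, end
        pos = end
        if marker == SOS:
            yield None, pos, n
            return
    raise ValueError("no SOS segment found")


def segment_names(data: bytes) -> list[str]:
    """Human-readable segment list; useful as a pre-upload or post-strip check."""
    return [MARKER_NAMES.get(m, f"0x{m:02X}") if m is not None else "scan"
            for m, _, _ in iter_segments(data)]


def strip_metadata(data: bytes, drop: frozenset = DROP_BY_DEFAULT) -> tuple[bytes, list[str]]:
    """Return (cleaned_jpeg, removed_segments). Whole segments are dropped, so an Exif thumbnail
    of the uncropped original goes with its APP1 container instead of surviving an edit."""
    out, removed = bytearray(), []
    for marker, start, end in iter_segments(data):
        if marker in drop:
            removed.append(f"{MARKER_NAMES.get(marker, hex(marker))}:{end - start}B")
            continue
        out += data[start:end]
    return bytes(out), removed


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample (not a real or decodable image): JFIF, Exif with a pretend GPS string and
# thumbnail, a Photoshop/IPTC block, a comment, then minimal DQT/SOF0/DHT/SOS and scan bytes.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08GPS 51.5N 0.12W; thumbnail of uncropped frame")
    + _seg(0xED, b"Photoshop 3.0\x008BIM author=jdoe")
    + _seg(0xFE, b"shot on internal test rig")
    + _seg(0xDB, bytes(65))                                  # DQT: table id + 64 zero entries
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")    # SOF0: 8x8, one component
    + _seg(0xC4, bytes(17))                                  # DHT: class/id + 16 zero counts
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")                # SOS header
    + b"\x00\x7f\xff\x00\x3c"                                # scan data with 0xFF00 stuffing
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned, gone = strip_metadata(SAMPLE_JPEG)
    print("before:", segment_names(SAMPLE_JPEG))
    print("removed:", gone)
    print("after: ", segment_names(cleaned))
```

Dropping APP1 also discards the Exif Orientation tag, so an application that relies on it must rotate the pixel data before stripping, or the served image will appear rotated. The walker is deliberately strict (it raises on a bad marker or length rather than guessing), which is what you want in an upload pipeline: a file that does not parse should be rejected, not stored as-is.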
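Several other entries are the credential-in-output variant of CWE-212: CVE-2017-15113 (passwords written unmasked to debug logs), CVE-2025-65965 (registry credentials carried into scanner output written to a file) and CVE-2026-43528 (a redaction that keyed on field names and was bypassed by alias fields holding the same secret). The example below is added here and is not code from this page or from any of those projects. It contrasts a field-name deny-list, which leaks the credential under an alias key and inside a URL, with tagging secret values where they are loaded and scrubbing every representation of them from the final serialized text. The configuration, field names, minimum secret length and the set of encodings handled are this example's assumptions, not any real tool's schema.

```python
"""Redacting credentials from a config/log dump: key-name deny-list vs value-tagged scrubbing (added example)."""
import base64
import json
from urllib.parse import quote

REDACTED = "***REDACTED***"
SENSITIVE_KEYS = frozenset({"password", "token", "apitoken", "secret"})


def redact_by_key(obj, sensitive_keys=SENSITIVE_KEYS):
    """Naive approach: mask values whose field name is on a deny-list.
    Misses alias fields ('pwd') and copies of the secret embedded in other values (URL userinfo, headers)."""
    if isinstance(obj, dict):
        return {k: REDACTED if k.lower() in sensitive_keys else redact_by_key(v, sensitive_keys)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_by_key(v, sensitive_keys) for v in obj]
    return obj


class SecretRegistry:
    """Tag secret values at the point they are loaded, then scrub every representation of them
    from serialized output, regardless of which field (or which encoding) carried them."""
    MIN_LEN = 4  # assumption: shorter values are skipped because scrubbing them would mangle unrelated text

    def __init__(self):
        self._values: set[str] = set()

    def register(self, value: str) -> str:
        if isinstance(value, str) and len(value) >= self.MIN_LEN:
            self._values.add(value)
        return value

    def _representations(self):
        for v in self._values:
            yield v
            yield json.dumps(v)[1:-1]                     # JSON-escaped (quotes, backslashes, non-ASCII)
            yield quote(v, safe="")                       # URL-encoded, as in a URL's user:pass@ part
            yield base64.b64encode(v.encode()).decode()   # base64, as in a Basic auth header

    def scrub(self, text: str) -> str:
        # Longest representation first, so a shorter raw match cannot split an encoded one.
        for rep in sorted(set(self._representations()), key=len, reverse=True):
            text = text.replace(rep, REDACTED)
        return text

    def leaks(self, text: str) -> list[str]:
        """Representations of registered secrets still present in text; [] means clean."""
        return sorted(rep for rep in set(self._representations()) if rep in text)

    def dump_json(self, obj) -> str:
        # Defence in depth: key-based masking first, then a value scrub over the final text.
        return self.scrub(json.dumps(redact_by_key(obj), sort_keys=True))


# Constructed sample configuration; the field names are illustrative only.
registry = SecretRegistry()
PASSWORD = registry.register("hunter2-Sup3r!")
TOKEN = registry.register("tok_4f9c1f3e")
# base64 of "user:pass" does not contain base64 of "pass" (3-byte alignment), so the composed
# credential must be registered as well if it can appear encoded anywhere.
BASIC_CRED = registry.register(f"scanner:{PASSWORD}")

CONFIG = {
    "registry": {"url": "https://registry.example.test", "username": "scanner", "password": PASSWORD},
    "sourceConfig": {"pwd": PASSWORD},  # alias field: same credential under a key the deny-list does not know
    "runtimeConfig": {"auth_url": f"https://scanner:{quote(PASSWORD, safe='')}@registry.example.test/v2/"},
    "api": {"apiToken": TOKEN,
            "authHeader": "Basic " + base64.b64encode(BASIC_CRED.encode()).decode()},
}

if __name__ == "__main__":
    naive = json.dumps(redact_by_key(CONFIG), sort_keys=True)
    print("key-based redaction still leaks:", registry.leaks(naive))
    hardened = registry.dump_json(CONFIG)
    print("value-tagged scrub leaks:", registry.leaks(hardened))
    print(hardened)
```

The value scrub only knows about secrets that were registered, so it complements rather than replaces keeping secrets out of the structures that get serialized in the first place; it is also the right place to add a `leaks()` check as a test gate before any dump is written to a file, attached to a ticket, or shipped to a vendor.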