VYPR

CWE-214

Invocation of Process Using Visible Sensitive Information

Abstraction: Base | Status: Incomplete

Description

A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.

Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the product or related resources.
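The following script makes the two exposure channels concrete: it spawns a child with a credential on its command line and shows what any local account can read from the process table, then spawns the same child with the credential delivered over a private stdin pipe and the environment reduced to an allowlist. This is an added example written for this page, not code from the CWE entry or from any product listed below. It assumes Linux, where `/proc/<pid>/cmdline` is world-readable, and falls back to `ps -o args= -p PID` elsewhere; the secret value and the `PARENT_API_TOKEN` variable are constructed for the demonstration.

```python
"""CWE-214 demonstration: what another process can see of a child's argv and
environment, and how to hand a secret to a child without exposing it.
Added example; assumes Linux /proc (or a `ps` accepting `-o args= -p`)."""
import os
import subprocess
import sys

SECRET = "hunter2-constructed-example"  # constructed sample credential

# Child that takes the secret on its command line (the vulnerable pattern).
CHILD_ARGV = (
    "import os, sys\n"
    "secret = sys.argv[1]\n"
    "sys.stdin.readline()  # block until the parent has inspected us\n"
    "print(len(secret)); print(','.join(sorted(os.environ)))\n"
)

# Child that reads the secret from stdin instead (the hardened pattern).
CHILD_STDIN = (
    "import os, sys\n"
    "secret = sys.stdin.readline().rstrip('\\n')\n"
    "print(len(secret)); print(','.join(sorted(os.environ)))\n"
)


def observe_cmdline(pid: int) -> str:
    """Return what any local user can read of PID's command line.

    On Linux /proc/<pid>/cmdline is mode 0444, so every account on the host
    can read it, not just the process owner (verify with `stat`). By contrast
    /proc/<pid>/environ is owner-only, but the environment is copied into every
    child unless the invoker passes an explicit env, which is the inherited-
    variable leak. Falls back to `ps -o args=` where /proc is not mounted."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True, check=False)
        return out.stdout


def _run(argv, env, stdin_text):
    """Spawn the child, snapshot its visible command line while it blocks on
    stdin, then feed stdin_text and parse what the child reports."""
    proc = subprocess.Popen(argv, env=env, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    visible = observe_cmdline(proc.pid)  # exec has completed once Popen returns
    out, _ = proc.communicate(stdin_text)
    length_line, env_line = out.splitlines()[:2]
    return {"visible_cmdline": visible,
            "secret_len_seen_by_child": int(length_line),
            "child_env_keys": set(env_line.split(",")) if env_line else set()}


def spawn_secret_in_argv(secret: str) -> dict:
    """CWE-214: secret on the command line, parent environment inherited."""
    return _run([sys.executable, "-c", CHILD_ARGV, secret], env=None,
                stdin_text="go\n")


def spawn_secret_via_stdin(secret: str) -> dict:
    """Hardened: secret over a private pipe, environment cut to an allowlist."""
    allowed = {k: v for k, v in os.environ.items() if k in ("PATH", "LANG")}
    return _run([sys.executable, "-c", CHILD_STDIN], env=allowed,
                stdin_text=secret + "\n")


def compare(secret: str) -> tuple:
    """Run both patterns with a constructed sensitive variable in the invoker's
    environment, so the inheritance difference is visible in the results."""
    os.environ["PARENT_API_TOKEN"] = "constructed-token"
    try:
        return spawn_secret_in_argv(secret), spawn_secret_via_stdin(secret)
    finally:
        del os.environ["PARENT_API_TOKEN"]


if __name__ == "__main__":
    bad, good = compare(SECRET)
    print("argv pattern, visible to other users :", bad["visible_cmdline"])
    print("  child inherited PARENT_API_TOKEN    :", "PARENT_API_TOKEN" in bad["child_env_keys"])
    print("stdin pattern, visible to other users:", good["visible_cmdline"])
    print("  child inherited PARENT_API_TOKEN    :", "PARENT_API_TOKEN" in good["child_env_keys"])
```

Run it as a normal user and, while it is blocked, `ps -ef` from a second account reproduces the first line of output: the credential is plain text in the process table. The hardened path is the same shape as the mitigations behind the command-line CVEs below (credential via stdin or a protected file instead of argv) and the environment-forwarding CVE (an explicit, minimal `env` instead of passing the whole parent environment through).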

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (6)

  • CVE-2025-32987 | Medium | Apr 15, 2025
    risk 0.39 | cvss 6.0 | epss 0.00

    Arctera eDiscovery Platform before 10.3.2, when Enterprise Vault Collection Module is used, places a cleartext password on a command line in EVSearcher.

  • CVE-2026-40159 | Medium | Apr 10, 2026
    risk 0.29 | cvss 5.5 | epss 0.00

    PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP("npx -y @smithery/cli ...")). These commands are executed through…

  • CVE-2024-39314 | Medium | Jul 1, 2024
    risk 0.24 | cvss 4.7 | epss 0.00

    toy-blog is a headless content management system implementation. Starting in version 0.4.3 and prior to version 0.5.0, the administrative password was leaked through the command line parameter. The problem was patched in version 0.5.0. As a workaround, pass…

  • CVE-2026-41357 | Low | Apr 23, 2026
    risk 0.14 | cvss 3.3 | epss 0.00

    OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH environment forwarding configurations to leak sensitive…

  • CVE-2023-25722 | Mar 28, 2023
    risk 0.00 | cvss n/a | epss 0.00

    A credential-leak issue was discovered in related Veracode products before 2023-03-27. Veracode Scan Jenkins Plugin before 23.3.19.0, when configured for remote agent jobs, invokes the Veracode Java API Wrapper in a manner that allows local users (with OS-level access of the…

  • CVE-2021-3859 | Aug 26, 2022
    risk 0.00 | cvss n/a | epss 0.01

    A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.