VYPR

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Abstraction: Base · Status: Incomplete

Description

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-170 · CAPEC-694

CVEs mapped to this weakness (213)

page 10 of 11
  • CVE-2026-41928 · Medium · May 7, 2026
    risk 0.27 · CVSS 5.3 · EPSS 0.00

    Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key…

  • CVE-2026-41335 · Medium · Apr 23, 2026
    risk 0.27 · CVSS 5.3 · EPSS 0.00

    OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bootstrap payload to identify…

  • CVE-2026-41459 · Medium · Apr 22, 2026
    risk 0.27 · CVSS 5.3 · EPSS 0.01

    Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the…

  • CVE-2025-36373 · Medium · Apr 1, 2026
    risk 0.27 · CVSS 4.1 · EPSS 0.00

    IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative…

  • CVE-2024-10940 · Medium · Mar 20, 2025
    risk 0.27 · CVSS 5.3 · EPSS 0.00

    A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files from the host file system. The issue arises from the ability to create langchain_core.prompts.ImagePromptTemplate's (and by…

  • CVE-2025-48024 · Medium · May 15, 2025
    risk 0.26 · CVSS 5.0 · EPSS 0.00

    In BlueWave Checkmate before 2.1, an authenticated regular user can access sensitive application secrets via the /api/v1/settings endpoint.

  • CVE-2026-44743 · Low · Jun 9, 2026
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    Under certain conditions, when an unauthorized attacker accesses a specific endpoint, SAP Business Objects application leaks sensitive information. This has a low impact on the confidentiality of the data. There is no impact on integrity and availability of the application.

  • CVE-2024-52582 · Medium · Nov 19, 2024
    risk 0.24 · CVSS 4.7 · EPSS 0.00

    Cachi2 is a command-line interface tool that pre-fetches a project's dependencies to aid in making the project's build process network-isolated. Prior to version 0.14.0, secrets may be shown in logs when an unhandled exception is triggered because the tool is logging locals of…

  • CVE-2024-47799 · Low · Nov 12, 2024
    risk 0.23 · CVSS 3.5 · EPSS 0.00

    Exposure of sensitive system information to an unauthorized control sphere issue exists in Mesh Wi-Fi router RP562B firmware version v1.0.2 and earlier. If this vulnerability is exploited, a network-adjacent authenticated attacker may obtain information of the other devices…

  • CVE-2026-41339 · Medium · Apr 23, 2026
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained…

  • CVE-2025-23288 · Low · Aug 2, 2025
    risk 0.21 · CVSS 3.3 · EPSS 0.00

    NVIDIA GPU Display Driver for Windows contains a vulnerability where an attacker may cause an exposure of sensitive system information with local unprivileged system access. A successful exploit of this vulnerability may lead to information disclosure.

  • CVE-2025-23287 · Low · Aug 2, 2025
    risk 0.21 · CVSS 3.3 · EPSS 0.00

    NVIDIA GPU Display Driver for Windows contains a vulnerability where an attacker may access sensitive system-level information. A successful exploit of this vulnerability may lead to Information disclosure.

  • CVE-2025-24334 · Low · Jul 2, 2025
    risk 0.21 · CVSS 3.3 · EPSS 0.00

    The Nokia Single RAN baseband software earlier than 23R2-SR 1.0 MP can be made to reveal the exact software release version by sending a specific HTTP POST request through the Mobile Network Operator (MNO) internal RAN management network.

  • CVE-2025-0036 · Low · Jun 10, 2025
    risk 0.21 · CVSS 3.2 · EPSS 0.00

    In AMD Versal Adaptive SoC devices, the incorrect configuration of the SSS during runtime (post-boot) cryptographic operations could cause data to be incorrectly written to and read from invalid locations as well as returning incorrect cryptographic data.

  • CVE-2024-53867 · Medium · Dec 3, 2024
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.

  • CVE-2025-58866 · Low · Sep 5, 2025
    risk 0.18 · CVSS 2.7 · EPSS 0.00

    Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Rami Yushuvaev Site Info site-info-dashboard-widget allows Retrieve Embedded Sensitive Data. This issue affects Site Info: from n/a through <= 1.1.

  • CVE-2025-31003 · Low · Apr 9, 2025
    risk 0.18 · CVSS 2.7 · EPSS 0.00

    Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Bogdan Bendziukov Squeeze squeeze allows Retrieve Embedded Sensitive Data. This issue affects Squeeze: from n/a through <= 1.6.

  • CVE-2025-32026 · Low · Apr 8, 2025
    risk 0.18 · CVSS 3.8 · EPSS 0.00

    Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media…

  • CVE-2024-11035 · Low · Mar 5, 2025
    risk 0.16 · CVSS 2.5 · EPSS 0.00

    Carbon Black Cloud Windows Sensor, prior to 4.0.3, may be susceptible to an Information Leak vulnerability, which is a type of issue whereby sensitive information may be exposed due to a vulnerability in software.

  • CVE-2025-59447 · Low · Oct 6, 2025
    risk 0.14 · CVSS 2.2 · EPSS 0.00

    The YoSmart YoLink Smart Hub device 0382 exposes a UART debug interface. An attacker with direct physical access can leverage this interface to read a boot log, which includes network access credentials.