CWE-524
Use of Cache Containing Sensitive Information
Description
The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-204
CVEs mapped to this weakness (29)
Page 2 of 2

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-24472 | 0.00 | — | 0.00 | Jan 27, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard… |
| CVE-2025-69202 | 0.00 | — | 0.00 | Dec 29, 2025 | Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only… |
| CVE-2025-64762 | 0.00 | — | 0.00 | Nov 21, 2025 | The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN… |
| CVE-2025-57752 | 0.00 | — | 0.00 | Aug 29, 2025 | Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such… |
| CVE-2024-49580 | 0.00 | — | 0.00 | Oct 17, 2024 | In JetBrains Ktor before 2.3.13 improper caching in HttpCache Plugin could lead to response information disclosure |
| CVE-2024-45596 | 0.00 | — | 0.01 | Sep 10, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that… |
| CVE-2024-27917 | 0.00 | — | 0.01 | Mar 6, 2024 | Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and assigns it to the Response. Since Shopware 6.5.8.0, the 404 pages are cached to improve the performance of 404 pages. So the cached Response which… |
| CVE-2022-3292 | 0.00 | — | 0.00 | Sep 28, 2022 | Use of Cache Containing Sensitive Information in GitHub repository ikus060/rdiffweb prior to 2.4.8. |
| CVE-2019-11244 | 0.00 | — | 0.00 | Apr 22, 2019 | In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to… |