VYPR

CWE-525

Use of Web Browser Cache Containing Sensitive Information

Variant (Incomplete)

Description

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-37

CVEs mapped to this weakness (13)

  • CVE-2025-15554 · High · Mar 16, 2026
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    Browser caching of LAPS passwords in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin passwords.

  • CVE-2025-48947 · High · Jun 4, 2025
    risk 0.43 · CVSS not listed · EPSS 0.00

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be…

  • CVE-2026-41918 · Medium · Jun 2, 2026
    risk 0.37 · CVSS 5.7 · EPSS 0.00

    A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V4.0). The affected application stores sensitive information in the browser cache when an authenticated user modifies specific configurations. This could allow an authenticated attacker to…

  • CVE-2026-41322 · Medium · Apr 24, 2026
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    @astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting static js/css resources from the _astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the…

  • CVE-2025-27525 · Low · May 15, 2025
    risk 0.25 · CVSS 3.9 · EPSS 0.00

    Information Exposure vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50…

  • CVE-2025-52625 · Low · Oct 10, 2025
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    A Cacheable SSL Page Found vulnerability has been identified in HCL AION. Cached data may expose credentials, system identifiers, or internal file paths to attackers with access to the device or browser. This issue affects AION: 2.0.

  • CVE-2025-52659 · Low · Jan 19, 2026
    risk 0.18 · CVSS 2.8 · EPSS 0.00

    HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure.

  • CVE-2025-13083 · Nov 18, 2025
    risk 0.00 · CVSS not listed · EPSS 0.00

    Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9,…

  • CVE-2025-62276 · Oct 31, 2025
    risk 0.00 · CVSS not listed · EPSS 0.00

    The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions uses an incorrect…

  • CVE-2024-45314 · Sep 4, 2024
    risk 0.00 · CVSS not listed · EPSS 0.00

    Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form's default cache directives allow the browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch…

  • CVE-2024-25142 · Jun 14, 2024
    risk 0.00 · CVSS not listed · EPSS 0.00

    Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This…

  • CVE-2020-17522 · Jan 26, 2021
    risk 0.00 · CVSS not listed · EPSS 0.04

    When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these…

  • CVE-2012-2671 · Jun 17, 2012
    risk 0.00 · CVSS not listed · EPSS 0.02

    The Rack::Cache rubygem 0.3.0 through 1.1 caches Set-Cookie and other sensitive headers, which allows attackers to obtain sensitive cookie information, hijack web sessions, or have other unspecified impact by accessing the cache.