VYPR

CWE-532

Insertion of Sensitive Information into Log File

Abstraction: Base | Status: Incomplete | Likelihood: Medium

Description

The product writes sensitive information to a log file.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-215

CVEs mapped to this weakness (485)

page 17 of 25
  • CVE-2024-51753 | Low | Nov 5, 2024
    risk 0.07 | cvss | epss 0.00

    The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In affected versions refresh tokens are logged to the console when the disabled by default `debug` flag, is enabled. This issue has been patched…

  • CVE-2023-22649 | Oct 16, 2024
    risk 0.07 | cvss | epss 0.02

    A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) is an opt-in feature, only deployments that have…

  • CVE-2024-35196 | Low | May 31, 2024
    risk 0.06 | cvss 2.0 | epss 0.01

    Sentry is a developer-first error tracking and performance monitoring platform. Sentry's Slack integration incorrectly records the incoming request body in logs. This request data can contain sensitive information, including the deprecated Slack verification token. With this…

  • CVE-2025-32382 | Low | Apr 10, 2025
    risk 0.05 | cvss | epss 0.00

    Metabase is an open source Business Intelligence and Embedded Analytics tool. When admins change Snowflake connection details in Metabase (either updating a password or changing password to private key or vice versa), Metabase would not always purge older Snowflake connection…

  • CVE-2026-54711 | Low | Jun 18, 2026
    risk 0.00 | cvss | epss

    ### Impact When using .pgpass, database connection information including the username and password will be logged at the debug level. ### Patches Upgrade to version 2.7.1 or greater. ### Workarounds Filter out debug-level logs. ### References This issue was discovered by…

  • CVE-2026-54236 | Jun 17, 2026
    risk 0.00 | cvss | epss 0.01

    # vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via the Anthropic API router **Researcher:** Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research **Severity:** CVSS 3.1 5.3 (Medium) `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` **Target:**…

  • CVE-2026-47768 | Jun 10, 2026
    risk 0.00 | cvss | epss 0.00

    `internal/web/operators.go:251` — after `handleOperatorCreateAPIKey` mints a fresh 32-byte bearer token, the redirect points the operator's browser at: /ui/operators/?new_key=&key_name= The raw API key ends up: - in the browser's URL history - in the…

  • CVE-2026-47234 | May 29, 2026
    risk 0.00 | cvss | epss 0.00

    ## Summary When debug logging is enabled, `Session::setCookie()` logs full cookie values and `Session::start()` logs the current session ID. In a real Admidio deployment this includes both the active session cookie and the persistent auto-login cookie. Anyone with access to the…

  • CVE-2026-46358 | May 28, 2026
    risk 0.00 | cvss | epss 0.00

    ### Impact OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review…

  • CVE-2026-32598 | Mar 12, 2026
    risk 0.00 | cvss | epss 0.00

    OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to…

  • CVE-2026-24308 | Mar 7, 2026
    risk 0.00 | cvss | epss 0.01

    Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering…

  • CVE-2025-62879 | Mar 4, 2026
    risk 0.00 | cvss | epss 0.00

    A vulnerability has been identified within the Rancher Backup Operator, resulting in the leakage of S3 tokens (both accessKey and secretKey) into the rancher-backup-operator pod's logs.

  • CVE-2026-27900 | Feb 26, 2026
    risk 0.00 | cvss | epss 0.00

    The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provider debug logging is not enabled by default. This issue is exposed when…

  • CVE-2025-27555 | Feb 24, 2026
    risk 0.00 | cvss | epss 0.00

    Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the…

  • CVE-2026-25918 | Feb 9, 2026
    risk 0.00 | cvss | epss 0.00

    unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2, the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are…

  • CVE-2026-24762 | Feb 3, 2026
    risk 0.00 | cvss | epss 0.00

    RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log…

  • CVE-2026-22778 | Feb 2, 2026
    risk 0.00 | cvss | epss 0.04

    vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR…

  • CVE-2025-59355 | Jan 19, 2026
    risk 0.00 | cvss | epss 0.00

    A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive…

  • CVE-2026-22782 | Jan 16, 2026
    risk 0.00 | cvss | epss 0.00

    RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In…

  • CVE-2025-68675 | Jan 16, 2026
    risk 0.00 | cvss | epss 0.02

    In Apache Airflow versions before 3.1.6 and 2.11.1, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log…