CWE-532
Insertion of Sensitive Information into Log File
Base | Incomplete | Likelihood: Medium
Description
The product writes sensitive information to a log file.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-215
CVEs mapped to this weakness (243)
Page 8 of 13

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-51490 | Med | 0.35 | 5.3 | 0.01 | Jan 8, 2024 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPMU DEV Defender Security – Malware Scanner, Login Security & Firewall. This issue affects Defender Security – Malware Scanner, Login Security & Firewall: from n/a through 4.1.0. |
| CVE-2023-51408 | Med | 0.35 | 5.3 | 0.01 | Jan 8, 2024 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StudioWombat WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce. This issue affects WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce: from n/a through 1.4.3. |
| CVE-2026-41495 | Med | 0.34 | 5.3 | 0.00 | May 8, 2026 | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.11, when n8n-mcp runs in HTTP transport mode, incoming requests to the POST /mcp endpoint had their request metadata written to server logs regardless of the authentication outcome. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of: bearer tokens from the Authorization header, per-tenant API keys from the x-n8n-key header in multi-tenant setups, JSON-RPC request payloads sent to the MCP endpoint. Access control itself was not bypassed — unauthenticated requests were correctly rejected with 401 Unauthorized — but sensitive values from those rejected requests could still be persisted in logs. This issue has been patched in version 2.47.11. |
| CVE-2026-41182 | Med | 0.34 | 5.3 | 0.00 | Apr 23, 2026 | LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a new_token event containing the raw token value. These events bypass the redaction pipeline entirely — prepareRunCreateOrUpdateInputs (JS) and _hide_run_outputs (Python) only process the inputs and outputs fields on a run, never the events array. As a result, applications relying on output redaction to prevent sensitive LLM output from being stored in LangSmith will still leak the full streamed content via run events. Version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK fix the issue. |
| CVE-2025-10486 | Med | 0.34 | 5.3 | 0.00 | Oct 15, 2025 | The Content Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.8 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. |
| CVE-2025-10645 | Med | 0.34 | 5.3 | 0.00 | Oct 7, 2025 | The WP Reset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.05 via the WF_Licensing::log() method when debugging is enabled (default). This makes it possible for unauthenticated attackers to extract sensitive license key and site data. |
| CVE-2025-6587 | Med | 0.34 | — | 0.00 | Jul 3, 2025 | System environment variables are recorded in Docker Desktop diagnostic logs, when using shell auto-completion. This leads to unintentional disclosure of sensitive information such as api keys, passwords, etc. A malicious actor with read access to these logs could obtain secrets and further use them to gain unauthorized access to other systems. Starting with version 4.43.0 Docker Desktop no longer logs system environment variables as part of diagnostics log collection. |
| CVE-2025-3911 | Med | 0.34 | — | 0.00 | Apr 29, 2025 | Recording of environment variables, configured for running containers, in Docker Desktop application logs could lead to unintentional disclosure of sensitive information such as api keys, passwords, etc. A malicious actor with read access to these logs could obtain sensitive credentials information and further use it to gain unauthorized access to other systems. Starting with version 4.41.0, Docker Desktop no longer logs environment variables set by the user. |
| CVE-2025-4090 | Med | 0.34 | 5.3 | 0.00 | Apr 29, 2025 | A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability was fixed in Firefox 138 and Thunderbird 138. |
| CVE-2025-31788 | Med | 0.34 | 5.3 | 0.01 | Apr 1, 2025 | Insertion of Sensitive Information into Log File vulnerability in Smackcoders Inc., AIO Performance Profiler, Monitor, Optimize, Compress & Debug all-in-one-performance-accelerator allows Retrieve Embedded Sensitive Data. This issue affects AIO Performance Profiler, Monitor, Optimize, Compress & Debug: from n/a through <= 1.3. |
| CVE-2025-1696 | Med | 0.34 | — | 0.00 | Mar 6, 2025 | A vulnerability exists in Docker Desktop prior to version 4.39.0 that could lead to the unintentional disclosure of sensitive information via application logs. In affected versions, proxy configuration data—potentially including sensitive details—was written to log files in clear text whenever an HTTP GET request was made through a proxy. An attacker with read access to these logs could obtain the proxy information and leverage it for further attacks or unauthorized access. Starting with version 4.39.0, Docker Desktop no longer logs the proxy string, thereby mitigating this risk. |
| CVE-2024-13818 | Med | 0.34 | 5.3 | 0.00 | Feb 21, 2025 | The Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.4 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information about users contained in the exposed log files. |
| CVE-2024-10544 | Med | 0.34 | 5.3 | 0.00 | Oct 31, 2024 | The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information about users contained in the exposed log files. |
| CVE-2024-43990 | Med | 0.34 | 5.3 | 0.00 | Sep 25, 2024 | Insertion of Sensitive Information into Log File vulnerability in StylemixThemes Masterstudy LMS Starter. This issue affects Masterstudy LMS Starter: from n/a through 1.1.8. |
| CVE-2024-37270 | Med | 0.34 | 5.3 | 0.00 | Jul 10, 2024 | Insertion of Sensitive Information into Log File vulnerability in TrustedLogin TrustedLogin Vendor. This issue affects TrustedLogin Vendor: from n/a before 1.1.1. |
| CVE-2024-37205 | Med | 0.34 | 5.3 | 0.00 | Jul 10, 2024 | Insertion of Sensitive Information into Log File vulnerability in SERVIT Software Solutions. This issue affects affiliate-toolkit: from n/a through 3.4.4. |
| CVE-2024-22276 | Med | 0.34 | 5.3 | 0.00 | Jun 27, 2024 | VMware Cloud Director Object Storage Extension contains an Insertion of Sensitive Information vulnerability. A malicious actor with adjacent access to web/proxy server logging may be able to obtain sensitive information from URLs that are logged. |
| CVE-2024-32811 | Med | 0.34 | 5.3 | 0.00 | Jun 9, 2024 | Insertion of Sensitive Information into Log File vulnerability in Octolize USPS Shipping for WooCommerce – Live Rates. This issue affects USPS Shipping for WooCommerce – Live Rates: from n/a through 1.9.4. |
| CVE-2024-34798 | Med | 0.34 | 5.3 | 0.00 | Jun 3, 2024 | Insertion of Sensitive Information into Log File vulnerability in Lukman Nakib Debug Log – Manger Tool. This issue affects Debug Log – Manger Tool: from n/a through 1.4.5. |
| CVE-2024-34550 | Med | 0.34 | 5.3 | 0.00 | May 14, 2024 | Insertion of Sensitive Information into Log File vulnerability in AlexaCRM Dynamics 365 Integration. This issue affects Dynamics 365 Integration: from n/a through 1.3.17. |