VYPR

CWE-538

Insertion of Sensitive Information into Externally-Accessible File or Directory

BaseDraft

Description

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-95

CVEs mapped to this weakness (59)

page 2 of 3
  • CVE-2025-68429HigDec 17, 2025
    risk 0.40cvss 7.3epss 0.00

    Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10 relates to Storybook’s handling of environment variables defined in a…

  • CVE-2025-46820HigMay 6, 2025
    risk 0.39cvss 7.1epss 0.00

    phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory,…

  • CVE-2025-31421MedApr 4, 2025
    risk 0.38cvss 5.8epss 0.00

    Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Oblak Studio Srbtranslatin srbtranslatin allows Retrieve Embedded Sensitive Data.This issue affects Srbtranslatin: from n/a through <= 3.2.0.

  • CVE-2025-31558MedApr 3, 2025
    risk 0.38cvss 5.8epss 0.00

    Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Greg TailPress tailpress allows Retrieve Embedded Sensitive Data.This issue affects TailPress: from n/a through <= 0.4.4.

  • CVE-2025-31550MedApr 1, 2025
    risk 0.38cvss 5.8epss 0.00

    Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in thom4 WP-LESS wp-less allows Retrieve Embedded Sensitive Data.This issue affects WP-LESS: from n/a through <= 1.9.6.

  • CVE-2025-22633MedFeb 23, 2025
    risk 0.38cvss 5.8epss 0.00

    Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in StellarWP Give – Divi Donation Modules give-donation-modules-for-divi allows Retrieve Embedded Sensitive Data.This issue affects Give – Divi Donation Modules: from n/a through <=…

  • CVE-2025-24689MedJan 27, 2025
    risk 0.38cvss 5.9epss 0.00

    Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Javier Carazo Import and export users and customers import-users-from-csv-with-meta allows Retrieve Embedded Sensitive Data.This issue affects Import and export users and customers:…

  • CVE-2025-12699MedFeb 10, 2026
    risk 0.36cvss 5.5epss 0.00

    The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. In the proof of concept (POC),…

  • CVE-2017-9947MedOct 23, 2017
    risk 0.35cvss 5.3epss 0.07

    A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions <V3.5. A directory traversal vulnerability could allow a remote attacker with network access to the integrated web server (80/tcp and 443/tcp) to obtain…

  • CVE-2026-10254MedJun 1, 2026
    risk 0.34cvss 5.3epss 0.00

    A flaw has been found in SourceCodester Pet Grooming Management Software 1.0. Affected is an unknown function of the file /admin/. This manipulation causes file and directory information exposure. The attack can be initiated remotely. The exploit has been published and may be…

  • CVE-2026-7071MedApr 27, 2026
    risk 0.34cvss 5.3epss 0.00

    A security vulnerability has been detected in CodeAstro Online Job Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /users/user-cvs/. The manipulation leads to file and directory information exposure. Remote exploitation of the attack is…

  • CVE-2026-6160MedApr 13, 2026
    risk 0.34cvss 5.3epss 0.00

    A vulnerability was found in code-projects Simple ChatBox 1.0. Affected by this issue is the function SimpleChatbox_PHP of the file chatbox.sql of the component Endpoint. Performing a manipulation results in file and directory information exposure. It is possible to initiate the…

  • CVE-2025-11891MedNov 11, 2025
    risk 0.34cvss 5.3epss 0.00

    The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the…

  • CVE-2025-22773MedJan 15, 2025
    risk 0.34cvss 5.3epss 0.00

    Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in WP Chill Htaccess File Editor htaccess-file-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Htaccess File Editor: from n/a through…

  • CVE-2025-22306MedJan 7, 2025
    risk 0.34cvss 5.3epss 0.00

    Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Spencer Haws Link Whisper Free link-whisper.This issue affects Link Whisper Free: from n/a through <= 0.7.7.

  • CVE-2026-50099MedJun 12, 2026
    risk 0.30cvss 4.6epss 0.00

    During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell…

  • CVE-2018-4847MedApr 23, 2018
    risk 0.30cvss 4.6epss 0.00

    A vulnerability has been identified in SIMATIC WinCC OA Operator iOS App (All versions < V1.4). Insufficient protection of sensitive information (e.g. session key for accessing server) in Siemens WinCC OA Operator iOS app could allow an attacker with physical access to the…

  • CVE-2026-2817MedFeb 19, 2026
    risk 0.29cvss 4.4epss 0.00

    Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to…

  • CVE-2019-25717MedJun 2, 2026
    risk 0.28cvss 4.3epss 0.00

    Dräger Infinity Delta, Delta XL, and Kappa patient monitors contain an information disclosure vulnerability that allows unauthenticated network attackers to access log files over a network connection. Attackers can retrieve device internals, location information, and wired…

  • CVE-2025-8452MedAug 12, 2025
    risk 0.28cvss 4.3epss 0.00

    By using the "uscan" protocol provided by the eSCL specification, an attacker can discover the serial number of multi-function printers that implement the Brother-provided firmware. This serial number can, in turn, can be leveraged by the flaw described by CVE-2024-51978 to…