CWE-201— Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.— MITRE CWE catalog
346 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-201page 6 of 7
- CVE-2025-7204MEDIUMCVSS 6.5EG 6.52025-07-09
In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sensitive user information. Specific API requests were found to return an overly verbose user object, which included encry…
- CVE-2025-7708MEDIUMCVSS 6.8EG 6.82026-02-09
Insertion of Sensitive Information Into Sent Data vulnerability in Atlas Educational Software Industry Ltd. Co. K12net allows Communication Channel Manipulation. This issue affects k12net: through 09022026. NOTE: The vendor was contacted…
- CVE-2025-8862HIGHCVSS 7.0EG 7.02025-08-11
YugabyteDB has been collecting diagnostics information from YugabyteDB servers, which may include sensitive gflag configurations. To mitigate this, we recommend upgrading the database to a version where this information is properly redacte…
- CVE-2025-9958HIGHCVSS 7.7EG 6.52025-09-26
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that could have allowed Guest users to access sensitive information stored in virtual registry config…
- CVE-2026-10101MEDIUMCVSS 6.3EG 6.32026-05-29
ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but ca…
- CVE-2026-12085MEDIUMCVSS 6.5EG 6.52026-06-30
IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated u…
- CVE-2026-13211MEDIUMCVSS 4.3EG 4.32026-07-01
The genucenter web interface before version 8.0p11 unnecessarily exposes sensitive SNMP authentication and encryption keys in its HTTP responses to users with the “Service” or “Admin” role.
- CVE-2026-13437MEDIUMCVSS 6.5EG 6.52026-06-29
Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication …
- CVE-2026-1365MEDIUMCVSS 6.5EG 6.52026-07-09
Insertion of sensitive information into sent data vulnerability in Sayax Energy Technologies Inc. OSOS allows Authentication Bypass. This issue affects OSOS: through 09072026. NOTE: The vendor was contacted early about this disclosure bu…
- CVE-2026-1539MEDIUMCVSS 5.8EG 5.82026-01-28
A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Author…
- CVE-2026-1694MEDIUMCVSS 4.3EG 4.32026-02-26
HTTP headers are added by the default configuration of IIS and ASP.net, and are not removed at the deployment phase of the webservices used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.…
- CVE-2026-20151HIGHCVSS 7.3EG 7.32026-04-01
A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to the improper transmission…
- CVE-2026-22246MEDIUMCVSS 6.5EG 6.52026-01-08
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code…
- CVE-2026-22539MEDIUMCVSS 5.3EG 5.32026-01-07
As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6.
- CVE-2026-22551MEDIUMCVSS 6.5EG 6.52026-06-18
In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an att…
- CVE-2026-23546MEDIUMCVSS 6.5EG 6.52026-03-05
Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data.This issue affects Classified Listing: from n/a through <= 5.3.4.
- CVE-2026-23878MEDIUMCVSS 6.5EG 6.52026-01-19
HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document AP…
- CVE-2026-24427MEDIUMCVSS 6.8EG 5.52026-02-03
Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose sensitive information in web management responses. Administrative credentials, including the router and/or admin panel password, are included in plaintext within configur…
- CVE-2026-24430HIGHCVSS 7.5EG 7.52026-01-26
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible…
- CVE-2026-24477HIGHCVSS 7.5EG 7.52026-01-27
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this Qdr…
- CVE-2026-24557MEDIUMCVSS 5.3EG 5.32026-01-23
Insertion of Sensitive Information Into Sent Data vulnerability in WEN Solutions Contact Form 7 GetResponse Extension contact-form-7-getresponse-extension allows Retrieve Embedded Sensitive Data.This issue affects Contact Form 7 GetRespons…
- CVE-2026-24559MEDIUMCVSS 5.3EG 5.42026-01-23
Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data.This issue affects Integration for Contact Form 7 HubSpot: from n/a thr…
- CVE-2026-24565MEDIUMCVSS 6.5EG 6.52026-01-23
Insertion of Sensitive Information Into Sent Data vulnerability in bPlugins B Accordion b-accordion allows Retrieve Embedded Sensitive Data.This issue affects B Accordion: from n/a through <= 2.0.2.
- CVE-2026-24589MEDIUMCVSS 5.3EG 5.32026-01-23
Insertion of Sensitive Information Into Sent Data vulnerability in Cargus eCommerce Cargus cargus allows Retrieve Embedded Sensitive Data.This issue affects Cargus: from n/a through <= 1.5.8.
- CVE-2026-24992MEDIUMCVSS 5.3EG 5.32026-02-03
Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Retrieve Embedded Sensitive Data.This issue affects Advanced Wo…
- CVE-2026-25008MEDIUMCVSS 4.3EG 4.32026-02-19
Insertion of Sensitive Information Into Sent Data vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Retrieve Embedded Sensitive Data.This issue affects Ninja Tables: from n/a through <= 5.2.5.
- CVE-2026-25339MEDIUMCVSS 6.5EG 6.52026-03-25
Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.
- CVE-2026-27370HIGHCVSS 7.5EG 7.52026-03-05
Insertion of Sensitive Information Into Sent Data vulnerability in Premio Chaty chaty allows Retrieve Embedded Sensitive Data.This issue affects Chaty: from n/a through <= 3.5.1.
- CVE-2026-27406HIGHCVSS 7.5EG 7.52026-03-05
Insertion of Sensitive Information Into Sent Data vulnerability in Joe Dolson My Tickets my-tickets allows Retrieve Embedded Sensitive Data.This issue affects My Tickets: from n/a through <= 2.1.0.
- CVE-2026-27868MEDIUMCVSS 6.9EG 6.92026-06-17
An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat (in this case, NO registration action is required) who has the vulnerable software could obtain privilege information by using the command Version via t…
- CVE-2026-27877MEDIUMCVSS 6.5EG 6.52026-03-27
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be conver…
- CVE-2026-28131MEDIUMCVSS 6.5EG 6.52026-02-26
Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Retrieve Embedded Sensitive Data.This issue affects Elementor Addon Elements: from n/a thr…
- CVE-2026-28481MEDIUMCVSS 6.5EG 6.52026-03-05
OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domain…
- CVE-2026-32354MEDIUMCVSS 5.3EG 5.32026-03-13
Insertion of Sensitive Information Into Sent Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Retrieve Embedded Sensitive Data.This issue affects WpEvently: from n/a through < 5.1.9.
- CVE-2026-32538HIGHCVSS 7.5EG 7.52026-03-25
Insertion of Sensitive Information Into Sent Data vulnerability in Noor Alam SMTP Mailer smtp-mailer allows Retrieve Embedded Sensitive Data.This issue affects SMTP Mailer: from n/a through <= 1.1.24.
- CVE-2026-32829HIGHCVSS 7.5EG 7.52026-03-20
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression oper…
- CVE-2026-33180HIGHCVSS 7.5EG 7.52026-03-20
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial…
- CVE-2026-34226HIGHCVSS 7.5EG 7.52026-03-27
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(...,…
- CVE-2026-34888HIGHCVSS 7.5EG 7.52026-06-17
Unauthenticated Sensitive Data Exposure in Bricksforge <= 3.1.8.4 versions.
- CVE-2026-35447MEDIUMCVSS 5.3EG 5.32026-06-02
NamelessMC is website software for Minecraft servers. In version 2.2.4, the profile page (modules/Core/pages/profile.php) processes wall post submissions and replies before verifying whether the viewer is authorized to access the profile. …
- CVE-2026-39473MEDIUMCVSS 5.3EG 5.32026-04-08
Insertion of Sensitive Information Into Sent Data vulnerability in Pär Thernström Simple History simple-history allows Retrieve Embedded Sensitive Data.This issue affects Simple History: from n/a through <= 5.24.0.
- CVE-2026-39480HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Sensitive Data Exposure in Backup Migration <= 2.1.1 versions.
- CVE-2026-39542MEDIUMCVSS 5.3EG 5.32026-04-08
Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Doofinder for WooCommerce: from n/a through <= 2.10…
- CVE-2026-39564MEDIUMCVSS 5.3EG 5.32026-04-08
Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data.This issue affects Sunshine Photo Cart: from n/a through < 3.6.2.
- CVE-2026-39570MEDIUMCVSS 5.3EG 5.32026-04-08
Insertion of Sensitive Information Into Sent Data vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Retrieve Embedded Sensitive Data.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
- CVE-2026-39586MEDIUMCVSS 5.3EG 5.32026-04-08
Insertion of Sensitive Information Into Sent Data vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Retrieve Embedded Sensitive Data.This issue affects RepairBuddy: from n/a through <= 4.1132.
- CVE-2026-39709MEDIUMCVSS 5.3EG 5.32026-04-08
Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal the-tech-tribe allows Retrieve Embedded Sensitive Data.This issue affects The Tribal: from n/a through <= 1.3.4.
- CVE-2026-39711MEDIUMCVSS 5.3EG 5.32026-04-08
Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
- CVE-2026-39912CRITICALCVSS 9.1EG 9.12026-04-09
V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the l…
- CVE-2026-40161HIGHCVSS 7.7EG 7.72026-04-21
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the Tekton Pipelines git resolver in API mode sends the syst…
Map vulnerabilities like CWE-201 to your infrastructure
EchelonGraph correlates every CVE — across CWE-201 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →