CWE-201— Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.— MITRE CWE catalog
346 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-201page 7 of 7
- CVE-2026-40293MEDIUMCVSS 6.5EG 6.52026-04-17
OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the presha…
- CVE-2026-4035HIGHCVSS 7.7EG 9.12026-06-03
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlle…
- CVE-2026-40789HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Sensitive Data Exposure in Amelia <= 2.2 versions.
- CVE-2026-41181MEDIUMCVSS 5.8EG 5.82026-05-15
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. When the backend returns a response matchin…
- CVE-2026-42042MEDIUMCVSS 5.4EG 5.42026-04-24
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken…
- CVE-2026-42379HIGHCVSS 7.7EG 7.72026-04-27
Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1.
- CVE-2026-42384HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Sensitive Data Exposure in Simply Schedule Appointments < 1.6.11.2 versions.
- CVE-2026-42505MEDIUMCVSS 5.3EG 5.32026-07-08
Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello.
- CVE-2026-42539MEDIUMCVSS 6.5EG 6.52026-06-04
IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client’s operation. Version 2.4.…
- CVE-2026-42667HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Sensitive Data Exposure in Bookly <= 27.4 versions.
- CVE-2026-42673HIGHCVSS 7.5EG 7.52026-06-01
Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs... Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Acti…
- CVE-2026-42746HIGHCVSS 7.3EG 7.32026-05-27
Insertion of Sensitive Information Into Sent Data vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Retrieve Embedded Sensitive Data.This issue affects Smart Online Order for Clover: from n/a through <= 1.6…
- CVE-2026-42880CRITICALCVSS 9.6EG 9.62026-05-07
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allow…
- CVE-2026-42997HIGHCVSS 7.7EG 7.72026-05-05
An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides a…
- CVE-2026-44486HIGHCVSS 7.5EG 7.52026-06-04
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticat…
- CVE-2026-44487HIGHCVSS 7.5EG 7.52026-06-04
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. Th…
- CVE-2026-44653MEDIUMCVSS 6.5EG 6.52026-06-02
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/m…
- CVE-2026-45215MEDIUMCVSS 5.3EG 5.32026-05-12
Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data.This issue affects WP EasyPay: from n/a through <= 4.3.0.
- CVE-2026-4525HIGHCVSS 8.8EG 7.52026-04-17
If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, a…
- CVE-2026-45582MEDIUMCVSS 6.5EG 6.52026-05-18
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sendin…
- CVE-2026-45739MEDIUMCVSS 4.3EG 4.32026-05-19
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sen…
- CVE-2026-46481HIGHCVSS 8.3EG 8.32026-05-21
OpenMetadata is a unified metadata platform. Prior to version 1.12.4, a non-admin SSO user can trigger a TEST_CONNECTION workflow for a Database Service and receive, in the HTTP 201 response of POST /api/v1/automations/workflows, both the …
- CVE-2026-48877MEDIUMCVSS 6.5EG 6.52026-05-27
Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0.
- CVE-2026-48965MEDIUMCVSS 6.5EG 6.52026-06-15
Subscriber Sensitive Data Exposure in XCloner <= 4.8.6 versions.
- CVE-2026-49064HIGHCVSS 7.5EG 7.52026-06-15
Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue affects GetPaid: from n/a through 2.8.49.
- CVE-2026-49082HIGHCVSS 7.4EG 7.42026-06-15
Subscriber Sensitive Data Exposure in Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons <= 1.4.8 versions.
- CVE-2026-4927MEDIUMCVSS 6.5EG 6.52026-04-01
Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 thro…
- CVE-2026-49370LOWCVSS 3.4EG 3.42026-05-29
In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests
- CVE-2026-52692HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions.
- CVE-2026-52695HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions.
- CVE-2026-52698HIGHCVSS 7.4EG 7.42026-06-17
Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget <= 4.2.3 versions.
- CVE-2026-54197MEDIUMCVSS 6.5EG 6.52026-06-16
Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions.
- CVE-2026-54821HIGHCVSS 7.4EG 7.42026-06-25
Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.3.1 versions.
- CVE-2026-5483CRITICALCVSS 9.9EG 8.52026-04-10
A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This c…
- CVE-2026-54834HIGHCVSS 7.5EG 7.52026-06-26
Unauthenticated Sensitive Data Exposure in Object Cache 4 everyone <= 2.3.2 versions.
- CVE-2026-54841HIGHCVSS 7.5EG 7.52026-06-25
Unauthenticated Sensitive Data Exposure in Vitepos <= 3.4.2 versions.
- CVE-2026-54848HIGHCVSS 8.3EG 8.32026-06-25
Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal APIExperts Square... Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal APIExperts Square for WooCommerce allows Retrieve Embedded Se…
- CVE-2026-5512MEDIUMCVSS 4.3EG 4.32026-04-21
An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not per…
- CVE-2026-55180MEDIUMCVSS 6.5EG 6.52026-06-25
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious re…
- CVE-2026-56460MEDIUMCVSS 6.5EG 6.52026-07-09
HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.
- CVE-2026-57318MEDIUMCVSS 6.5EG 6.52026-06-26
Subscriber Sensitive Data Exposure in Site Reviews <= 8.0.11 versions.
- CVE-2026-57347MEDIUMCVSS 6.5EG 6.52026-07-02
Subscriber Sensitive Data Exposure in Hotel Booking Lite <= 6.0.3 versions.
- CVE-2026-57736HIGHCVSS 7.4EG 7.42026-07-01
Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data. This issue affects HubSpot: from n/a through 11.3.51.
- CVE-2026-59511MEDIUMCVSS 5.3EG 5.32026-07-05
Insertion of Sensitive Information Into Sent Data vulnerability in Tim Strifler Exclusive Addons Elementor allows Retrieve Embedded Sensitive Data. This issue affects Exclusive Addons Elementor: from n/a through 2.7.9.9.
- CVE-2026-59519MEDIUMCVSS 5.3EG 5.32026-07-05
Insertion of Sensitive Information Into Sent Data vulnerability in Softaculous FormLayer allows Retrieve Embedded Sensitive Data. This issue affects FormLayer: from n/a through 1.0.6.
- CVE-2026-7184MEDIUMCVSS 6.5EG 6.52026-06-12
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_secure_connections}} permission to obtain …
Map vulnerabilities like CWE-201 to your infrastructure
EchelonGraph correlates every CVE — across CWE-201 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →