CWE-209— Generation of Error Message Containing Sensitive Information
The product generates an error message that includes sensitive information about its environment, users, or associated data.— MITRE CWE catalog
550 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-209page 11 of 11
- CVE-2025-61959MEDIUMCVSS 5.3EG 5.32025-10-29
Prior to September 19, 2025, the Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insec…
- CVE-2025-62168HIGHCVSS 7.5EG 10.02025-10-17
Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protect…
- CVE-2025-62397MEDIUMCVSS 5.3EG 5.32025-10-23
The router’s inconsistent response to invalid course IDs allowed attackers to infer which course IDs exist, potentially aiding reconnaissance.
- CVE-2025-62840LOWCVSS 3.3EG 3.32026-01-02
A generation of error message containing sensitive information vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read application data.…
- CVE-2025-64749MEDIUMCVSS 4.3EG 4.32025-11-13
Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API…
- CVE-2025-66549LOWCVSS 2.7EG 2.42025-12-05
Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for admi…
- CVE-2025-66594MEDIUMCVSS 5.3EG 5.32026-02-09
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. Detailed messages are displayed on the error page. This information could be exploited by an attacker for other attacks. The affected products and …
- CVE-2025-68110CRITICALCVSS 9.9EG 9.92025-12-17
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue.
- CVE-2025-71282HIGHCVSS 7.5EG 7.52026-04-01
XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions. This allows an attacker to obtain information about the server's directory structure.
- CVE-2025-8548LOWCVSS 3.7EG 3.72025-08-05
A vulnerability was found in atjiu pybbs up to 6.0.0 and classified as problematic. This issue affects the function sendEmailCode of the file src/main/java/co/yiiu/pybbs/controller/api/SettingsApiController.java of the component Registered…
- CVE-2025-8852MEDIUMCVSS 4.3EG 4.32025-08-11
A vulnerability was identified in WuKongOpenSource WukongCRM 11.0. This affects an unknown part of the file /adminFile/upload of the component API Response Handler. The manipulation leads to information exposure through error message. It i…
- CVE-2025-9005LOWCVSS 3.7EG 3.72025-08-15
A vulnerability was determined in mtons mblog up to 3.5.0. Affected is an unknown function of the file /register. The manipulation leads to information exposure through error message. It is possible to launch the attack remotely. The compl…
- CVE-2025-9122MEDIUMCVSS 5.3EG 5.32025-12-15
Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet.
- CVE-2025-9229MEDIUMCVSS 5.3EG 5.32025-08-20
Information disclosure vulnerability in error handling in MiR software prior to version 3.0.0 allows unauthenticated attackers to view detailed error information, such as file paths and other data, via access to verbose error pages.
- CVE-2025-9977MEDIUMCVSS 5.3EG 5.32025-11-18
Value provided in one of POST parameters sent during the process of logging in to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. SQL injection attacks might also be feas…
- CVE-2026-1175MEDIUMCVSS 5.3EG 5.32026-01-19
A vulnerability was identified in birkir prime up to 0.4.0.beta.0. This impacts an unknown function of the file /graphql of the component GraphQL Directive Handler. Such manipulation leads to information exposure through error message. The…
- CVE-2026-1248MEDIUMCVSS 4.3EG 4.32026-05-27
IBM Business Automation Workflow containers and traditional may leak information about its database structure in error messages.
- CVE-2026-20838MEDIUMCVSS 5.5EG 5.52026-01-13
Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally.
- CVE-2026-22646MEDIUMCVSS 4.3EG 4.32026-01-15
Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions…
- CVE-2026-22778CRITICALCVSS 9.8EG 9.82026-02-02
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap …
- CVE-2026-24130MEDIUMCVSS 5.3EG 5.32026-01-22
Moonraker is a Python web server providing API access to Klipper 3D printing firmware. In versions 0.9.3 and below, instances configured with the "ldap" component enabled are vulnerable to LDAP search filter injection techniques via the lo…
- CVE-2026-24511MEDIUMCVSS 4.4EG 4.42026-04-08
Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.6 and versions 9.11.0.0 through 9.13.0.0, contains a generation of error message containing sensitive information vulnerability. A high privileged attacker with local access could p…
- CVE-2026-2752MEDIUMCVSS 5.3EG 5.32026-03-06
Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error…
- CVE-2026-29146HIGHCVSS 7.5EG 7.52026-04-09
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 throu…
- CVE-2026-3259HIGHCVSS 7.1EG 7.12026-04-23
A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a…
- CVE-2026-34045CRITICALCVSS 9.1EG 8.22026-04-07
Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extr…
- CVE-2026-40245HIGHCVSS 7.5EG 7.52026-04-16
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions 4.2.1 and below contain an information disclosure vulnerability in the UDR (Unified Data Repository) service. The handler for GET /nu…
- CVE-2026-40969LOWCVSS 3.7EG 3.72026-04-28
The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be usef…
- CVE-2026-40997MEDIUMCVSS 5.3EG 5.32026-06-11
Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with g…
- CVE-2026-41644HIGHCVSS 7.1EG 7.12026-05-07
monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the …
- CVE-2026-41730MEDIUMCVSS 5.3EG 5.32026-06-10
Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; …
- CVE-2026-41931MEDIUMCVSS 5.3EG 5.32026-05-06
Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can acces…
- CVE-2026-41935HIGHCVSS 7.1EG 7.12026-05-14
Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recursion until PHP memory limits are exhau…
- CVE-2026-42459HIGHCVSS 7.5EG 7.52026-05-27
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticat…
- CVE-2026-42552HIGHCVSS 7.5EG 7.52026-05-13
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 50…
- CVE-2026-43873HIGHCVSS 7.5EG 7.52026-05-11
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'…
- CVE-2026-44002MEDIUMCVSS 5.8EG 5.82026-05-13
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() t…
- CVE-2026-44226MEDIUMCVSS 5.3EG 5.32026-05-11
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authe…
- CVE-2026-45728HIGHCVSS 7.5EG 7.52026-05-19
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the Prett…
- CVE-2026-47248MEDIUMCVSS 6.9EG 6.92026-05-29
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers throug…
- CVE-2026-47775MEDIUMCVSS 6.8EG 6.82026-06-26
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the OAuth2 HTTP filter's encrypt()/decrypt() functions use AES-256-CBC without an authentication tag (no H…
- CVE-2026-49365MEDIUMCVSS 5.3EG 5.32026-07-06
Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component. The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a …
- CVE-2026-49979LOWCVSS 2.7EG 2.72026-06-24
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connec…
- CVE-2026-53906HIGHCVSS 8.2EG 8.22026-07-01
MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclos…
- CVE-2026-5511LOWCVSS 2.7EG 2.72026-05-19
In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information. An authenticated attacker with adminis…
- CVE-2026-56139MEDIUMCVSS 5.3EG 5.32026-07-06
Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component. The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a rout…
- CVE-2026-56331MEDIUMCVSS 5.3EG 5.32026-07-01
Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers can trigger this vulnerability using only the…
- CVE-2026-7860LOWCVSS 1.6EG 1.62026-05-19
A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. B…
- CVE-2026-9583MEDIUMCVSS 4.3EG 4.32026-05-26
A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. Executing a manipulation can lead to info…
- CVE-2026-9794MEDIUMCVSS 5.3EG 5.32026-05-28
A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying …
Map vulnerabilities like CWE-209 to your infrastructure
EchelonGraph correlates every CVE — across CWE-209 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →