CWE-497— Exposure of Sensitive System Information to an Unauthorized Control Sphere
The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.— MITRE CWE catalog
338 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-497page 7 of 7
- CVE-2026-32405MEDIUMCVSS 5.3EG 5.32026-03-13
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in xtemos WoodMart woodmart allows Retrieve Embedded Sensitive Data.This issue affects WoodMart: from n/a through <= 8.3.9.
- CVE-2026-33617MEDIUMCVSS 5.3EG 5.32026-04-02
An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in a some loss of confidentiality, but there is no endpoint exposed to use these credentials.
- CVE-2026-34413HIGHCVSS 8.6EG 8.62026-04-22
Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() …
- CVE-2026-34891HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions.
- CVE-2026-39469MEDIUMCVSS 4.3EG 4.32026-04-08
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Softaculous PageLayer pagelayer allows Retrieve Embedded Sensitive Data.This issue affects PageLayer: from n/a through <= 2.0.8.
- CVE-2026-39516MEDIUMCVSS 5.3EG 5.32026-04-08
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data.This issue affects Nexter Blocks: from n/a through …
- CVE-2026-39536MEDIUMCVSS 5.3EG 5.32026-04-08
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.This issue affects RSVP and Event Management: from n/a through <= 2…
- CVE-2026-39566MEDIUMCVSS 4.3EG 4.02026-04-08
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Designinvento DirectoryPress directorypress allows Retrieve Embedded Sensitive Data.This issue affects DirectoryPress: from n/a through <= 3.6.26.
- CVE-2026-39571MEDIUMCVSS 5.3EG 5.32026-04-08
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themefic Instantio instantio allows Retrieve Embedded Sensitive Data.This issue affects Instantio: from n/a through <= 3.3.30.
- CVE-2026-39572MEDIUMCVSS 4.3EG 4.02026-04-08
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Retrieve Embedded Sensitive Data.This issue…
- CVE-2026-39686MEDIUMCVSS 5.3EG 5.32026-04-08
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in bannersky BSK PDF Manager bsk-pdf-manager allows Retrieve Embedded Sensitive Data.This issue affects BSK PDF Manager: from n/a through <= 3.7.2.
- CVE-2026-40796MEDIUMCVSS 6.5EG 6.52026-06-15
Subscriber Sensitive Data Exposure in WPPizza <= 3.19.9 versions.
- CVE-2026-41335MEDIUMCVSS 5.3EG 5.32026-04-23
OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Co…
- CVE-2026-41339MEDIUMCVSS 4.3EG 4.32026-04-23
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host f…
- CVE-2026-41459MEDIUMCVSS 5.3EG 5.32026-04-22
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET reques…
- CVE-2026-41928MEDIUMCVSS 5.3EG 5.32026-05-07
Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authenticati…
- CVE-2026-42047HIGHCVSS 8.6EG 8.62026-05-07
Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated remote attackers to exfilt…
- CVE-2026-42644MEDIUMCVSS 5.3EG 5.32026-04-29
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPDeveloper BetterDocs betterdocs allows Retrieve Embedded Sensitive Data.This issue affects BetterDocs: from n/a through <= 4.3.10.
- CVE-2026-42660MEDIUMCVSS 6.5EG 6.52026-06-15
Subscriber Sensitive Data Exposure in Contest Gallery <= 28.1.7 versions.
- CVE-2026-43654HIGHCVSS 7.5EG 7.52026-05-11
The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An a…
- CVE-2026-44743LOWCVSS 3.7EG 3.72026-06-09
Under certain conditions, when an unauthorized attacker accesses a specific endpoint, SAP Business Objects application leaks sensitive information .This has a low impact on the confidentiality of the data. There is no impact on integrity a…
- CVE-2026-44749MEDIUMCVSS 4.3EG 4.32026-05-26
The SAP Gateway allows attackers to inject content into error messages, potentially leading to disclosure of request artefacts (e.g., regex patterns) and revealing underlying URI parsing logic. Leading to low impact on confidentiality. Int…
- CVE-2026-48878MEDIUMCVSS 6.5EG 6.52026-06-15
Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.4.1 versions.
- CVE-2026-49056HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Sensitive Data Exposure in WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.9.4 versions.
- CVE-2026-49066HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Sensitive Data Exposure in Conekta Payment Gateway <= 6.0.0 versions.
- CVE-2026-49068HIGHCVSS 7.5EG 7.52026-06-15
Subscriber Sensitive Data Exposure in Coupon Affiliates <= 7.8.1 versions.
- CVE-2026-49077MEDIUMCVSS 5.3EG 5.32026-06-04
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Tips and Tricks HQ WP eMember allows Retrieve Embedded Sensitive Data. This issue affects WP eMember: from n/a through v10.2.2.
- CVE-2026-52694HIGHCVSS 7.5EG 7.52026-06-15
Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions.
- CVE-2026-54824HIGHCVSS 7.5EG 7.52026-06-26
Unauthenticated Sensitive Data Exposure in Ads by WPQuads <= 3.0.3 versions.
- CVE-2026-55726MEDIUMCVSS 5.3EG 5.32026-07-03
The Azure Blob Storage container used for Gardyn device logs is publicly listable without authentication. A malicious user would be able to access any device log file available in the blob storage container.
- CVE-2026-56060HIGHCVSS 7.5EG 7.52026-06-26
Unauthenticated Sensitive Data Exposure in Print Invoice & Delivery Notes for WooCommerce <= 7.1.1 versions.
- CVE-2026-56124HIGHCVSS 7.5EG 7.52026-06-29
phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index mode…
- CVE-2026-57316MEDIUMCVSS 6.5EG 6.52026-06-26
Subscriber Sensitive Data Exposure in GetGenie <= 4.4.2 versions.
- CVE-2026-57633MEDIUMCVSS 5.3EG 5.32026-06-26
Unauthenticated Sensitive Data Exposure in WCBoost – Products Compare <= 1.1.0 versions.
- CVE-2026-57664MEDIUMCVSS 4.3EG 4.32026-06-26
Unauthenticated Sensitive Data Exposure in Bopo – WooCommerce Product Bundle Builder <= 1.1.6 versions.
- CVE-2026-57753MEDIUMCVSS 5.3EG 5.32026-07-02
Unauthenticated Sensitive Data Exposure in Kit (formerly ConvertKit) for WooCommerce <= 2.1.5 versions.
- CVE-2026-7864MEDIUMCVSS 6.9EG 6.92026-05-08
SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI, allowing remote attackers to obtain sensitive system information.
- CVE-2026-9307MEDIUMCVSS 6.3EG 6.32026-06-16
A sensitive information disclosure security issue exists within the affected CompactLogix controllers. The controller's web server exposes CIP Connection IDs on the diagnostics webpage, which are accessible to any unauthenticated user on…
Map vulnerabilities like CWE-497 to your infrastructure
EchelonGraph correlates every CVE — across CWE-497 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →