CWE-532— Insertion of Sensitive Information into Log File
The product writes sensitive information to a log file.— MITRE CWE catalog
1,106 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-532page 21 of 23
- CVE-2025-66236HIGHCVSS 7.5EG 7.52026-04-13
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager co…
- CVE-2025-6624HIGHCVSS 7.2EG 7.22025-06-26
Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. Container Registry credentials provided via environment variables or command line arguments …
- CVE-2025-66411MEDIUMCVSS 5.5EG 7.82025-12-03
Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limite…
- CVE-2025-66910MEDIUMCVSS 6.0EG 6.02025-12-19
Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to op…
- CVE-2025-6711MEDIUMCVSS 4.9EG 4.42025-07-07
An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v…
- CVE-2025-67223HIGHCVSS 7.5EG 7.52026-04-28
The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direc…
- CVE-2025-68675HIGHCVSS 7.5EG 7.52026-01-16
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore…
- CVE-2025-68919MEDIUMCVSS 5.6EG 5.62025-12-24
Fujitsu / Fsas Technologies ETERNUS SF ACM/SC/Express (DX / AF Management Software) before 16.8-16.9.1 PA 2025-12, when collected maintenance data is accessible by a principal/authority other than ETERNUS SF Admin, allows an attacker to po…
- CVE-2025-70040MEDIUMCVSS 5.3EG 5.32026-03-09
An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File was discovered in LupinLin1 jimeng-web-mcp v2.1.2. This allows an attacker to obtain sensitive information.
- CVE-2025-7371MEDIUMCVSS 6.8EG 6.82025-07-22
Okta On-Premises Provisioning (OPP) agents log certain user data during administrator-initiated password resets. This vulnerability allows an attacker with access to the local servers running OPP agents to retrieve user personal informatio…
- CVE-2025-7426CRITICALCVSS 9.3EG 9.32025-08-25
Information disclosure and exposure of authentication FTP credentials over the debug port 1604 in the MINOVA TTA service. This allows unauthenticated remote access to an active FTP account containing sensitive internal data and import stru…
- CVE-2025-7445MEDIUMCVSS 6.5EG 6.52025-09-05
Kubernetes secrets-store-sync-controller in versions before 0.0.2 discloses service account tokens in logs.
- CVE-2025-8663MEDIUMCVSS 6.5EG 6.52025-09-03
Insertion of Sensitive Information into Log File vulnerability in upKeeper Solutions upKeeper Manager allows Use of Known Domain Credentials.This issue affects upKeeper Manager: from 5.0.0 before 5.2.12.
- CVE-2025-8864MEDIUMCVSS 6.8EG 6.82025-08-11
Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs
- CVE-2025-9985MEDIUMCVSS 5.3EG 5.32025-09-26
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. This makes it possible for unauthenticated attackers to…
- CVE-2026-0207HIGHCVSS 8.5EG 8.52026-04-14
A vulnerability exists in FlashBlade whereby sensitive information may be logged under specific conditions.
- CVE-2026-0267MEDIUMCVSS 5.5EG 5.52026-06-10
An information exposure vulnerability in the Palo Alto Networks GlobalProtect app on macOS enables a local user to learn the configured passcodes for disabling, disconnecting, or uninstalling the GlobalProtect app. After the passcode is kn…
- CVE-2026-0519LOWCVSS 3.4EG 3.42026-01-17
In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integ…
- CVE-2026-0936MEDIUMCVSS 5.0EG 5.02026-01-29
An Insertion of Sensitive Information into Log File vulnerability in B&R PVI client versions prior to 6.5 may be abused by an authenticated local attacker to gather credential information which is processed by the PVI client application. T…
- CVE-2026-11819MEDIUMCVSS 5.5EG 5.52026-06-23
Module: plugins/modules/keyring_info.py CVSS 3.1: 5.5 MEDIUM — AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: The module retrieves a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) and pl…
- CVE-2026-11820MEDIUMCVSS 6.5EG 6.52026-06-23
A flaw was found in the community.general Ansible collection's nexmo module. The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding API credentials (api_key and api_secret) into URL query parameters and sending them vi…
- CVE-2026-12053HIGHCVSS 7.5EG 8.62026-06-25
GitLab has remediated an issue in GitLab EE affecting all versions from 19.1 before 19.1.1 that under certain conditions could have allowed a user to access sensitive information that had already been committed to a project, due to insuffi…
- CVE-2026-12086MEDIUMCVSS 5.5EG 6.22026-06-30
IBM UCD - IBM UrbanCode Deploy 7.2 through 7.2.3.23, and 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 stores potentially sensitive information in log files that cou…
- CVE-2026-13750MEDIUMCVSS 5.5EG 5.52026-06-29
Insertion of sensitive information into log files in Snowflake CLI versions prior to 3.19 allowed plaintext credentials to be written to persistent local debug logs. An attacker could exploit this by obtaining read access to the affected u…
- CVE-2026-1495MEDIUMCVSS 6.5EG 6.52026-02-10
The vulnerability, if exploited, could allow an attacker with Event Log Reader (S-1-5-32-573) privileges to obtain proxy details, including URL and proxy credentials, from the PI to CONNECT event log files. This could enable unauthorized a…
- CVE-2026-1622MEDIUMCVSS 4.8EG 4.82026-02-04
Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query lo…
- CVE-2026-20205HIGHCVSS 7.2EG 7.22026-04-15
In Splunk MCP Server app versions below 1.0.3 , a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users session and authorization tokens in clear text…
- CVE-2026-20239HIGHCVSS 7.5EG 7.52026-05-20
In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cooki…
- CVE-2026-20646LOWCVSS 3.3EG 3.32026-02-11
A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.3. A malicious app may be able to read sensitive location information.
- CVE-2026-20663LOWCVSS 3.3EG 3.32026-02-11
The issue was resolved by sanitizing logging. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An app may be able to enumerate a user's installed apps.
- CVE-2026-20818MEDIUMCVSS 6.2EG 6.22026-01-13
Insertion of sensitive information into log file in Windows Kernel allows an unauthorized attacker to disclose information locally.
- CVE-2026-21222MEDIUMCVSS 5.5EG 5.52026-02-10
Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.
- CVE-2026-21791LOWCVSS 3.3EG 3.32026-03-10
HCL Sametime for Android is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URL
- CVE-2026-22038HIGHCVSS 8.1EG 8.12026-02-04
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.46, the AutoGPT platform's Stagehand integration blocks lo…
- CVE-2026-22778CRITICALCVSS 9.8EG 9.82026-02-02
vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap …
- CVE-2026-22782HIGHCVSS 7.5EG 7.52026-01-16
RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers a…
- CVE-2026-22798MEDIUMCVSS 5.9EG 5.92026-01-12
hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If u…
- CVE-2026-23493HIGHCVSS 8.6EG 8.62026-01-15
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session …
- CVE-2026-23775HIGHCVSS 7.6EG 7.62026-04-17
Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion of sensitive information into log file vu…
- CVE-2026-2401MEDIUMCVSS 5.0EG 5.02026-04-14
CWE-532 Insertion of Sensitive Information into Log File vulnerability exists that could cause confidential information to be exposed when a Web Admin user executes a malicious file provided by an attacker.
- CVE-2026-24308HIGHCVSS 7.5EG 7.52026-03-07
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are …
- CVE-2026-24762HIGHCVSS 7.5EG 7.52026-02-03
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentia…
- CVE-2026-25193HIGHCVSS 8.1EG 8.12026-05-25
Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure. Mitigating Factor: Only sites that install Command Centre Services with a custom …
- CVE-2026-25211LOWCVSS 3.2EG 3.22026-01-30
Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log.
- CVE-2026-25813HIGHCVSS 7.5EG 7.52026-02-09
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction.
- CVE-2026-25846MEDIUMCVSS 6.5EG 6.52026-02-09
In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs
- CVE-2026-25918MEDIUMCVSS 5.5EG 5.52026-02-09
unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments i…
- CVE-2026-2607MEDIUMCVSS 5.1EG 5.12026-05-27
IBM MQ Operator SC2: v3.2.0 through 3.2.23CD: v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1LTS: v2.0.0 - 2.0.29 and IBM supplied MQ Advanced container images SC2: 9.4.0.…
- CVE-2026-27315MEDIUMCVSS 5.5EG 5.52026-04-07
Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file access. Users are recommended to upgra…
- CVE-2026-28261HIGHCVSS 7.8EG 7.82026-04-08
Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local a…
Map vulnerabilities like CWE-532 to your infrastructure
EchelonGraph correlates every CVE — across CWE-532 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →