CWE-201: Insertion of Sensitive Information Into Sent Data
289 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-201 (page 6 of 6)
- CVE-2026-1539 | MEDIUM | CVSS 5.8 | EG 5.8 | 2026-01-28
  A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Author…
- CVE-2026-20151 | HIGH | CVSS 7.3 | EG 7.3 | 2026-04-01
  A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to the improper transmission…
- CVE-2026-22246 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-01-08
  Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code…
- CVE-2026-22539 | MEDIUM | CVSS 5.3 | EG 0.0 | 2026-01-07
  As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6.
- CVE-2026-23878 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-01-19
  HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document AP…
- CVE-2026-24427 | MEDIUM | CVSS 6.8 | EG 5.5 | 2026-02-03
  Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior exposes sensitive information in web management responses. Administrative credentials, including the router and/or admin panel password, are included in plaintext within configur…
- CVE-2026-24430 | HIGH | CVSS 7.5 | EG 7.5 | 2026-01-26
  Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible…
- CVE-2026-24477 | HIGH | CVSS 7.5 | EG 7.5 | 2026-01-27
  AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this Qdr…
- CVE-2026-24557 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-23
  Insertion of Sensitive Information Into Sent Data vulnerability in WEN Solutions Contact Form 7 GetResponse Extension contact-form-7-getresponse-extension allows Retrieve Embedded Sensitive Data. This issue affects Contact Form 7 GetRespons…
- CVE-2026-24559 | MEDIUM | CVSS 5.3 | EG 5.4 | 2026-01-23
  Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data. This issue affects Integration for Contact Form 7 HubSpot: from n/a thr…
- CVE-2026-24565 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-01-23
  Insertion of Sensitive Information Into Sent Data vulnerability in bPlugins B Accordion b-accordion allows Retrieve Embedded Sensitive Data. This issue affects B Accordion: from n/a through <= 2.0.2.
- CVE-2026-24589 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-23
  Insertion of Sensitive Information Into Sent Data vulnerability in Cargus eCommerce Cargus cargus allows Retrieve Embedded Sensitive Data. This issue affects Cargus: from n/a through <= 1.5.8.
- CVE-2026-24992 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-02-03
  Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Retrieve Embedded Sensitive Data. This issue affects Advanced Wo…
- CVE-2026-28481 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-03-05
  OpenClaw versions 2026.1.30 and earlier contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domain…
- CVE-2026-35447 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-06-02
  NamelessMC is website software for Minecraft servers. In version 2.2.4, the profile page (modules/Core/pages/profile.php) processes wall post submissions and replies before verifying whether the viewer is authorized to access the profile. …
- CVE-2026-39473 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-04-08
  Insertion of Sensitive Information Into Sent Data vulnerability in Pär Thernström Simple History simple-history allows Retrieve Embedded Sensitive Data. This issue affects Simple History: from n/a through <= 5.24.0.
- CVE-2026-39542 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-04-08
  Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data. This issue affects Doofinder for WooCommerce: from n/a through <= 2.10…
- CVE-2026-39564 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-04-08
  Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data. This issue affects Sunshine Photo Cart: from n/a through < 3.6.2.
- CVE-2026-39570 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-04-08
  Insertion of Sensitive Information Into Sent Data vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Retrieve Embedded Sensitive Data. This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
- CVE-2026-39586 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-04-08
  Insertion of Sensitive Information Into Sent Data vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Retrieve Embedded Sensitive Data. This issue affects RepairBuddy: from n/a through <= 4.1132.
- CVE-2026-39709 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-04-08
  Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal the-tech-tribe allows Retrieve Embedded Sensitive Data. This issue affects The Tribal: from n/a through <= 1.3.4.
- CVE-2026-39711 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-04-08
  Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data. This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
- CVE-2026-39912 | CRITICAL | CVSS 9.1 | EG 9.1 | 2026-04-09
  V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the l…
- CVE-2026-40161 | HIGH | CVSS 7.7 | EG 7.7 | 2026-04-21
  Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the Tekton Pipelines git resolver in API mode sends the syst…
- CVE-2026-4035 | CRITICAL | CVSS 9.1 | EG 9.1 | 2026-06-03
  A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlle…
- CVE-2026-41181 | MEDIUM | CVSS 5.8 | EG 5.8 | 2026-05-15
  Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. When the backend returns a response matchin…
- CVE-2026-42042 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-04-24
  Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken…
- CVE-2026-42379 | HIGH | CVSS 7.7 | EG 7.7 | 2026-04-27
  Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.6.1.
- CVE-2026-42673 | HIGH | CVSS 7.5 | EG 7.5 | 2026-06-01
  Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Acti…
- CVE-2026-42746 | HIGH | CVSS 7.3 | EG 7.3 | 2026-05-27
  Insertion of Sensitive Information Into Sent Data vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Retrieve Embedded Sensitive Data. This issue affects Smart Online Order for Clover: from n/a through <= 1.6…
- CVE-2026-44653 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-06-02
  LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/m…
- CVE-2026-45215 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-05-12
  Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data. This issue affects WP EasyPay: from n/a through <= 4.3.0.
- CVE-2026-4525 | HIGH | CVSS 7.5 | EG 7.5 | 2026-04-17
  If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, a…
- CVE-2026-45582 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-18
  n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sendin…
- CVE-2026-48877 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-27
  Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0.
- CVE-2026-4927 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-04-01
  Exposure of sensitive information in the users' MFA feature in Devolutions Server allows users with user management privileges to obtain other users' OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 thro…
- CVE-2026-49370 | LOW | CVSS 3.4 | EG 3.4 | 2026-05-29
  In JetBrains YouTrack before 2026.1.13162, information disclosure was possible on fetchApp requests.
- CVE-2026-5483 | HIGH | CVSS 8.5 | EG 8.5 | 2026-04-10
  A flaw was found in odh-dashboard in Red Hat OpenShift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This c…
- CVE-2026-5512 | MEDIUM | CVSS 4.3 | EG 4.3 | 2026-04-21
  An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not per…