CWE-497 — Exposure of Sensitive System Information to an Unauthorized Control Sphere
308 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-497 (page 4 of 7)
- CVE-2025-32164 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-04-08
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in maennchen1.de m1.DownloadList m1downloadlist allows Retrieve Embedded Sensitive Data. This issue affects m1.DownloadList: from n/a through <= 0.24.
- CVE-2025-32228 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-04-10
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Retrieve Embedded Sensitive Data. This issue affects Ai Imag…
- CVE-2025-32251 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-04-04
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in J. Tyler Wiest Jetpack Feedback Exporter jetpack-feedback-exporter allows Retrieve Embedded Sensitive Data. This issue affects Jetpack Feedback Expo…
- CVE-2025-32255 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-04-04
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ERA404 StaffList stafflist allows Retrieve Embedded Sensitive Data. This issue affects StaffList: from n/a through <= 3.2.7.
- CVE-2025-32299 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-05-16
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themovation QuickCal - Appointment Booking Calendar for WordPress quickcal allows Retrieve Embedded Sensitive Data. This issue affects QuickCal - Ap…
- CVE-2025-32792 | HIGH | CVSS 8.7 | EG 0.0 | 2025-04-18
SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using `ses` and the Compartment API to evaluate th…
- CVE-2025-34156 | MEDIUM | CVSS 6.9 | EG 0.0 | 2025-10-23
Tibbo AggreGate Network Manager < 6.40.05 exposes sensitive system information through an unauthenticated endpoint at /cwmp/happyaxis.jsp. The page discloses Java system properties, server path details, and version information to unauthori…
- CVE-2025-34171 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-02
CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user…
- CVE-2025-34283 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-10-30
Nagios XI versions prior to 2024R1.4.2 revealed API keys to users who were not authorized for API access when using Neptune themes. An authenticated user without API privileges could view another user's or their own API key value.
- CVE-2025-34442 | HIGH | CVSS 7.5 | EG 7.5 | 2025-12-17
AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective atta…
- CVE-2025-3506 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-05-08
Files to be deployed with agents are accessible without authentication in Checkmk 2.1.0, Checkmk 2.2.0, Checkmk 2.3.0 and Checkmk < 2.4.0b6, allowing an attacker to access files that could contain secrets.
- CVE-2025-3606 | HIGH | CVSS 7.5 | EG 7.5 | 2025-04-25
Vestel AC Charger version 3.75.0 contains a vulnerability that could enable an attacker to access files containing sensitive information, such as credentials which could be used to further compromise the device.
- CVE-2025-36112 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-11-24
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could reveal sensitive server IP configuration information to an unauthorized user.
- CVE-2025-36146 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-09-18
IBM Lakehouse (watsonx.data 2.2) could allow an authenticated user to obtain sensitive server component version information which could aid in further attacks against the system.
- CVE-2025-36160 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-11-20
IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.
- CVE-2025-36162 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-09-02
IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) 8.1 before 8.1.2.2 could allow an authenticated user to obtain sensitive information about configuration on the system.
- CVE-2025-36229 | LOW | CVSS 3.1 | EG 3.1 | 2025-12-26
IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to enumerate sensitive information by enumerating package identifiers.
- CVE-2025-36238 | MEDIUM | CVSS 6.0 | EG 6.0 | 2026-02-02
IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 could allow a local user with administration privileges to obtain sensitive information from a Virtual TPM through a series of P…
- CVE-2025-36373 | MEDIUM | CVSS 4.1 | EG 4.1 | 2026-04-01
IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0, 10.5.0 10.5.0.0 through 10.5.0.20, and 10.6.0 10.6.0.0 through 10.6.0.8 could disclose sensitive system information…
- CVE-2025-39394 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-05-19
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Solid Plugins AnalyticsWP allows Retrieve Embedded Sensitive Data. This issue affects AnalyticsWP: from n/a through 2.1.2.
- CVE-2025-39439 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-04-17
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Markus Drubba wpLike2Get wplike2get allows Retrieve Embedded Sensitive Data. This issue affects wpLike2Get: from n/a through <= 1.2.9.
- CVE-2025-39556 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-04-16
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mediavine Mediavine Control Panel mediavine-control-panel allows Retrieve Embedded Sensitive Data. This issue affects Mediavine Control Panel: from …
- CVE-2025-39589 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-04-16
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Retrieve Embedded Sensitive Data. This issue affects Essential…
- CVE-2025-4229 | MEDIUM | CVSS 6.0 | EG 0.0 | 2025-06-13
An information disclosure vulnerability in the SD-WAN feature of Palo Alto Networks PAN-OS® software enables an unauthorized user to view unencrypted data sent from the firewall through the SD-WAN interface. This requires the user to be a…
- CVE-2025-4235 | HIGH | CVSS 7.2 | EG 0.0 | 2025-09-12
An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate…
- CVE-2025-43024 | HIGH | CVSS 7.5 | EG 7.5 | 2025-10-28
A GUI dialog of an application allows viewing which files are present in the file system without proper authorization.
- CVE-2025-43406 | MEDIUM | CVSS 5.5 | EG 5.5 | 2025-12-12
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
- CVE-2025-43471 | MEDIUM | CVSS 5.5 | EG 5.5 | 2025-12-12
The issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
- CVE-2025-4364 | HIGH | CVSS 8.7 | EG 0.0 | 2025-05-20
The affected products could allow an unauthenticated attacker to access system information that could enable further access to sensitive files and obtain administrative credentials.
- CVE-2025-44823 | CRITICAL | CVSS 9.9 | EG 9.9 | 2025-10-07
Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.
- CVE-2025-4614 | LOW | CVSS 2.7 | EG 2.7 | 2025-10-09
An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to view session tokens of users authenticated to the firewall web UI. This may allow impersonation of users whose sessio…
- CVE-2025-46421 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-04-24
A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the origin…
- CVE-2025-4662 | MEDIUM | CVSS 4.4 | EG 4.4 | 2025-07-10
Brocade SANnav before SANnav 2.4.0a logs plaintext passphrases in the Brocade SANnav host server audit logs while executing OpenSSL command using a passphrase from the command line or while providing the passphrase through a temporary file…
- CVE-2025-46717 | LOW | CVSS 3.3 | EG 3.3 | 2025-05-12
sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using `sudo --l…
- CVE-2025-46718 | LOW | CVSS 3.3 | EG 3.3 | 2025-05-12
sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with limited sudo privileges (e.g. execution of a single command) can list sudo privileges of other users using the `-U` flag. This vulne…
- CVE-2025-46747 | MEDIUM | CVSS 5.7 | EG 5.7 | 2025-05-12
An authenticated user without user-management permissions could identify other user accounts.
- CVE-2025-47319 | MEDIUM | CVSS 6.7 | EG 6.7 | 2025-12-18
Information disclosure while exposing internal TA-to-TA communication APIs to HLOS
- CVE-2025-47540 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-05-07
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail wemail allows Retrieve Embedded Sensitive Data. This issue affects weMail: from n/a through <= 1.14.13.
- CVE-2025-47699 | CRITICAL | CVSS 9.9 | EG 9.9 | 2025-10-23
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to local Morpho devices. …
- CVE-2025-48024 | MEDIUM | CVSS 5.0 | EG 5.0 | 2025-05-15
In BlueWave Checkmate before 2.1, an authenticated regular user can access sensitive application secrets via the /api/v1/settings endpoint.
- CVE-2025-48355 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-08-21
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ProveSource LTD ProveSource Social Proof provesource allows Retrieve Embedded Sensitive Data. This issue affects ProveSource Social Proof: from n/a …
- CVE-2025-49147 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-06-24
Umbraco, a free and open source .NET content management system, has a vulnerability in versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1. Via a request to an anonymously authenticated endpoint it's possible to retrieve information …
- CVE-2025-49340 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-12-31
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Digages Direct Payments WP direct-payments-wp allows Retrieve Embedded Sensitive Data. This issue affects Direct Payments WP: from n/a through <= 1.…
- CVE-2025-49419 | MEDIUM | CVSS 5.5 | EG 5.5 | 2025-06-06
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in esigngenie Foxit eSign for WordPress esign-genie-for-wp allows Retrieve Embedded Sensitive Data. This issue affects Foxit eSign for WordPress: from …
- CVE-2025-49914 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-12-18
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in jetmonsters Restaurant Menu by MotoPress mp-restaurant-menu allows Retrieve Embedded Sensitive Data. This issue affects Restaurant Menu by MotoPress…
- CVE-2025-52616 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-10-12
HCL Unica 12.1.10 can expose sensitive system information. An attacker could use this information to form an attack plan by leveraging known vulnerabilities in the application.
- CVE-2025-52719 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-06-20
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Retrieve Embedded Sensitive Data. This issue affects ProfileGrid: fr…
- CVE-2025-52752 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-10-22
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeAtelier IDonatePro idonate-pro allows Retrieve Embedded Sensitive Data. This issue affects IDonatePro: from n/a through <= 2.1.9.
- CVE-2025-53031 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-07-15
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.8, 8.0.8.5, 8.0.8.6, 8.1.1.4 and…
- CVE-2025-53211 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-06-27
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Roland Beaussant Audio Editor & Recorder audio-editor-recorder allows Retrieve Embedded Sensitive Data. This issue affects Audio Editor & Recorder: …
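Several entries on this page share one shape: an API handler returns a stored record or settings object wholesale, so fields such as API keys reach authenticated callers who were never granted access to them (CVE-2025-34283 and CVE-2025-44823 in Nagios, CVE-2025-48024 in BlueWave Checkmate). The Python below is an added example, not code from any of those products or from this page. It contrasts that pattern with allow-list serialization that releases a privileged field only to a caller who holds the matching privilege for their own record, and adds a response check that walks a JSON payload for secret-looking keys. The record layout, privilege names and sample users are assumptions chosen to show the pattern.

```python
"""Allow-list serialization versus returning the stored row.

Added example; not code from Nagios, Checkmate or any product listed above.
The record layout, privilege names and sample users are assumptions chosen to
show the pattern: secrets (API keys, password hashes) reach any caller when a
handler serializes the whole row, and stay put when it emits an allow-list.
"""
from dataclasses import dataclass
from typing import Any

# Fields any authenticated caller may see.
PUBLIC_FIELDS = ("id", "username", "email")
# Field -> privilege the caller must hold to see it, on their own record only.
PRIVILEGED_FIELDS = {"api_key": "api_access", "session_token": "session_admin"}
# Key fragments that mark a value as a secret for the response check below.
SECRET_KEY_HINTS = ("key", "token", "secret", "password", "passphrase")


@dataclass(frozen=True)
class Caller:
    user_id: int
    privileges: frozenset = frozenset()


def serialize_user_vulnerable(record: dict, caller: Caller) -> dict:
    """The vulnerable shape: the stored row, api_key and all, to any caller."""
    return dict(record)


def serialize_user(record: dict, caller: Caller) -> dict:
    """Allow-list: public fields always, privileged fields only when the caller
    holds the privilege and the record is their own. Unknown fields (e.g. a
    password hash added to the table later) are dropped by construction."""
    out = {k: record[k] for k in PUBLIC_FIELDS if k in record}
    for name, privilege in PRIVILEGED_FIELDS.items():
        if name in record and privilege in caller.privileges and record.get("id") == caller.user_id:
            out[name] = record[name]
    return out


def find_exposed_secrets(payload: Any, path: str = "$") -> list:
    """Walk a JSON-like payload and return JSONPath-ish locations whose key
    looks like a secret and whose value is non-empty. Run it over API
    responses in tests or from a proxy script to catch this class of bug."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}"
            if any(h in str(key).lower() for h in SECRET_KEY_HINTS) and value not in (None, ""):
                hits.append(here)
            hits.extend(find_exposed_secrets(value, here))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(find_exposed_secrets(value, f"{path}[{i}]"))
    return hits


# Constructed sample table.
USERS = [
    {"id": 1, "username": "admin", "email": "admin@example.test",
     "api_key": "ak_admin_0001", "password_hash": "$argon2id$constructed"},
    {"id": 7, "username": "viewer", "email": "viewer@example.test",
     "api_key": "ak_viewer_0007", "password_hash": "$argon2id$constructed"},
]


def get_users_vulnerable(caller: Caller) -> list:
    """A get_users-style handler that leaks every key to any caller."""
    return [serialize_user_vulnerable(u, caller) for u in USERS]


def get_users(caller: Caller) -> list:
    """Same listing through the allow-list serializer."""
    return [serialize_user(u, caller) for u in USERS]


if __name__ == "__main__":
    viewer = Caller(user_id=7)
    print("vulnerable:", find_exposed_secrets(get_users_vulnerable(viewer)))
    print("hardened:  ", find_exposed_secrets(get_users(viewer)))
```

The allow-list is the load-bearing part: a deny-list of known secret fields fails the moment a new column is added, whereas an allow-list only ever grows when someone deliberately exposes a field. `find_exposed_secrets` is the complementary check to run against real responses in integration tests; in the hardened path it returns only the caller's own key, and only when the caller holds the `api_access` privilege.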
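CVE-2025-46421 (libsoup) describes a client that follows an HTTP redirect and keeps sending the Authorization header to whatever host the Location header names, so a redirecting server can harvest the credential and replay it against the origin. The Python below is an added example, not libsoup code and not from this page: it computes the headers an HTTP client may forward on a redirect, dropping credential-bearing headers whenever the target origin (scheme, host, port) differs from the original request, which also covers an https-to-http downgrade on the same host and a Location whose userinfo part is crafted to look like the original host. The URLs and header values are constructed.

```python
"""Redirect handling that does not forward credentials across origins.

Added example (not libsoup code) modelling the failure in CVE-2025-46421:
a client that resends Authorization to the host a redirect points at lets
that host replay the credential against the origin. Constructed URLs/headers.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers that carry credentials and must not leave the original origin.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})


def origin(url: str) -> tuple:
    """(scheme, host, port) with the default port filled in, so that
    https://h/ and https://h:443/ compare equal. urlsplit().hostname already
    discards any userinfo part, so 'https://api.example.com@evil.example/'
    resolves to evil.example, not api.example.com."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(original_url: str, location: str, headers: dict) -> tuple:
    """Resolve the Location header against the original URL and return
    (target_url, headers_to_send). Credential headers survive only when the
    target has the same origin; a scheme change (https -> http) on the same
    host is treated as a different origin."""
    target = urljoin(original_url, location)
    same_origin = origin(original_url) == origin(target)
    forwarded = {
        name: value
        for name, value in headers.items()
        if same_origin or name.lower() not in CREDENTIAL_HEADERS
    }
    return target, forwarded


def headers_for_redirect_vulnerable(original_url: str, location: str, headers: dict) -> tuple:
    """The behaviour the advisory describes: every header, credentials included,
    follows the redirect wherever it goes."""
    return urljoin(original_url, location), dict(headers)


if __name__ == "__main__":
    req = {"Authorization": "Bearer example-token", "Accept": "application/json"}
    for loc in ("/v2/data", "https://evil.example.net/collect", "http://api.example.com/v1/data"):
        target, sent = headers_for_redirect("https://api.example.com/v1/data", loc, req)
        print(target, "->", sorted(sent))
```

The same policy is what mainstream clients apply when they strip Authorization on a host change; the point of spelling it out is that the comparison must be on the resolved target's origin, not on the raw Location string, and that a relative Location is the one case where forwarding is legitimate.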
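Entries such as CVE-2025-34156 (Java system properties and server paths from an unauthenticated JSP), CVE-2025-34442 (absolute filesystem paths in API metadata) and CVE-2025-36160 (server details in HTTP response headers) are found by reading responses, not by exploiting anything. The Python below is an added example, not from this page or any listed vendor: a small scanner that parses a raw HTTP response and reports version-bearing headers, absolute server paths and dumped Java system property names. The response it runs against is constructed, and the pattern set is a starting point to extend for the stack under test.

```python
"""Flag CWE-497-style disclosures in an HTTP response.

Added example, not from the page or any listed vendor. Looks for three things
the entries above describe: version-bearing headers, absolute server paths in
the body, and dumped Java system property names. Sample response is constructed.
"""
import re

# Headers that routinely carry product name and version.
VERSION_HEADERS = frozenset({
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
    "x-generator", "x-runtime",
})

BODY_PATTERNS = {
    # absolute *nix paths under the usual roots, not preceded by a path char
    "unix_path": re.compile(r"(?<![\w/])/(?:var|etc|home|opt|usr|srv)/[\w./-]+"),
    # Windows drive paths such as C:\inetpub\wwwroot\app
    "windows_path": re.compile(r"\b[A-Za-z]:\\(?:[\w .-]+\\)+[\w .-]*"),
    # names from System.getProperties() dumps
    "java_property": re.compile(
        r"\b(?:java\.(?:version|home|class\.path)|user\.(?:dir|home|name)|os\.(?:name|version|arch))\b"),
    # Java stack frames leak class and source layout
    "stack_trace": re.compile(r"\bat [\w$.]+\([\w$]+\.java:\d+\)"),
}


def parse_response(raw: str) -> tuple:
    """Split a raw HTTP/1.x response into (status_line, headers, body).
    Header names are lower-cased; duplicate names keep the last value."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_disclosures(raw: str) -> list:
    """Return (category, evidence) pairs. A version header is reported only
    when it contains a digit; a bare 'Server: nginx' names the software but
    not a version and is left to the reader's judgement."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in sorted(VERSION_HEADERS & set(headers)):
        if re.search(r"\d", headers[name]):
            findings.append(("header", f"{name}: {headers[name]}"))
    for category, pattern in BODY_PATTERNS.items():
        for match in sorted(set(pattern.findall(body))):
            findings.append((category, match))
    return findings


# Constructed response in the spirit of a diagnostics page that dumps
# Java system properties to an unauthenticated caller.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Powered-By: Servlet/3.1 JSP/2.3\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "java.version = 1.8.0_292\n"
    "user.dir = /opt/app/server/bin\n"
    "os.name = Linux\n"
)

if __name__ == "__main__":
    for category, evidence in find_disclosures(SAMPLE_RESPONSE):
        print(f"{category:14} {evidence}")
```

Run it over saved responses from an unauthenticated crawl; anything it reports on an endpoint that needs no login is a candidate for this weakness class, and the header findings are the cheapest to fix (suppress or genericise `Server` and `X-Powered-By` at the reverse proxy).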