Skip to main content

CWE-202

Exposure of Sensitive Information Through Data Queries

28 CVEs Avg CVSS 6.5 MITRE
1
CRITICAL
11
HIGH
15
MEDIUM
1
LOW
9
POC
0
KEV

Monthly

CVE-2026-42797 Maven MEDIUM PATCH This Month

Malicious JEXL expression injection in Apache Syncope's Derived Schema feature enables privileged information disclosure across administrative roles. An administrator holding entitlements over Derived Schemas can embed a crafted JEXL expression that, when evaluated in the context of another administrator's User read operation, exposes security-sensitive User attributes that would not normally be accessible. Affected versions span three release lines (3.0.x through 3.0.16, 4.0.x through 4.0.5, and 4.1.0); no active exploitation is confirmed (no CISA KEV listing) and the EPSS score of 0.02% places this in the 4th percentile for exploitation probability.

Information Disclosure Apache Apache Syncope
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-30778 Maven HIGH PATCH GHSA This Week

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue.

Apache Information Disclosure PostgreSQL
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33530 HIGH PATCH This Week

Authenticated attackers with low-level privileges can exfiltrate sensitive database information from InvenTree open source inventory management systems prior to version 1.2.6 by abusing unvalidated filter parameters in bulk operation API endpoints. The vulnerability enables blind boolean-based data extraction through Django ORM relationship traversal, achieving high confidentiality impact with changed scope per CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (score 7.7). No public exploit identified at time of analysis, and vendor-released patches are available in versions 1.2.6 and 1.3.0.

Python Information Disclosure
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-3546 MEDIUM This Month

The e-shot form builder plugin for WordPress contains a sensitive information exposure vulnerability in the eshot_form_builder_get_account_data() AJAX handler that is accessible to any authenticated user without capability checks or nonce verification. An attacker with Subscriber-level access or higher can extract the e-shot API token and subaccount information by calling this AJAX endpoint, potentially compromising the victim's e-shot platform account. The vulnerability affects all versions up to and including 1.0.2, and while this CVE does not appear in the KEV catalog or have public proof-of-concept code readily available, the CVSS score of 5.3 reflects moderate risk due to the low attack complexity and lack of user interaction required.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25050 npm MEDIUM PATCH This Month

Vendure versions up to 3.5.3 contains a vulnerability that allows attackers to enumerate valid usernames (email addresses) (CVSS 5.3).

Information Disclosure Vendure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68456 PHP CRITICAL POC PATCH Act Now

Craft CMS (5.0.0-RC1 through 5.8.20, 3.x through 4.16.16) allows unauthenticated users to trigger database backup operations, leading to resource exhaustion or information disclosure if backups are stored in accessible locations. PoC available, patches available.

Information Disclosure Craft Cms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-64504 MEDIUM PATCH This Month

Langfuse is an open source large language model engineering platform. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Langfuse
NVD GitHub
CVSS 3.1
5.0
EPSS
0.1%
CVE-2025-36575 HIGH PATCH This Week

A information disclosure vulnerability in an Exposure of Sensitive Information (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Information Disclosure Dell Wyse Management Suite
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-29981 HIGH This Week

Dell Wyse Management Suite, versions prior to WMS 5.1, contains an Exposure of Sensitive Information Through Data Queries vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Dell Information Disclosure Wyse Management Suite
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-25205 HIGH POC PATCH This Week

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Authentication Bypass Denial Of Service Audiobookshelf
NVD GitHub
CVSS 3.1
8.2
EPSS
0.6%
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Malicious JEXL expression injection in Apache Syncope's Derived Schema feature enables privileged information disclosure across administrative roles. An administrator holding entitlements over Derived Schemas can embed a crafted JEXL expression that, when evaluated in the context of another administrator's User read operation, exposes security-sensitive User attributes that would not normally be accessible. Affected versions span three release lines (3.0.x through 3.0.16, 4.0.x through 4.0.5, and 4.1.0); no active exploitation is confirmed (no CISA KEV listing) and the EPSS score of 0.02% places this in the 4th percentile for exploitation probability.

Information Disclosure Apache Apache Syncope
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue.

Apache Information Disclosure PostgreSQL
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authenticated attackers with low-level privileges can exfiltrate sensitive database information from InvenTree open source inventory management systems prior to version 1.2.6 by abusing unvalidated filter parameters in bulk operation API endpoints. The vulnerability enables blind boolean-based data extraction through Django ORM relationship traversal, achieving high confidentiality impact with changed scope per CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (score 7.7). No public exploit identified at time of analysis, and vendor-released patches are available in versions 1.2.6 and 1.3.0.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

The e-shot form builder plugin for WordPress contains a sensitive information exposure vulnerability in the eshot_form_builder_get_account_data() AJAX handler that is accessible to any authenticated user without capability checks or nonce verification. An attacker with Subscriber-level access or higher can extract the e-shot API token and subaccount information by calling this AJAX endpoint, potentially compromising the victim's e-shot platform account. The vulnerability affects all versions up to and including 1.0.2, and while this CVE does not appear in the KEV catalog or have public proof-of-concept code readily available, the CVSS score of 5.3 reflects moderate risk due to the low attack complexity and lack of user interaction required.

WordPress Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Vendure versions up to 3.5.3 contains a vulnerability that allows attackers to enumerate valid usernames (email addresses) (CVSS 5.3).

Information Disclosure Vendure
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Craft CMS (5.0.0-RC1 through 5.8.20, 3.x through 4.16.16) allows unauthenticated users to trigger database backup operations, leading to resource exhaustion or information disclosure if backups are stored in accessible locations. PoC available, patches available.

Information Disclosure Craft Cms
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Langfuse is an open source large language model engineering platform. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Langfuse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A information disclosure vulnerability in an Exposure of Sensitive Information (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Information Disclosure Dell Wyse Management Suite
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Dell Wyse Management Suite, versions prior to WMS 5.1, contains an Exposure of Sensitive Information Through Data Queries vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Dell Information Disclosure Wyse Management Suite
NVD
EPSS 1% CVSS 8.2
HIGH POC PATCH This Week

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Authentication Bypass Denial Of Service +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy