Skip to main content

CWE-922

Insecure Storage of Sensitive Information

234 CVEs Avg CVSS 5.8 MITRE
8
CRITICAL
57
HIGH
133
MEDIUM
35
LOW
37
POC
0
KEV

Monthly

CVE-2026-5515 MEDIUM This Month

Sensitive information disclosure in IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 exposes potentially sensitive data via log files accessible to local users. The CVSS vector (AV:L/PR:L) confirms exploitation requires local, low-privileged authenticated access, limiting the attack surface to users already present on the system. No public exploit has been identified and CISA SSVC rates exploitation as none, but the confidentiality impact is rated High, meaning successful access to log files could yield significant sensitive data.

IBM Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-32751 MEDIUM PATCH This Month

Dell PowerFlex Manager versions 4.6.2 and earlier improperly store sensitive information in a manner accessible to low-privileged local users, resulting in unauthorized disclosure of confidential data with high confidentiality impact per CVSS. Affected deployments span both the Appliance and Rack form factors of the platform. No public exploit code has been identified at time of analysis and CISA KEV does not list this vulnerability, though the CWE-922 root cause and the 'Authentication Bypass' tag suggest the exposed data may include credentials or tokens that could enable downstream privilege escalation or lateral movement.

Dell Authentication Bypass Powerflex Manager Appliance Powerflex Manager Rack Powerflex Manager
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-32746 MEDIUM PATCH This Month

Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 exposes credentials, keys, or configuration secrets to any attacker with local OS-level access to the appliance - no PowerFlex Manager authentication required. The CVSS vector (AV:L/AC:L/PR:N/UI:N) confirms the attacker needs only local system access, not application credentials, to retrieve the improperly protected data. No public exploit identified at time of analysis and no CISA KEV listing; however, the 'Authentication Bypass' tag in the intelligence data suggests the exposed sensitive material may itself enable downstream privilege escalation or authentication bypass against PowerFlex or its managed infrastructure.

Dell Authentication Bypass Powerflex Manager Appliance Powerflex Manager Rack Powerflex Manager
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-7257 MEDIUM Monitor

Zyxel WRE6505 v2 firmware stores sensitive configuration data in an insecure manner, allowing local administrators to download and decrypt backup configuration files, leading to disclosure of confidential credentials and network settings. The vulnerability affects firmware version V1.00(ABDV.3)C0 and requires local access with administrative privileges. No public exploit code or active exploitation has been identified; however, the product is no longer supported by Zyxel, limiting patch availability.

Zyxel Information Disclosure
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-26152 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Cryptographic Services affects Windows 10, Windows 11, and Windows Server versions from 2012 through 2025 due to insecure storage of cryptographic material. Authenticated attackers with low privileges can exploit this CWE-922 weakness (insecure storage of sensitive information) to gain high-level access to confidentiality, integrity, and availability. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis,

Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-5666 MEDIUM POC This Month

Code-Projects Online FIR System 1.0 stores sensitive database backup files insecurely, allowing unauthenticated remote attackers to access the /complaints.sql backup file and disclose confidential information. The CVSS 5.5 score reflects low confidentiality impact but network-accessible exposure; publicly available exploit code exists, elevating practical risk despite the moderate score.

Information Disclosure Online Fir System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5650 MEDIUM POC This Month

Code-Projects Online Application System for Admission 1.0 stores sensitive information insecurely in the /enrollment/database/oas.sql file, allowing remote unauthenticated attackers to disclose confidential data. The vulnerability has publicly available exploit code and is rated CVSS 5.3 with an EPSS percentile indicating moderate exploitation probability. Attackers can access the database backup file remotely without authentication or user interaction, leading to information disclosure.

Information Disclosure Online Application System For Admission
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-10734 MEDIUM This Month

The ReviewX - WooCommerce Product Reviews plugin for WordPress contains a Sensitive Information Exposure vulnerability in the syncedData function that allows unauthenticated attackers to extract sensitive user data including names, emails, phone numbers, and addresses from affected sites. All versions up to and including 2.2.12 are vulnerable, affecting any WordPress installation running this popular review plugin. The vulnerability has a CVSS score of 5.3 (Medium) with low attack complexity and no authentication required, making it relatively straightforward to exploit.

WordPress Information Disclosure Google
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-20629 MEDIUM This Month

Improper temporary file handling in macOS allows local applications to read sensitive user data without user interaction. An attacker with local access and app execution privileges can bypass privacy controls to access confidential information. This vulnerability affects macOS Tahoe 26.3 and earlier, with no patch currently available.

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-14376 Monitor

A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024.

Information Disclosure
NVD
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM This Month

Sensitive information disclosure in IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 exposes potentially sensitive data via log files accessible to local users. The CVSS vector (AV:L/PR:L) confirms exploitation requires local, low-privileged authenticated access, limiting the attack surface to users already present on the system. No public exploit has been identified and CISA SSVC rates exploitation as none, but the confidentiality impact is rated High, meaning successful access to log files could yield significant sensitive data.

IBM Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Dell PowerFlex Manager versions 4.6.2 and earlier improperly store sensitive information in a manner accessible to low-privileged local users, resulting in unauthorized disclosure of confidential data with high confidentiality impact per CVSS. Affected deployments span both the Appliance and Rack form factors of the platform. No public exploit code has been identified at time of analysis and CISA KEV does not list this vulnerability, though the CWE-922 root cause and the 'Authentication Bypass' tag suggest the exposed data may include credentials or tokens that could enable downstream privilege escalation or lateral movement.

Dell Authentication Bypass Powerflex Manager Appliance +2
NVD
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 exposes credentials, keys, or configuration secrets to any attacker with local OS-level access to the appliance - no PowerFlex Manager authentication required. The CVSS vector (AV:L/AC:L/PR:N/UI:N) confirms the attacker needs only local system access, not application credentials, to retrieve the improperly protected data. No public exploit identified at time of analysis and no CISA KEV listing; however, the 'Authentication Bypass' tag in the intelligence data suggests the exposed sensitive material may itself enable downstream privilege escalation or authentication bypass against PowerFlex or its managed infrastructure.

Dell Authentication Bypass Powerflex Manager Appliance +2
NVD
EPSS 0% CVSS 4.4
MEDIUM Monitor

Zyxel WRE6505 v2 firmware stores sensitive configuration data in an insecure manner, allowing local administrators to download and decrypt backup configuration files, leading to disclosure of confidential credentials and network settings. The vulnerability affects firmware version V1.00(ABDV.3)C0 and requires local access with administrative privileges. No public exploit code or active exploitation has been identified; however, the product is no longer supported by Zyxel, limiting patch availability.

Zyxel Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Cryptographic Services affects Windows 10, Windows 11, and Windows Server versions from 2012 through 2025 due to insecure storage of cryptographic material. Authenticated attackers with low privileges can exploit this CWE-922 weakness (insecure storage of sensitive information) to gain high-level access to confidentiality, integrity, and availability. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis,

Information Disclosure Microsoft
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Code-Projects Online FIR System 1.0 stores sensitive database backup files insecurely, allowing unauthenticated remote attackers to access the /complaints.sql backup file and disclose confidential information. The CVSS 5.5 score reflects low confidentiality impact but network-accessible exposure; publicly available exploit code exists, elevating practical risk despite the moderate score.

Information Disclosure Online Fir System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Code-Projects Online Application System for Admission 1.0 stores sensitive information insecurely in the /enrollment/database/oas.sql file, allowing remote unauthenticated attackers to disclose confidential data. The vulnerability has publicly available exploit code and is rated CVSS 5.3 with an EPSS percentile indicating moderate exploitation probability. Attackers can access the database backup file remotely without authentication or user interaction, leading to information disclosure.

Information Disclosure Online Application System For Admission
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

The ReviewX - WooCommerce Product Reviews plugin for WordPress contains a Sensitive Information Exposure vulnerability in the syncedData function that allows unauthenticated attackers to extract sensitive user data including names, emails, phone numbers, and addresses from affected sites. All versions up to and including 2.2.12 are vulnerable, affecting any WordPress installation running this popular review plugin. The vulnerability has a CVSS score of 5.3 (Medium) with low attack complexity and no authentication required, making it relatively straightforward to exploit.

WordPress Information Disclosure Google
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper temporary file handling in macOS allows local applications to read sensitive user data without user interaction. An attacker with local access and app execution privileges can bypass privacy controls to access confidential information. This vulnerability affects macOS Tahoe 26.3 and earlier, with no patch currently available.

Apple macOS
NVD
EPSS 0%
Monitor

A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024.

Information Disclosure
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy