Skip to main content

CWE-209

Error Message Information Leak

441 CVEs Avg CVSS 5.5 MITRE
24
CRITICAL
56
HIGH
307
MEDIUM
53
LOW
65
POC
2
KEV

Monthly

CVE-2026-56139 MEDIUM PATCH This Month

Information disclosure in Apache Camel's camel-undertow HTTP server consumer (versions 4.0.0 through 4.21.0) exposes complete Java stack traces to unauthenticated HTTP clients whenever a route processing exception occurs, due to a misconfigured default and a code-level bypass. Unlike every other Camel HTTP server component (camel-http, camel-jetty, camel-servlet, camel-platform-http), all of which default muteException to true, camel-undertow defaulted this option to false - and for Rest DSL consumers the option was silently ignored entirely due to a hard-coded false in RestUndertowHttpBinding, meaning muteException=true gave false confidence without actual protection. No public exploit has been identified at time of analysis; however exploitation requires only the ability to send a malformed HTTP request to a reachable endpoint, making this trivially accessible to any network-level attacker.

Apache Java Information Disclosure Camel
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-49365 MEDIUM PATCH This Month

Stack trace disclosure in Apache Camel's camel-netty-http component (versions 4.0.0-4.21.0 across three release streams) exposes full Java Throwable stack traces to unauthenticated HTTP clients whenever a route processing error occurs under the default configuration. The root cause is an insecure default: the muteException option backed by an uninitialized Java primitive boolean defaulted to false in camel-netty-http while all other Camel HTTP server components (camel-http, camel-jetty, camel-servlet, camel-platform-http) correctly default it to true. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low-effort triggering condition - any malformed request that causes a route exception - makes opportunistic enumeration straightforward against exposed endpoints.

Apache Java Information Disclosure Camel
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56331 MEDIUM PATCH This Month

Improper error handling in Capgo's /private/accept_invitation endpoint before version 12.128.2 allows unauthenticated network attackers to trigger HTTP 500 Internal Server Error responses by submitting malformed magic_invite_string values, leaking internal processing details in violation of CWE-209. Exploitation requires no privileges or user interaction - only the publicly accessible endpoint and knowledge of its path - making any internet-exposed Capgo instance susceptible to targeted reconnaissance. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the risk is constrained to information disclosure that could support a broader attack chain.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-36328 MEDIUM PATCH This Month

IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 leak sensitive technical information to the browser via verbose error messages, giving authenticated remote attackers a reconnaissance foothold for follow-on attacks. The flaw is rooted in CWE-209 (overly informative error generation), which can expose stack traces, internal paths, backend technology details, or configuration fragments depending on what error condition is triggered. No public exploit code has been identified and no active exploitation is confirmed; the mandatory authentication barrier (PR:L) and information-only impact limit immediate blast radius, but the data gathered can materially assist more sophisticated attacks against the same system.

IBM Information Disclosure Watsonx Data Intelligence
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2026-47775 MEDIUM PATCH This Month

The OAuth2 HTTP filter in Envoy Proxy prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 implements AES-256-CBC encryption for the PKCE CodeVerifier cookie without any authentication tag, creating a classic padding oracle through differential HTTP responses on the /callback endpoint. An attacker who obtains the victim's encrypted CodeVerifier cookie and a stolen authorization code can recover the plaintext PKCE code_verifier in approximately 6,200 crafted requests (~100 seconds), then complete the OAuth token exchange to hijack the victim's access token. No public exploit code or CISA KEV listing has been identified at time of analysis; vendor-confirmed patches are available in all four current release branches.

Oracle Microsoft Information Disclosure Envoy
NVD GitHub
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-49979 MEDIUM This Month

Server-side request forgery and internal network enumeration in Appsmith (prior to 1.99) is enabled by the POST /api/v1/admin/send-test-email endpoint accepting attacker-controlled smtpHost and smtpPort values, which JavaMail uses to establish raw TCP connections without IP address validation - completely bypassing the application's existing WebClientUtils.IP_CHECK_FILTER. Verbatim MailException error messages are returned in API responses, enabling authenticated administrators (or attackers who have compromised admin credentials) to probe internal network topology, enumerate open ports, and harvest service banners. No public exploit identified at time of analysis; the vulnerability is fixed in version 1.99.

Java Information Disclosure Appsmith
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-55375 PHP MEDIUM PATCH GHSA This Month

OAuth2 credential exposure in the jleehr/canto-saas-api PHP Composer library (versions ≤ 2.0.0) allows any party with read access to web server logs, proxy logs, APM traces, or error tracking platforms to harvest Canto app_secret, refresh_token, and authorization code values in plaintext. The library violates RFC 6749 §2.3.1 by transmitting these credentials as URL query parameters on POST requests to the Canto OAuth token endpoint, rather than in the form-encoded POST body - causing them to be recorded by default in virtually every HTTP logging layer. A second exposure path exists through failed token requests: Guzzle exception messages containing the full credential-laden URI were propagated unmodified into AuthorizationFailedException, meaning error trackers such as Sentry may also have captured these secrets. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
CVE-2025-59872 CRITICAL Act Now

Unrestricted file upload in HCL ZIE for Web (Z and I Emulator) version 16.0 allows remote attackers to upload a web shell that can yield arbitrary command execution on the server, but only when the server is configured to execute uploaded code and the file lands inside the Webroot. The CVSS 3.1 base score is 9.8, yet CISA's SSVC framework rates exploitation as 'none' and not automatable with only partial technical impact, and EPSS sits at just 0.34% (26th percentile). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

File Upload Information Disclosure RCE Zie
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-48039 PyPI CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API access token from pipeboard-co/meta-ads-mcp through version 1.0.108 when the server is run with the streamable-HTTP transport on a network-reachable port. The AuthInjectionMiddleware silently forwards requests lacking an Authorization or X-PIPEBOARD-API-TOKEN header, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and Graph API error responses echo the request URL - including the token query parameter - back to the caller. A working proof-of-concept is published in GHSA-9gw6-46qc-99vr; no public exploit identified at time of analysis as a separate weaponized tool, but the PoC is sufficient to reproduce end-to-end.

Python Authentication Bypass Information Disclosure Docker
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-40997 MEDIUM PATCH This Month

Information disclosure in Spring Web Services (Spring-WS) exposes account lifecycle state - such as locked, disabled, or expired status - to remote unauthenticated SOAP clients through verbose exception messages or callback outcomes during authentication processing. Affected are four actively maintained branches (3.1.x through 5.0.x) when the SOAP layer is integrated with Spring Security; the root cause is CWE-209, where error handling fails to normalize Spring Security's typed account-state exceptions into generic authentication failures. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the CVSS 5.3 (Medium) rating reflects genuine reconnaissance utility for account enumeration against exposed SOAP endpoints.

Java Information Disclosure Spring Web Services
NVD HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Information disclosure in Apache Camel's camel-undertow HTTP server consumer (versions 4.0.0 through 4.21.0) exposes complete Java stack traces to unauthenticated HTTP clients whenever a route processing exception occurs, due to a misconfigured default and a code-level bypass. Unlike every other Camel HTTP server component (camel-http, camel-jetty, camel-servlet, camel-platform-http), all of which default muteException to true, camel-undertow defaulted this option to false - and for Rest DSL consumers the option was silently ignored entirely due to a hard-coded false in RestUndertowHttpBinding, meaning muteException=true gave false confidence without actual protection. No public exploit has been identified at time of analysis; however exploitation requires only the ability to send a malformed HTTP request to a reachable endpoint, making this trivially accessible to any network-level attacker.

Apache Java Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stack trace disclosure in Apache Camel's camel-netty-http component (versions 4.0.0-4.21.0 across three release streams) exposes full Java Throwable stack traces to unauthenticated HTTP clients whenever a route processing error occurs under the default configuration. The root cause is an insecure default: the muteException option backed by an uninitialized Java primitive boolean defaulted to false in camel-netty-http while all other Camel HTTP server components (camel-http, camel-jetty, camel-servlet, camel-platform-http) correctly default it to true. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low-effort triggering condition - any malformed request that causes a route exception - makes opportunistic enumeration straightforward against exposed endpoints.

Apache Java Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Improper error handling in Capgo's /private/accept_invitation endpoint before version 12.128.2 allows unauthenticated network attackers to trigger HTTP 500 Internal Server Error responses by submitting malformed magic_invite_string values, leaking internal processing details in violation of CWE-209. Exploitation requires no privileges or user interaction - only the publicly accessible endpoint and knowledge of its path - making any internet-exposed Capgo instance susceptible to targeted reconnaissance. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the risk is constrained to information disclosure that could support a broader attack chain.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 leak sensitive technical information to the browser via verbose error messages, giving authenticated remote attackers a reconnaissance foothold for follow-on attacks. The flaw is rooted in CWE-209 (overly informative error generation), which can expose stack traces, internal paths, backend technology details, or configuration fragments depending on what error condition is triggered. No public exploit code has been identified and no active exploitation is confirmed; the mandatory authentication barrier (PR:L) and information-only impact limit immediate blast radius, but the data gathered can materially assist more sophisticated attacks against the same system.

IBM Information Disclosure Watsonx Data Intelligence
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

The OAuth2 HTTP filter in Envoy Proxy prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 implements AES-256-CBC encryption for the PKCE CodeVerifier cookie without any authentication tag, creating a classic padding oracle through differential HTTP responses on the /callback endpoint. An attacker who obtains the victim's encrypted CodeVerifier cookie and a stolen authorization code can recover the plaintext PKCE code_verifier in approximately 6,200 crafted requests (~100 seconds), then complete the OAuth token exchange to hijack the victim's access token. No public exploit code or CISA KEV listing has been identified at time of analysis; vendor-confirmed patches are available in all four current release branches.

Oracle Microsoft Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Server-side request forgery and internal network enumeration in Appsmith (prior to 1.99) is enabled by the POST /api/v1/admin/send-test-email endpoint accepting attacker-controlled smtpHost and smtpPort values, which JavaMail uses to establish raw TCP connections without IP address validation - completely bypassing the application's existing WebClientUtils.IP_CHECK_FILTER. Verbatim MailException error messages are returned in API responses, enabling authenticated administrators (or attackers who have compromised admin credentials) to probe internal network topology, enumerate open ports, and harvest service banners. No public exploit identified at time of analysis; the vulnerability is fixed in version 1.99.

Java Information Disclosure Appsmith
NVD GitHub VulDB
CVSS 5.3
MEDIUM PATCH This Month

OAuth2 credential exposure in the jleehr/canto-saas-api PHP Composer library (versions ≤ 2.0.0) allows any party with read access to web server logs, proxy logs, APM traces, or error tracking platforms to harvest Canto app_secret, refresh_token, and authorization code values in plaintext. The library violates RFC 6749 §2.3.1 by transmitting these credentials as URL query parameters on POST requests to the Canto OAuth token endpoint, rather than in the form-encoded POST body - causing them to be recorded by default in virtually every HTTP logging layer. A second exposure path exists through failed token requests: Guzzle exception messages containing the full credential-laden URI were propagated unmodified into AuthorizationFailedException, meaning error trackers such as Sentry may also have captured these secrets. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unrestricted file upload in HCL ZIE for Web (Z and I Emulator) version 16.0 allows remote attackers to upload a web shell that can yield arbitrary command execution on the server, but only when the server is configured to execute uploaded code and the file lands inside the Webroot. The CVSS 3.1 base score is 9.8, yet CISA's SSVC framework rates exploitation as 'none' and not automatable with only partial technical impact, and EPSS sits at just 0.34% (26th percentile). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

File Upload Information Disclosure RCE +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API access token from pipeboard-co/meta-ads-mcp through version 1.0.108 when the server is run with the streamable-HTTP transport on a network-reachable port. The AuthInjectionMiddleware silently forwards requests lacking an Authorization or X-PIPEBOARD-API-TOKEN header, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and Graph API error responses echo the request URL - including the token query parameter - back to the caller. A working proof-of-concept is published in GHSA-9gw6-46qc-99vr; no public exploit identified at time of analysis as a separate weaponized tool, but the PoC is sufficient to reproduce end-to-end.

Python Authentication Bypass Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Information disclosure in Spring Web Services (Spring-WS) exposes account lifecycle state - such as locked, disabled, or expired status - to remote unauthenticated SOAP clients through verbose exception messages or callback outcomes during authentication processing. Affected are four actively maintained branches (3.1.x through 5.0.x) when the SOAP layer is integrated with Spring Security; the root cause is CWE-209, where error handling fails to normalize Spring Security's typed account-state exceptions into generic authentication failures. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the CVSS 5.3 (Medium) rating reflects genuine reconnaissance utility for account enumeration against exposed SOAP endpoints.

Java Information Disclosure Spring Web Services
NVD HeroDevs

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy