Information Disclosure
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.
How It Works
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.
Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.
The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
Impact
- Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
- Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
- Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
- Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
- Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures
Real-World Examples
A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.
Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.
Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.
Mitigation
- Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
- Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
- Access control audits: Restrict or remove development artifacts (
.git, backup files,phpinfo()) and internal endpoints before deployment - Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
- Security headers: Deploy
X-Content-Type-Options, remove server version banners, and disable directory indexing - Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
Recent CVEs (12996)
Insertion of Sensitive Information Into Sent Data vulnerability in Liquid Web GiveWP allows Retrieve Embedded Sensitive Data.6.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'validate_restrictions' function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SAP Fiori (Launchpad) is vulnerable to Reverse Tabnabbing vulnerability due to inadequate external navigation protections for its link (<a>) elements. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive. Rated medium severity (CVSS 4.1). No vendor patch available.
Vim is an open source, command line text editor. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
OpenKilda is an open-source OpenFlow controller. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns What we want is to verify there is that clone. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs. Rated medium severity (CVSS 6.8). No vendor patch available.
A vulnerability was identified in WuKongOpenSource WukongCRM 11.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
YugabyteDB has been collecting diagnostics information from YugabyteDB servers, which may include sensitive gflag configurations. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability was determined in jshERP up to 3.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in jshERP up to 3.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
in OpenHarmony v5.0.3 and prior versions allow a local attacker case DOS through missing release of memory. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
in OpenHarmony v5.0.3 and prior versions allow a local attacker cause DOS through type confusion. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
in OpenHarmony v5.0.3 and prior versions allow a local attacker case DOS through improper input. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
in OpenHarmony v5.0.3 and prior versions allow a local attacker case DOS through missing release of memory. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
in OpenHarmony v5.0.3 and prior versions allow a local attacker case DOS through missing release of memory. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability was found in xujeff tianti 天梯 up to 2.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was found in LitmusChaos Litmus up to 3.19.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability, which was classified as critical, was found in LitmusChaos Litmus up to 3.19.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability classified as problematic was found in LitmusChaos Litmus up to 3.19.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability classified as problematic has been found in LitmusChaos Litmus up to 3.19.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in LitmusChaos Litmus up to 3.19.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. Rated low severity (CVSS 3.0), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability was found in Portabilis i-Educar up to 2.9.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability has been found in riscv-boom SonicBOOM up to 2.2.3 and classified as problematic. Rated low severity (CVSS 2.0). No vendor patch available.
A vulnerability was found in Ruijie EG306MG 3.0(1)B11P309. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability was found in TRENDnet TN-200 1.02b02. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability was found in TRENDnet TEW-822DRE FW103B02. Rated high severity (CVSS 7.3). No vendor patch available.
A vulnerability was found in TRENDnet TV-IP110WN 1.2.2 and classified as problematic. Rated high severity (CVSS 7.3). No vendor patch available.
A vulnerability has been found in TDuckCloud tduck-platform up to 5.1 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test This fixes the tx timeout issue seen while running a. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD's DiLink 3.0 OS (e.g. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
A vulnerability, which was classified as problematic, has been found in Weee RICEPO App 6.17.77 on Android.xml of the component com.ricepo.app. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. Rated medium severity (CVSS 4.2), this vulnerability is no authentication required. No vendor patch available.
The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
Frappe Learning is a learning system that helps users structure their content. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Kernel software installed and running inside an untrusted/rich execution environment (REE) could leak information from the trusted execution environment (TEE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in macrozheng mall 1.0.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A vulnerability was found in macrozheng mall up to 1.0.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
7-Zip before 25.01 does not always properly handle symbolic links during extraction. Rated low severity (CVSS 3.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability has been found in zlt2000 microservices-platform up to 6.0.0 and classified as problematic. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
A vulnerability was found in libxml2 up to 2.14.5. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.
A TLS vulnerability exists in the phone application used to manage a connected device. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The affected product allows firmware updates to be downloaded from EG4's website, transferred via USB dongles, or installed through EG4's Monitoring Center (remote, cloud-connected interface) or via. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The public-facing product registration endpoint server responds differently depending on whether the S/N is valid and unregistered, valid but already registered, or does not exist in the database. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was identified in TRENDnet TI-G160i, TI-PG102i and TPL-430AP up to 20250724. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. Rated high severity (CVSS 7.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
EnzoH has an OS command injection vulnerability. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.
EnzoH has an OS command injection vulnerability. Rated medium severity (CVSS 4.5). No vendor patch available.
EnzoH has an OS command injection vulnerability. Rated medium severity (CVSS 5.0). No vendor patch available.
A vulnerability was found in Huuge Box App 1.0.3 on Android. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
uv is a Python package and project manager written in Rust. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
An out-of-bounds access vulnerability in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Microsoft 365 Copilot BizChat Information Disclosure Vulnerability. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Microsoft 365 Copilot BizChat Information Disclosure Vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.
A heap buffer over-read vulnerability exists in GStreamer's isomp4 plugin that allows reading past allocated memory boundaries when parsing specially crafted MP4 files. This affects GStreamer through version 1.26.1 and can lead to information disclosure of heap memory contents. A public proof-of-concept exploit is available, though the EPSS score of 0.09% suggests relatively low exploitation likelihood in the wild.
A heap buffer over-read vulnerability exists in GStreamer's isomp4 plugin (qtdemux_parse_tree function) when parsing MP4 files, affecting versions through 1.26.1. The vulnerability allows local attackers with user-level privileges who can trick a user into opening a malicious MP4 file to disclose sensitive heap memory contents and potentially cause application crashes. Publicly available proof-of-concept code exists, and while the EPSS score of 0.02% indicates low exploitation probability overall, the presence of public exploits and the information disclosure capability warrant prompt patching.
LinkJoin through 882f196 mishandles token ownership in password reset. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
LinkJoin through 882f196 mishandles lacks type checking in password reset. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 has Insufficiently Protected Credentials for requests to remote Excel resources. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cancelling a query (e.g. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required.
An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull. Rated medium severity (CVSS 6.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
On multiple products of SEIKO EPSON and FUJIFILM Corporation, the initial administrator password is easy to guess from the information available via SNMP. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Inappropriate implementation in Permissions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to perform UI spoofing via a crafted HTML page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Insufficient validation of untrusted input in Core in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Thinbus Javascript Secure Remote Password is a browser SRP6a implementation for zero-knowledge password authentication. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.