CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Exploit likelihood: High

Parent: CWE-668 - Exposure of Resource to Wrong Sphere

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

10,081 vulnerabilities with CWE-200. Listed entries (severity, and CVSS score where one is given):

CVE-2026-8385 (MEDIUM, CVSS 5.3): WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback
CVE-2026-12203 (MEDIUM, CVSS 5.3): HKUDS AI-Trader Research Export agents.csv information disclosure
CVE-2026-49397 (MEDIUM, CVSS 5.3): Nezha Monitoring: Private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
CVE-2026-47124 (MEDIUM, CVSS 6.5): Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
CVE-2026-54396 (MEDIUM): MISP AuthKey edit endpoint allows authenticated user email enumeration
CVE-2026-47264 (MEDIUM, CVSS 5.3): Discourse: Don't leak restricted tag group names via tag info
CVE-2026-47263 (MEDIUM, CVSS 4.3): Discourse: Prevent webhook payload disclosure on event redelivery
CVE-2026-45085 (MEDIUM, CVSS 5.3): Discourse: Chat misauthorization and information disclosure
CVE-2026-44786 (HIGH, CVSS 7.5): Discourse: Public chat MessageBus broadcasts are not restricted to chat-eligible users
CVE-2026-44785 (MEDIUM, CVSS 4.3): Discourse: Hidden reply-to post raw can be disclosed through AI explain prompts
CVE-2026-44784 (MEDIUM, CVSS 6.5): Discourse: Non-staff group owners can see email password in plaintext through group history
CVE-2026-44782 (MEDIUM, CVSS 4.3): Discourse: GroupPostSerializer leaks hidden full names through reaction post association
CVE-2026-44780 (MEDIUM, CVSS 4.3): Discourse: Category queue reviewers can read raw incoming emails from queued posts
CVE-2026-44779 (MEDIUM, CVSS 4.3): Discourse: Bot debug endpoints disclose whisper translation audit logs
CVE-2026-53725 (MEDIUM): Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
CVE-2026-6046 (MEDIUM, CVSS 5.3): Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server
CVE-2026-3433 (MEDIUM, CVSS 4.3): Mattermost fails to scope role_updated websocket events to authorized team and channel members
CVE-2026-50009 (MEDIUM, CVSS 4.8): Netty QUIC stateless reset token material exposed through header-visible connection IDs
CVE-2026-44206 (MEDIUM): Frappe: DB Schema Enumeration via Frappe-Authorization-Source
CVE-2026-45536 (MEDIUM, CVSS 4.0): Netty: Unix-socket fd receive leaks descriptors when peer sends two at once
CVE-2026-47177 (MEDIUM): Quest Bot: Ticket transcripts can disclose private ticket contents to a lower-visibility channel
CVE-2026-47176 (MEDIUM): Quest Bot: Logging module can disclose private-channel message contents to a lower-visibility log channel
CVE-2026-44486 (HIGH, CVSS 7.5): Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
CVE-2026-53912 (MEDIUM): Cerebrate self-registration password hash exposure via inbox and audit log views
CVE-2026-49219 (MEDIUM, CVSS 5.5): ImageMagick: Policy Bypass can read disallowed files