CWE-200

Exploit likelihood: High

Exposure of Sensitive Information to an Unauthorized Actor

Parent: CWE-668 - Exposure of Resource to Wrong Sphere

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

9,867 vulnerabilities with CWE-200
CVE-2026-34242 HIGH
Weblate: Arbitrary File Read via Symlink
CVSS 7.7
CVE-2026-33220 MEDIUM
Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
CVSS 6.8
CVE-2026-32631 HIGH
Git for Windows: `git clone` from manipulated repositories can leak NTLM hashes to arbitrary servers
CVSS 7.4
CVE-2026-25219 MEDIUM
Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access
CVSS 6.5
CVE-2026-25125 MEDIUM
October CMS: Environment Variable Exfiltration via INI Parser Interpolation
CVSS 4.9
CVE-2026-33829 MEDIUM
Windows Snipping Tool Spoofing Vulnerability
CVSS 4.3
CVE-2026-32151 MEDIUM
Windows Shell Information Disclosure Vulnerability
CVSS 6.5
CVE-2026-32085 MEDIUM
Remote Procedure Call Information Disclosure Vulnerability
CVSS 5.5
CVE-2026-32084 MEDIUM
Windows Print Spooler Information Disclosure Vulnerability
CVSS 5.5
CVE-2026-32081 MEDIUM
Package Catalog Information Disclosure Vulnerability
CVSS 5.5
CVE-2026-32079 MEDIUM
Web Account Manager Information Disclosure Vulnerability
CVSS 5.5
CVE-2026-34984 MEDIUM
External Secrets Operator has DNS exfiltration via getHostByName in its v2 template engine
CVSS 6.5
CVE-2026-32270 LOW
Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments
CVE-2026-6160 MEDIUM
code-projects Simple ChatBox Endpoint chatbox.sql SimpleChatbox_PHP file information disclosure
CVSS 5.3
CVE-2026-3691 MEDIUM
OpenClaw Client PKCE Verifier Information Disclosure Vulnerability
CVSS 5.3
CVE-2026-40159 MEDIUM
PraisonAI Exposes Sensitive Environment Variable via Untrusted MCP Subprocess Execution
CVSS 5.5
CVE-2026-31262 MEDIUM
Altenar Sportsbook Software Platform 2.0 - XSS
CVSS 6.1
CVE-2026-6000 MEDIUM
code-projects Online Library Management System SQL Database Backup File library.sql information disclosure
CVSS 4.3
CVE-2026-40151 MEDIUM
PraisonAI Affected by Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS
CVSS 5.3
CVE-2026-39943 MEDIUM
Directus exposes sensitive fields in revision history
CVSS 6.5
CVE-2026-5960 MEDIUM
code-projects Patient Record Management System SQL Database Backup File hcpms.sql information disclosure
CVSS 4.3
CVE-2026-4660 HIGH
Go-getter may allow arbitrary filesystem reads through git operations
CVSS 7.5
CVE-2026-5847 MEDIUM
code-projects Movie Ticketing System SQL Database Backup File moviedb.sql information disclosure
CVSS 4.3
CVE-2026-39889 HIGH
PraisonAI has Unauthenticated SSE Event Stream Exposes All Agent Activity in A2U Server
CVSS 7.5
CVE-2026-39412 MEDIUM
LiquidJS has an ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel
CVSS 5.3