CWE-200

Exploit likelihood: High

Exposure of Sensitive Information to an Unauthorized Actor

Parent: CWE-668 - Exposure of Resource to Wrong Sphere

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
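The definition above in code, as an added example that is not part of this page or of any project listed below: the two commonest shapes of CWE-200 in web APIs (serialising a whole stored record for any caller, and echoing exception text to the client) beside their hardened forms. The user record, the field names, the allowlists and the database error string are all constructed for the illustration; the hardening pattern is an explicit allowlist projection chosen by the caller's relationship to the target, plus a correlation id in place of error detail.

```python
import logging
import uuid

log = logging.getLogger("api")

# Constructed sample record (no real credentials): a user row as stored server-side.
USERS = {
    "alice": {
        "username": "alice",
        "display_name": "Alice",
        "email": "alice@example.com",
        "password_hash": "$2b$12$constructedexamplehashvalue000000000000000000000",
        "api_key": "sk_live_constructed_example_key",
        "mfa_secret": "JBSWY3DPEHPK3PXP",
    }
}

# Explicit allowlists: what any caller may see, and what the account owner may
# additionally see. Secrets are on neither list, so they cannot reach a response
# no matter who asks; a denylist applied after the fact would break the first
# time a new secret column is added to the record.
PUBLIC_FIELDS = frozenset({"username", "display_name"})
OWNER_FIELDS = PUBLIC_FIELDS | {"email"}
SECRET_FIELDS = frozenset({"password_hash", "api_key", "mfa_secret"})


def profile_vulnerable(requester: str, username: str) -> tuple[int, dict]:
    """CWE-200 shape 1: the stored record is serialised as-is for any caller."""
    record = USERS.get(username)
    if record is None:
        return 404, {"error": f"user {username!r} not found"}
    return 200, dict(record)


def profile_hardened(requester: str, username: str) -> tuple[int, dict]:
    """Project the record through an allowlist selected by the caller's relation
    to the target account (owner vs anyone else)."""
    record = USERS.get(username)
    if record is None:
        return 404, {"error": "not found"}
    allowed = OWNER_FIELDS if requester == username else PUBLIC_FIELDS
    return 200, {k: record[k] for k in allowed}


def error_vulnerable(exc: Exception) -> tuple[int, dict]:
    """CWE-200 shape 2: a catch-all handler echoes the exception to the client.
    Exception text routinely carries connection strings, file paths or tokens."""
    return 500, {"error": f"{type(exc).__name__}: {exc}"}


def error_hardened(exc: Exception) -> tuple[int, dict]:
    """Keep the detail server-side under a correlation id; return only the id."""
    ref = uuid.uuid4().hex
    log.error("request failed ref=%s", ref, exc_info=exc)
    return 500, {"error": "internal error", "ref": ref}


def leaks_secret(body: dict) -> bool:
    """Response check: does a secret field name or secret value appear anywhere
    in the serialised body? Useful as a test oracle for new endpoints."""
    text = repr(body)
    return any(k in body for k in SECRET_FIELDS) or any(
        USERS["alice"][k] in text for k in SECRET_FIELDS
    )


if __name__ == "__main__":
    print("vulnerable profile leaks:", leaks_secret(profile_vulnerable("bob", "alice")[1]))
    print("hardened profile leaks:  ", leaks_secret(profile_hardened("bob", "alice")[1]))
    # Constructed failure whose message carries a database password.
    err = ConnectionError("postgres://app:s3cretpw@db.internal:5432/app refused")
    print("vulnerable error body:", error_vulnerable(err)[1])
    print("hardened error body:  ", error_hardened(err)[1])
```

The `leaks_secret` oracle is the practical takeaway: run every serialiser and error handler through a check like it in tests, with known secret values planted in the fixture data, so a field added to the store later cannot silently start appearing in responses.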

9,867 vulnerabilities with CWE-200
CVE-2026-34215 MEDIUM
Parse Server: Auth data exposed via verify password endpoint
CVSS 6.5
CVE-2026-33300 MEDIUM
Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint
CVSS 6.5
CVE-2026-33073 MEDIUM
discourse-subscriptions plugin leaking stripe API key in multisite environment
CVSS 5.3
CVE-2026-32951 MEDIUM
Discourse: Authorization bypass in oneboxer via user-controlled category id
CVSS 4.3
CVE-2026-32620 MEDIUM
Discourse: Missing post-level authorization allows whisper metadata disclosure
CVSS 4.3
CVE-2026-32618 MEDIUM
Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id
CVSS 4.3
CVE-2026-32143 MEDIUM
Discourse: Admin-only report can be exported by moderators
CVSS 6.5
CVE-2026-4020 HIGH
Gravity SMTP <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API
CVSS 7.5
CVE-2026-29872 HIGH
awesome-llm-apps e46690f - Info Disclosure
CVSS 8.2
CVE-2026-34472 HIGH
ZTE ZXHN H188A V6.0.10P2_TE/V6.0.10P3N3_TE - Info Disclosure
CVSS 7.1
CVE-2026-5128 CRITICAL
ArthurFiorette steam-trader 2.1.1 - Info Disclosure
CVSS 10.0
CVE-2026-5003 MEDIUM
PromtEngineer localGPT Web api_server.py handle_index information disclosure
CVSS 5.3
CVE-2026-4994 LOW
wandb OpenUI APIStatusError server.py generic_exception_handler information exposure
CVSS 3.5
CVE-2026-1307 MEDIUM
Ninja Forms <= 3.14.1 - Authenticated (Contributor+) Sensitive Information Disclosure via Block Editor Token
CVSS 6.5
CVE-2026-33981 MEDIUM
Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters
CVSS 6.5
CVE-2026-33886 MEDIUM
Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields
CVSS 6.5
CVE-2026-33882 MEDIUM
Statamic's Markdown preview endpoint exposes sensitive user data
CVSS 6.5
CVE-2026-31951 MEDIUM
LibreChat's MCP Server Header Injection Enables OAuth Token Theft
CVSS 6.8
CVE-2026-4957 LOW
OpenBMB XAgent API Key function_handler.py FunctionHandler.handle_tool_call log file
CVSS 2.7
CVE-2026-33761 MEDIUM
AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
CVSS 5.3
CVE-2026-33745 HIGH
cpp-httplib Client Leaks Authentication Credentials to Untrusted Hosts on Cross-Origin HTTP Redirect
CVSS 7.4
CVE-2026-1556 MEDIUM
Information disclosure via file URI overwrite in File (Field) Paths
CVSS 6.5
CVE-2026-4823 LOW
Enter Software Iperius Backup NTLM2 information disclosure
CVSS 2.5
CVE-2026-28878 MEDIUM
Apple iOS and iPadOS < 18.7.7 - Denial of Service
CVSS 6.5
CVE-2026-28877 MEDIUM
Apple iOS and iPadOS < 26.4 - Denial of Service
CVSS 5.5