CWE-200

Exploit likelihood: High

Exposure of Sensitive Information to an Unauthorized Actor

Parent: CWE-668 - Exposure of Resource to Wrong Sphere

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

10,081 vulnerabilities carry CWE-200. A selection is listed below, each with its severity rating, its CVSS score where one is shown, and its title.
CVE-2026-47136 MEDIUM: RustFS: Unauthenticated RustFS console license endpoint exposes license metadata
CVE-2026-45332 HIGH (CVSS 7.5): Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint
CVE-2026-7526 MEDIUM (CVSS 4.3): PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page
CVE-2026-42878 MEDIUM (CVSS 5.3): FacturaScripts: Unauthenticated phpinfo() Disclosure via Installer Endpoint in FacturaScripts
CVE-2026-46427 HIGH (CVSS 7.7): Budibase: Snowflake private key returned unmasked from datasource API to BASIC users
CVE-2026-44460 HIGH (CVSS 7.4): FileRise: TOTP Bypass via Setup Endpoint Disclosing Existing Secret
CVE-2026-8405 MEDIUM (CVSS 6.5): IBM Guardium Data Protection is affected by Exposure of Sensitive Information vulnerability
CVE-2026-36539 HIGH (CVSS 7.3): Netis AC1200 Router NC21 V4.0.1.4296 - Unauthenticated Information Disclosure via skk_get.cgi
CVE-2026-9583 MEDIUM (CVSS 4.3): SourceCodester CET Automated Grading System with AI Predictive Analytics SQL index.php information exposure
CVE-2026-24198 MEDIUM (CVSS 5.6): Nvidia GeForce - Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-9352 MEDIUM (CVSS 5.3): NousResearch hermes-agent Messaging Gateway local.py _make_run_env information disclosure
CVE-2026-9349 MEDIUM (CVSS 5.3): calcom cal.diy Generic React API bookings-single-view.getServerSideProps.tsx getServerSideProps information disclosure
CVE-2026-40166 HIGH: authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/
CVE-2026-3636 MEDIUM (CVSS 4.3): Mattermost - Sanitize Team Member Data Returned by API
CVE-2026-7636 MEDIUM (CVSS 4.3): Slider by Soliloquy <= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via REST API Endpoint
CVE-2026-44409 MEDIUM (CVSS 5.7): ZTE MU5250 - Unauthorized Information Disclosure
CVE-2026-6826 MEDIUM (CVSS 5.3): Concrete 9.5.0 and below has file usage disclosure via missing permission check in Usage controller
CVE-2026-9129 CRITICAL: Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read
CVE-2026-6728 MEDIUM (CVSS 5.3): Slider Revolution <= 7.0.9 - Unauthenticated Sensitive Information Exposure via 'sliders/stream'
CVE-2026-5075 MEDIUM (CVSS 4.3): All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data
CVE-2026-34970 MEDIUM: MantisBT Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked
CVE-2026-34744 MEDIUM: MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues
CVE-2026-34600 MEDIUM (CVSS 5.7): Joplin Server delta API returns note content after share access is revoked
CVE-2026-34579 MEDIUM: MantisBT <2.28.2 Private Issue Monitoring - Authorization Bypass
CVE-2026-32814 MEDIUM (CVSS 6.5): libheif: Uninitialized Heap Memory Information Leak via Failed Grid Tiles
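Several of the entries above share one root cause: an API handler serializes a stored record as-is (password hashes, TOTP secrets, a datasource private key, an OAuth client_secret) and relies on nothing more than the caller having reached the endpoint. The following Python is an added example, not code from any project listed on this page. It puts that pattern beside the two controls that prevent it: an allow-list serializer keyed on the requester's relationship to the record, and write-only handling of stored secrets. The record shapes, the role names, the field names and the secret values are all constructed for the demonstration.

```python
"""Allow-list serialization versus dumping the stored record (CWE-200).

Added example; the rows, roles and field names below are hypothetical.
"""
from typing import Any, Dict, Mapping, Set

# Constructed sample account row, shaped like what an ORM hands back.
USER_ROW: Dict[str, Any] = {
    "id": 42,
    "username": "alice",
    "email": "alice@example.com",
    "role": "admin",
    "password_hash": "$2b$12$constructedbcrypthashvalueforthedemonstrationonly",
    "totp_secret": "JBSWY3DPEHPK3PXP",
}

# Constructed sample datasource row holding a private key.
DATASOURCE_ROW: Dict[str, Any] = {
    "id": 7,
    "name": "warehouse",
    "type": "snowflake",
    "username": "svc_reports",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEv(constructed)\n-----END PRIVATE KEY-----",
}


def serialize_user_vulnerable(row: Mapping[str, Any]) -> Dict[str, Any]:
    """The CWE-200 pattern: return the record exactly as stored.

    Every column, including credential material, reaches any caller who can
    hit the endpoint, and any column added later is exposed automatically.
    """
    return dict(row)


# Fields any authenticated caller may see about another account.
PUBLIC_FIELDS = frozenset({"id", "username"})
# Fields a caller may see about their own account, or an admin about anyone.
PRIVATE_FIELDS = PUBLIC_FIELDS | {"email", "role"}
# Credential material that must never appear in a response, whoever asks.
NEVER_RETURN = frozenset({"password_hash", "totp_secret"})


def serialize_user(row: Mapping[str, Any], requester: Mapping[str, Any]) -> Dict[str, Any]:
    """Allow-list serializer: only named fields are copied out.

    `requester` is the authenticated principal ({"id": ..., "role": ...}).
    Widening the table cannot widen the response, because nothing is returned
    unless it is named here.
    """
    is_self = requester.get("id") == row.get("id")
    is_admin = requester.get("role") == "admin"
    allowed = PRIVATE_FIELDS if (is_self or is_admin) else PUBLIC_FIELDS
    # Guard against a future edit that adds a credential to an allow-list.
    assert not (allowed & NEVER_RETURN), "allow-list must not include credentials"
    return {key: row[key] for key in allowed if key in row}


# Keys whose values are write-only: callers may set them, never read them back.
SECRET_KEYS = frozenset({"private_key", "password", "api_key", "token", "client_secret"})


def redact_secrets(row: Mapping[str, Any]) -> Dict[str, Any]:
    """Return metadata, but replace every secret with a presence marker.

    This applies to admins too: an admin who needs to rotate a key uploads a
    new one, they never need to read the old one back through the API.
    """
    redacted: Dict[str, Any] = {}
    for key, value in row.items():
        if key in SECRET_KEYS:
            redacted[key] = "<redacted>" if value else None
        else:
            redacted[key] = value
    return redacted


def leaked_secrets(response: Mapping[str, Any]) -> Set[str]:
    """Review helper: which credential fields a candidate response would expose."""
    return {key for key in response if key in (NEVER_RETURN | SECRET_KEYS)}


if __name__ == "__main__":
    basic_user = {"id": 99, "role": "basic"}
    print("vulnerable leaks:", sorted(leaked_secrets(serialize_user_vulnerable(USER_ROW))))
    print("basic user sees: ", serialize_user(USER_ROW, basic_user))
    print("self sees:       ", serialize_user(USER_ROW, {"id": 42, "role": "basic"}))
    print("datasource view: ", redact_secrets(DATASOURCE_ROW))
```

`leaked_secrets` is the check worth running in a unit test over every serializer in a codebase: build the response for the least-privileged caller who can reach the endpoint and assert the result is empty. Note that the allow-list, not a deny-list, is the control; a deny-list such as `NEVER_RETURN` is kept here only as a second guard on the allow-list itself.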