CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Exploit likelihood: High

Parent: CWE-668 - Exposure of Resource to Wrong Sphere

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

10,081 vulnerabilities with CWE-200. Entries listed on this page (CVSS shown where the page gives a score, "n/a" otherwise):

CVE             | Severity | CVSS | Title
CVE-2026-40379  | CRITICAL | 9.3  | Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability
CVE-2026-40374  | MEDIUM   | 6.5  | Microsoft Power Automate Desktop Information Disclosure Vulnerability
CVE-2026-43992  | CRITICAL | 9.8  | JunoClaw: MCP write tools exposed raw BIP-39 mnemonic as a tool-call parameter
CVE-2026-42498  | HIGH     | 7.3  | Apache Tomcat: WebSocket authentication header exposure
CVE-2026-45091  | CRITICAL | 9.1  | sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
CVE-2026-7626   | MEDIUM   | 5.3  | Slek Gateway for WooCommerce <= 1.0 - Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields
CVE-2026-43885  | HIGH     | n/a  | WWBN AVideo: Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
CVE-2026-42564  | HIGH     | 8.2  | jotty·page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact
CVE-2026-28976  | HIGH     | 7.5  | macOS < 26.5 - Unauthorized Root Privilege Escalation
CVE-2026-28962  | HIGH     | 7.5  | iOS/iPadOS < 18.7.9, macOS/visionOS/Safari < 26.5 - Sensitive Info Exposure via Malicious Web Content
CVE-2026-28958  | MEDIUM   | 5.5  | iOS and iPadOS < 26.5 - Unprotected User Data Exposure
CVE-2026-28922  | MEDIUM   | 6.5  | macOS - Information Disclosure
CVE-2026-28920  | MEDIUM   | 6.5  | iOS and iPadOS < 18.7.9 - Information Leakage via Malicious Website
CVE-2026-42873  | NONE     | n/a  | WeGIA: Error Handling Upload DocDependente
CVE-2026-42871  | MEDIUM   | n/a  | WeGIA: Error Handling familiar_docfamiliar
CVE-2026-5266   | LOW      | n/a  | Wikimedia Foundation Echo - Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-42865  | MEDIUM   | 4.3  | Inbox Zero: Cross-account cleaner email stream exposure
CVE-2026-34093  | MEDIUM   | 5.3  | Special:UserRights allows viewing user rights from private wiki
CVE-2026-44738  | HIGH     | 7.7  | Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
CVE-2026-34092  | HIGH     | 7.5  | Block UI elements in 'tools'-sidebar shows presence of an autoblocked IP
CVE-2026-34091  | HIGH     | 7.5  | Wikimedia Foundation MediaWiki - User Localization Leaked by AbuseFilter + EventStream
CVE-2026-34090  | HIGH     | 7.5  | Suggested investigations: Handle suppressed usernames
CVE-2026-34088  | HIGH     | 7.5  | RecentChanges entries expose suppressed content via generated log page html
CVE-2026-34087  | HIGH     | 7.5  | Users API leaks whether privileged users have their user groups disabled for lack of 2FA
CVE-2026-42333  | MEDIUM   | n/a  | quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations