CVEs classified under CWE-201, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2025-49408 — CVSS 10.0 (critical): Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This…
CVE-2024-7205: When the device is shared, the homepage module are before 2.19.0 in eWeLink Cloud Service allows Secondary user to take over devices as…
CVE-2026-39912 — CVSS 9.1 (critical): V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint…
CVE-2025-48749 — CVSS 9.1 (critical): Netwrix Directory Manager (formerly Imanami GroupID) v11.0.0.0 and before & after v.11.1.25134.03 inserts Sensitive Information into Sent…
CVE-2025-11500: Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication mechanisms - one solely for…
CVE-2025-48045: An unauthenticated HTTP GET request to the /client.php endpoint will disclose the default administrator user credentials.
CVE-2026-5483 — CVSS 8.5 (high): A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI…
CVE-2023-3399 — CVSS 8.5 (high): An issue has been discovered in GitLab EE affecting all versions starting from 11.6 before 16.3.6, all versions starting from 16.4 before…
CVE-2026-54848 — CVSS 8.3 (high): Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal APIExperts Square for WooCommerce allows Retrieve Embedded…
CVE-2026-46481 — CVSS 8.3 (high): OpenMetadata is a unified metadata platform. Prior to version 1.12.4, a non-admin SSO user can trigger a TEST_CONNECTION workflow for a…
CVE-2025-58098 — CVSS 8.3 (high): Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query…
CVE-2025-24858: Develocity (formerly Gradle Enterprise) before 2024.3.1 allows an attacker who has network access to a Develocity server to obtain the…
CVE-2025-66566: yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in…
CVE-2025-3529 — CVSS 8.2 (high): The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and…
CVE-2024-3502 — CVSS 8.1 (high): In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of…
CVE-2024-8890 — CVSS 8.0 (high): An attacker with access to the network where the CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could obtain legitimate…
CVE-2026-4035 — CVSS 7.7 (high): A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which…
CVE-2026-42379 — CVSS 7.7 (high): Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This…
CVE-2026-40161 — CVSS 7.7 (high): Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions…
CVE-2025-66035: Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior…
CVE-2025-9958 — CVSS 7.7 (high): An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1…
CVE-2025-43768 — CVSS 7.7 (high): Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through…
CVE-2024-23506 — CVSS 7.7 (high): Insertion of Sensitive Information Into Sent Data vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP…
CVE-2024-7872 — CVSS 7.6 (high): Insertion of Sensitive Information Into Sent Data vulnerability in ExtremePACS Extreme XDS allows Retrieve Embedded Sensitive Data. This…
CVE-2023-28117 — CVSS 7.6 (high): Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior…
CVE-2026-49064 — CVSS 7.5 (high): Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue…
CVE-2026-44487 — CVSS 7.5 (high): Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a…
CVE-2026-42673 — CVSS 7.5 (high): Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite…
CVE-2026-4525 — CVSS 7.5 (high): If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to…
CVE-2026-34226 — CVSS 7.5 (high): Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies…
CVE-2026-32538 — CVSS 7.5 (high): Insertion of Sensitive Information Into Sent Data vulnerability in Noor Alam SMTP Mailer smtp-mailer allows Retrieve Embedded Sensitive…
CVE-2026-32829 — CVSS 7.5 (high): lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid…
CVE-2026-27934 — CVSS 7.5 (high): Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility…
CVE-2026-27406 — CVSS 7.5 (high): Insertion of Sensitive Information Into Sent Data vulnerability in Joe Dolson My Tickets my-tickets allows Retrieve Embedded Sensitive…
CVE-2026-27370 — CVSS 7.5 (high): Insertion of Sensitive Information Into Sent Data vulnerability in Premio Chaty chaty allows Retrieve Embedded Sensitive Data.This issue…
CVE-2026-27516 — CVSS 7.5 (high): Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior expose user passwords in plaintext within the…
CVE-2020-37150 — CVSS 7.5 (high): Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the…
CVE-2020-37093 — CVSS 7.5 (high): Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords…
CVE-2026-24477 — CVSS 7.5 (high): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM…
CVE-2026-24430 — CVSS 7.5 (high): Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within…
CVE-2025-68035 — CVSS 7.5 (high): Insertion of Sensitive Information Into Sent Data vulnerability in tabbyai Tabby Checkout tabby-checkout allows Retrieve Embedded Sensitive…