CWE-209: Generation of Error Message Containing Sensitive Information — known CVE vulnerabilities
CVEs classified under CWE-209 (Generation of Error Message Containing Sensitive Information), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2025-62168 — CVSS 10.0 (critical): Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling…
CVE-2025-68110 — CVSS 9.9 (critical): ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message…
CVE-2024-28285 — CVSS 9.8 (critical): A Fault Injection vulnerability in the SymmetricDecrypt function in cryptopp/elgamal.h of Cryptopp Crypto++ 8.9, allows an attacker to…
CVE-2023-40767 — CVSS 9.8 (critical): User enumeration is found in in PHPJabbers Make an Offer Widget v1.0. This issue occurs during password recovery, where a difference in…
CVE-2023-40766 — CVSS 9.8 (critical): User enumeration is found in in PHPJabbers Ticket Support Script v3.2. This issue occurs during password recovery, where a difference in…
CVE-2023-40765 — CVSS 9.8 (critical): User enumeration is found in PHPJabbers Event Booking Calendar v4.0. This issue occurs during password recovery, where a difference in…
CVE-2023-40764 — CVSS 9.8 (critical): User enumeration is found in PHP Jabbers Car Rental Script v3.0. This issue occurs during password recovery, where a difference in messages…
CVE-2023-40763 — CVSS 9.8 (critical): User enumeration is found in PHPJabbers Taxi Booking Script v2.0. This issue occurs during password recovery, where a difference in…
CVE-2023-40762 — CVSS 9.8 (critical): User enumeration is found in PHPJabbers Fundraising Script v1.0. This issue occurs during password recovery, where a difference in messages…
CVE-2023-40761 — CVSS 9.8 (critical): User enumeration is found in PHPJabbers Yacht Listing Script v2.0. This issue occurs during password recovery, where a difference in…
CVE-2023-40760 — CVSS 9.8 (critical): User enumeration is found in PHP Jabbers Hotel Booking System v4.0. This issue occurs during password recovery, where a difference in…
CVE-2023-40759 — CVSS 9.8 (critical): User enumeration is found in PHP Jabbers Restaurant Booking Script v3.0. This issue occurs during password recovery, where a difference in…
CVE-2023-40758 — CVSS 9.8 (critical): User enumeration is found in PHPJabbers Document Creator v1.0. This issue occurs during password recovery, where a difference in messages…
CVE-2023-40757 — CVSS 9.8 (critical): User enumeration is found in PHPJabbers Food Delivery Script v3.1. This issue occurs during password recovery, where a difference in…
CVE-2021-42777 — CVSS 9.8 (critical): Stimulsoft (aka Stimulsoft Reports) 2013.1.1600.0, when Compilation Mode is used, allows an attacker to execute arbitrary C# code on any…
CVE-2019-7644 — CVSS 9.8 (critical): Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT…
CVE-2018-14925 — CVSS 9.8 (critical): Matera Banco 1.0.0 mishandles Java errors in the backend, as demonstrated by a stack trace revealing use of net.sf.acegisecurity components.
CVE-2018-11325 — CVSS 9.8 (critical): An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form…
CVE-2017-7551 — CVSS 9.8 (critical): 389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different…
CVE-2017-7945 — CVSS 9.8 (critical): The GlobalProtect external interface in Palo Alto Networks PAN-OS before 6.1.17, 7.x before 7.0.15, 7.1.x before 7.1.9, and 8.x before…
CVE-2022-31229 — CVSS 9.6 (critical): Dell PowerScale OneFS, 8.2.x through 9.3.0.x, contain an error message with sensitive information. An administrator could potentially…
CVE-2023-40171 — CVSS 9.1 (critical): Dispatch is an open source security incident management tool. The server response includes the JWT Secret Key used for signing JWT tokens…
CVE-2022-34882 — CVSS 9.0 (critical): Information Exposure Through an Error Message vulnerability in Hitachi RAID Manager Storage Replication Adapter allows remote authenticated…
CVE-2024-6984 — CVSS 8.8 (high): An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access…
CVE-2024-23689 — CVSS 8.8 (high): Exposure of sensitive information in exceptions in ClichHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and…
CVE-2023-29193 — CVSS 8.7 (high): SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions…
CVE-2024-54141 — CVSS 8.6 (high): phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the…
CVE-2018-17961 — CVSS 8.6 (high): Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup…
CVE-2025-22218 — CVSS 8.5 (high): VMware Aria Operations for Logs contains an information disclosure vulnerability. A malicious actor with View Only Admin permissions may be…
CVE-2026-34045 — CVSS 8.2 (high): Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by…
CVE-2025-1395 — CVSS 8.2 (high): Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson…
CVE-2023-37260 — CVSS 8.2 (high): league/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. Starting in version 8.3.2 and prior to…
CVE-2021-21421 — CVSS 8.1 (high): node-etsy-client is a NodeJs Etsy ReST API Client. Applications that are using node-etsy-client and reporting client error to the end user…
CVE-2018-12886 — CVSS 8.1 (high): stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under…
CVE-2018-8042 — CVSS 8.1 (high): Apache Ambari, version 2.5.0 to 2.6.2, passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when…
CVE-2023-41027 — CVSS 8.0 (high): Credential disclosure in the '/webs/userpasswd.htm' endpoint in Juplink RX4-1500 Wifi router firmware versions V1.0.4 and V1.0.5 allows an…
CVE-2024-11625 — CVSS 7.7 (high): Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.This issue affects Sitefinity: from…
CVE-2022-31124 — CVSS 7.7 (high): openssh_key_parser is an open source Python package providing utilities to parse and pack OpenSSH private and public key files. In versions…
CVE-2021-32775 — CVSS 7.7 (high): Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, a non admin user can get access to many class/field…
CVE-2020-15125 — CVSS 7.7 (high): In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in…
CVE-2026-45728 — CVSS 7.5 (high): Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a…
CVE-2026-42552 — CVSS 7.5 (high): Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception…
CVE-2026-43873 — CVSS 7.5 (high): WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local…
CVE-2026-29146 — CVSS 7.5 (high): Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from…
CVE-2025-71282 — CVSS 7.5 (high): XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions. This allows an attacker…
CVE-2022-50686 — CVSS 7.5 (high): An information disclosure vulnerability in Kentico Xperience allows attackers to view sensitive stack trace details via Portal Engine form…
CVE-2025-36003 — CVSS 7.5 (high): IBM Security Verify Governance Identity Manager 10.0.2 could allow a remote attacker to obtain sensitive information when detailed…
CVE-2025-23320 — CVSS 7.5 (high): NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause the…