CVEs classified under CWE-524, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (44)
CVE-2026-53943 — CVSS 9.6 (critical): Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content…
CVE-2025-64762 — CVSS 9.1 (critical): The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js…
CVE-2026-50170 — CVSS 7.5 (high): Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior…
CVE-2026-48901 — CVSS 7.5 (high): The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.
CVE-2024-27917 — CVSS 7.5 (high): Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and assigns…
CVE-2021-24027 — CVSS 7.5 (high): A cache configuration issue prior to WhatsApp for Android v2.21.4.18 and WhatsApp Business for Android v2.21.4.18 may have allowed a third…
CVE-2024-45596 — CVSS 7.4 (high): Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last…
CVE-2024-12314 — CVSS 7.2 (high): The Rapid Cache plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 1.2.3. This is due to plugin…
CVE-2026-46309 — CVSS 7.0 (high): In the Linux kernel, the following vulnerability has been resolved: drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise…
CVE-2026-25540 — CVSS 6.5 (medium): Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable…
CVE-2025-57752 — CVSS 6.2 (medium): Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js…
CVE-2026-47225: Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is a cache isolation issue affecting search…
CVE-2026-49858 — CVSS 5.9 (medium): API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and…
CVE-2026-9678 — CVSS 5.9 (medium): Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses…
CVE-2026-41841 — CVSS 5.9 (medium): Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions…
CVE-2025-9901 — CVSS 5.9 (medium): A flaw was found in libsoup’s caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This…
CVE-2023-37486 — CVSS 5.9 (medium): Under certain conditions SAP Commerce (OCC API) - versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211, endpoints allow an attacker to access…
CVE-2025-14806 — CVSS 5.7 (medium): IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an attacker to trick the caching mechanism into storing and serving…
CVE-2025-69581 — CVSS 5.5 (medium): An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even…
CVE-2025-5141 — CVSS 5.5 (medium): A binary in the BoKS Server Agent component of Fortra's Core Privileged Access Manager (BoKS) on versions 7.2.0 (up to 7.2.0.17), 8.1.0 (up…
CVE-2022-32909 — CVSS 5.5 (medium): The issue was addressed with improved handling of caches. This issue is fixed in iOS 16. An app may be able to access user-sensitive data.
CVE-2026-40012 — CVSS 5.3 (medium): ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;
CVE-2026-44457 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip…
CVE-2026-24472 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an…
CVE-2025-61598 — CVSS 5.3 (medium): Discourse is an open source discussion platform. Version before 3.6.2 and 3.6.0.beta2, default Cache-Control response header with value…
CVE-2024-49580 — CVSS 5.3 (medium): In JetBrains Ktor before 2.3.13 improper caching in HttpCache Plugin could lead to response information disclosure
CVE-2024-0874 — CVSS 5.3 (medium): A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching.
CVE-2021-44854 — CVSS 5.3 (medium): An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results…
CVE-2025-4233: An insufficient implementation of cache vulnerability in Palo Alto Networks Prisma® Access Browser enables users to bypass certain data…
CVE-2024-41906 — CVSS 4.8 (medium): A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V2.0). The affected application does not…
CVE-2022-3292 — CVSS 4.6 (medium): Use of Cache Containing Sensitive Information in GitHub repository ikus060/rdiffweb prior to 2.4.8.
CVE-2026-6907 — CVSS 4.3 (medium): An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches…
CVE-2026-27205 — CVSS 4.3 (medium): Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed…
CVE-2024-33004 — CVSS 4.3 (medium): SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after…
CVE-2019-14997 — CVSS 4.3 (medium): The AccessLogFilter class in Jira before version 8.4.0 allows remote anonymous attackers to learn details about other users, including…
CVE-2023-45696 — CVSS 4.0 (medium): Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data…
CVE-2025-64696 — CVSS 3.3 (low): Android App "Brother iPrint&Scan" versions 6.13.7 and earlier improperly uses an external cache directory. If exploited…
CVE-2026-48588 — CVSS 3.1 (low): An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator cache…
CVE-2026-35193 — CVSS 3.1 (low): An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does…
CVE-2026-22741 — CVSS 3.1 (low): Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can…
CVE-2025-43410 — CVSS 2.4 (low): The issue was addressed with improved handling of caches. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe…