CWE-209
Generation of Error Message Containing Sensitive Information
The product generates an error message that includes sensitive information about its environment, users, or associated data.
CVE-2026-44226 (GCVE-0-2026-44226)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:36 – Updated: 2026-05-11 18:27 - CWE-209 - Generation of Error Message Containing Sensitive Information
| URL | Tags |
|---|---|
| https://github.com/pyload/pyload/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44226",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:26:38.527027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:27:05.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.0b3.dev100"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/\u003cpath:filename\u003e is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response. This vulnerability is fixed in 0.5.0b3.dev100."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:36:35.156Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg"
}
],
"source": {
"advisory": "GHSA-c3gc-9pf2-84gg",
"discovery": "UNKNOWN"
},
"title": "pyLoad: Unauthenticated traceback disclosure via global exception handler in WebUI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44226",
"datePublished": "2026-05-11T16:36:35.156Z",
"dateReserved": "2026-05-05T15:42:40.518Z",
"dateUpdated": "2026-05-11T18:27:05.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45728 (GCVE-0-2026-45728)
Vulnerability from cvelistv5 – Published: 2026-05-26 16:38 – Updated: 2026-05-26 17:31
| URL | Tags |
|---|---|
| https://github.com/xyproto/algernon/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45728",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T17:31:16.231606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:31:40.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xyproto/algernon/security/advisories/GHSA-fwqx-8365-9983"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "algernon",
"vendor": "xyproto",
"versions": [
{
"status": "affected",
"version": "\u003c 1.17.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error response dumps the absolute path of the file that errored, complete byte contents of that file, and exception or parser error text. This response is served with HTTP 200 OK to whoever sent the request that triggered the error. Any client able to reach the server and able to provoke a runtime error in the served script obtains the full server-side source of that script and of any sibling Lua data file consulted during the request. This vulnerability is fixed in 1.17.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-489",
"description": "CWE-489: Active Debug Code",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-540",
"description": "CWE-540: Inclusion of Sensitive Information in Source Code",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "CWE-1188: Insecure Default Initialization of Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T16:38:50.435Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xyproto/algernon/security/advisories/GHSA-fwqx-8365-9983",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xyproto/algernon/security/advisories/GHSA-fwqx-8365-9983"
}
],
"source": {
"advisory": "GHSA-fwqx-8365-9983",
"discovery": "UNKNOWN"
},
"title": "Algernon: Single-file mode unconditionally enables debug mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45728",
"datePublished": "2026-05-26T16:38:50.435Z",
"dateReserved": "2026-05-13T05:51:48.667Z",
"dateUpdated": "2026-05-26T17:31:40.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4633 (GCVE-0-2026-4633)
Vulnerability from cvelistv5 – Published: 2026-03-23 10:53 – Updated: 2026-04-01 14:38 - CWE-209 - Generation of Error Message Containing Sensitive Information
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-4633 | vdb-entry, x_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2450247 | issue-tracking, x_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | | cpe:/a:redhat:build_keycloak: |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4633",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:07:15.419255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:52:36.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat Build of Keycloak",
"vendor": "Red Hat"
}
],
"datePublic": "2025-03-23T05:05:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:38:10.321Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-4633"
},
{
"name": "RHBZ#2450247",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450247"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-23T08:34:37.879Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-03-23T05:05:00.000Z",
"value": "Made public."
}
],
"title": "Keycloak: keycloak: user enumeration via differential error messages",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-209: Generation of Error Message Containing Sensitive Information"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-4633",
"datePublished": "2026-03-23T10:53:35.655Z",
"dateReserved": "2026-03-23T08:36:31.514Z",
"dateUpdated": "2026-04-01T14:38:10.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4994 (GCVE-0-2026-4994)
Vulnerability from cvelistv5 – Published: 2026-03-28 09:15 – Updated: 2026-03-30 17:41
| URL | Tags |
|---|---|
| https://vuldb.com/?id.353881 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.353881 | signature, permissions-required |
| https://vuldb.com/?submit.778266 | third-party-advisory |
| https://gist.github.com/YLChen-007/8c6ff147186855… | exploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4994",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T17:40:56.383246Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T17:41:13.509Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"APIStatusError Handler"
],
"product": "OpenUI",
"vendor": "wandb",
"versions": [
{
"status": "affected",
"version": "1.0"
},
{
"status": "affected",
"version": "3.5-turb"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-b (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in wandb OpenUI up to 1.0/3.5-turb. Affected is the function generic_exception_handler of the file backend/openui/server.py of the component APIStatusError Handler. The manipulation of the argument key results in information exposure through error message. Access to the local network is required for this attack. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.7,
"vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "Information Exposure Through Error Message",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-28T09:15:12.348Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-353881 | wandb OpenUI APIStatusError server.py generic_exception_handler information exposure",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.353881"
},
{
"name": "VDB-353881 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.353881"
},
{
"name": "Submit #778266 | Weights and Biases OpenUI \u003c= 1.0 (commit f9d8f0e) Generation of Error Message Containing Sensitive Information (CWE-209)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.778266"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/8c6ff147186855e4b716e7526de213e1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-27T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-27T14:53:46.000Z",
"value": "VulDB entry last update"
}
],
"title": "wandb OpenUI APIStatusError server.py generic_exception_handler information exposure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4994",
"datePublished": "2026-03-28T09:15:12.348Z",
"dateReserved": "2026-03-27T13:48:00.731Z",
"dateUpdated": "2026-03-30T17:41:13.509Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5511 (GCVE-0-2026-5511)
Vulnerability from cvelistv5 – Published: 2026-05-19 15:58 – Updated: 2026-05-19 17:06 - CWE-209 - Generation of error message containing sensitive information
| URL | Tags |
|---|---|
| https://www.tp-link.com/sg/support/download/arche… | patch |
| https://www.tp-link.com/us/support/faq/5096/ | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Archer AX72 (SG) v1.0 | Affected: 0 , < 1.4.6 Build 20260112 rel.66206 (custom) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5511",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T17:05:56.109153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T17:06:21.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Archer AX72 (SG) v1.0",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.4.6 Build 20260112 rel.66206",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "George Chen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information.\u0026nbsp;\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAn authenticated attacker with administrative privileges could exploit this issue to confirm the presence of the diagnostic utility and view its valid command-line syntax and options.\u0026nbsp; The exposed information is limited in scope and does not include sensitive system data.\u003c/div\u003e"
}
],
"value": "In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information.\u00a0\n\n\nAn authenticated attacker with administrative privileges could exploit this issue to confirm the presence of the diagnostic utility and view its valid command-line syntax and options.\u00a0 The exposed information is limited in scope and does not include sensitive system data."
}
],
"impacts": [
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of error message containing sensitive information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T15:58:46.404Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/sg/support/download/archer-ax72/#Firmware"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5096/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information Disclosure via Diagnostic Interface Due to Improper Input Validation on TP-Link\u0027s Archer AX72",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-5511",
"datePublished": "2026-05-19T15:58:46.404Z",
"dateReserved": "2026-04-03T17:31:05.618Z",
"dateUpdated": "2026-05-19T17:06:21.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7860 (GCVE-0-2026-7860)
Vulnerability from cvelistv5 – Published: 2026-05-19 11:01 – Updated: 2026-05-21 18:09 - CWE-209 - Generation of Error Message Containing Sensitive Information
| Vendor | Product | Version | |
|---|---|---|---|
| vaadin | flow | Affected: 23.0.0 , ≤ 23.6.10 (maven); Affected: 24.0.0 , ≤ 24.9.17 (maven); Affected: 24.10.0 , ≤ 24.10.3 (maven); Affected: 25.0.0 , ≤ 25.0.11 (maven); Affected: 25.1.0 , ≤ 25.1.4 (maven) | |
| vaadin | flow | Affected: 23.0.0 , ≤ 23.6.10 (maven); Affected: 24.0.0 , ≤ 24.9.17 (maven); Affected: 24.10.0 , ≤ 24.10.3 (maven); Affected: 25.0.0 , ≤ 25.0.11 (maven); Affected: 25.1.0 , ≤ 25.1.4 (maven) | |
| vaadin | flow | Affected: 24.0.0 , ≤ 24.9.17 (maven); Affected: 24.10.0 , ≤ 24.10.3 (maven); Affected: 25.0.0 , ≤ 25.0.11 (maven); Affected: 25.1.0 , ≤ 25.1.4 (maven) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T13:42:28.555116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T13:42:39.109Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:flow-plugin-base",
"product": "flow",
"repo": "https://github.com/vaadin/flow",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "23.6.10",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.9.17",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.10.3",
"status": "affected",
"version": "24.10.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "25.0.11",
"status": "affected",
"version": "25.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "25.1.4",
"status": "affected",
"version": "25.1.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:flow-maven-plugin",
"product": "flow",
"repo": "https://github.com/vaadin/flow",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "23.6.10",
"status": "affected",
"version": "23.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.9.17",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.10.3",
"status": "affected",
"version": "24.10.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "25.0.11",
"status": "affected",
"version": "25.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "25.1.4",
"status": "affected",
"version": "25.1.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "com.vaadin:flow-gradle-plugin",
"product": "flow",
"repo": "https://github.com/vaadin/flow",
"vendor": "vaadin",
"versions": [
{
"lessThanOrEqual": "24.9.17",
"status": "affected",
"version": "24.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "24.10.3",
"status": "affected",
"version": "24.10.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "25.0.11",
"status": "affected",
"version": "25.0.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "25.1.4",
"status": "affected",
"version": "25.1.0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eA possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\u003cbr\u003e\u003cbr\u003eProduct version\u003cbr\u003eVaadin 23.0.0 - 23.6.9\u003cbr\u003eVaadin 24.0.0 - 24.9.16\u003cbr\u003eVaadin 24.10.0 - 24.10.3\u003cbr\u003eVaadin 25.0.0 - 25.0.10\u003cbr\u003eVaadin 25.1.0 - 25.1.4\u003cbr\u003e\u003cbr\u003eMitigation\u003cbr\u003eUpgrade to 23.6.10\u003cbr\u003eUpgrade to 24.9.17 or newer\u003cbr\u003eUpgrade to 24.10.4 or newer\u003cbr\u003eUpgrade to 25.0.11 or newer\u003cbr\u003eUpgrade to 25.1.5 or newer\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\u003cbr\u003e\u003cbr\u003eArtifacts\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMaven coordinates\u003c/td\u003e\u003ctd\u003eVulnerable versions\u003c/td\u003e\u003ctd\u003eFixed version\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.10\u003c/td\u003e\u003ctd\u003e\u226523.6.11\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.10\u003c/td\u003e\u003ctd\u003e\u226523.6.11\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/span\u003e"
}
],
"value": "A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 23.0.0 - 23.6.9\nVaadin 24.0.0 - 24.9.16\nVaadin 24.10.0 - 24.10.3\nVaadin 25.0.0 - 25.0.10\nVaadin 25.1.0 - 25.1.4\n\nMitigation\nUpgrade to 23.6.10\nUpgrade to 24.9.17 or newer\nUpgrade to 24.10.4 or newer\nUpgrade to 25.0.11 or newer\nUpgrade to 25.1.5 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\n\nArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4\u226525.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4\u226525.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4\u226525.1.5"
}
],
"impacts": [
{
"capecId": "CAPEC-169",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-169 Footprinting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 1.6,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T18:09:14.990Z",
"orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"shortName": "Vaadin"
},
"references": [
{
"url": "https://vaadin.com/security/cve-2026-7860"
},
{
"url": "https://github.com/vaadin/flow/pull/24219"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
}
],
"value": "Users of affected versions should apply the following mitigation or upgrade."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
"assignerShortName": "Vaadin",
"cveId": "CVE-2026-7860",
"datePublished": "2026-05-19T11:01:47.212Z",
"dateReserved": "2026-05-05T11:51:33.170Z",
"dateUpdated": "2026-05-21T18:09:14.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9583 (GCVE-0-2026-9583)
Vulnerability from cvelistv5 – Published: 2026-05-26 21:00 – Updated: 2026-05-26 21:00 - X_Freeware
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365639 | vdb-entry |
| https://vuldb.com/vuln/365639/cti | signature, permissions-required |
| https://vuldb.com/submit/817932 | third-party-advisory |
| https://github.com/NARKHEDE-VAIBHAV/poc/blob/main… | exploit |
| https://github.com/NARKHEDE-VAIBHAV/poc/blob/main… | exploit |
| https://www.sourcecodester.com/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | CET Automated Grading System with AI Predictive Analytics | Affected: 1.0 | cpe:2.3:a:sourcecodester:cet_automated_grading_system_with_ai_predictive_analytics:*:*:*:*:*:*:*:* |
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:cet_automated_grading_system_with_ai_predictive_analytics:*:*:*:*:*:*:*:*"
],
"modules": [
"SQL Handler"
],
"product": "CET Automated Grading System with AI Predictive Analytics",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "vaibhavnarkhede (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "vaibhavnarkhede (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. Executing a manipulation can lead to information exposure through error message. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "Information Exposure Through Error Message",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T21:00:14.669Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365639 | SourceCodester CET Automated Grading System with AI Predictive Analytics SQL index.php information exposure",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/365639"
},
{
"name": "VDB-365639 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365639/cti"
},
{
"name": "Submit #817932 | SourceCodester CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Information Disclosure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/817932"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9583-Information-Disclosure/Advisory.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9583-Information-Disclosure/poc.sh"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-26T19:22:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester CET Automated Grading System with AI Predictive Analytics SQL index.php information exposure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9583",
"datePublished": "2026-05-26T21:00:14.669Z",
"dateReserved": "2026-05-26T12:53:04.055Z",
"dateUpdated": "2026-05-26T21:00:14.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-39
Phase: Implementation
Description:
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike a balance between being too cryptic (which can confuse users) and being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
Mitigation
Phase: Implementation
Description:
- Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Mitigation ID: MIT-33
Phase: Implementation
Strategy: Attack Surface Reduction
Description:
- Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Mitigation ID: MIT-40
Phases: Implementation, Build and Compilation
Strategy: Compilation or Build Hardening
Description:
- Debugging information should not make its way into a production release.
Mitigation ID: MIT-40
Phases: Implementation, Build and Compilation
Strategy: Environment Hardening
Description:
- Debugging information should not make its way into a production release.
Mitigation
Phase: System Configuration
Description:
- Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
Mitigation
Phase: System Configuration
Description:
- Create default error pages or messages that do not leak any information.
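A Python illustration of the "handle exceptions internally", "log in detail but never log passwords" and "default error pages that leak nothing" mitigations above. This is an added example, not code from CWE/MITRE or from any product listed on this page; the secret-key pattern, the request context and the raised exception are constructed for the example.

```python
import re
import traceback
import uuid
from dataclasses import dataclass

# Constructed pattern for this example: keys whose values must never reach a log file.
SECRET_KEY_RE = re.compile(r"pass(word)?|secret|token|api[_-]?key", re.IGNORECASE)
REDACTED = "[REDACTED]"


def redact(context: dict) -> dict:
    """Return a copy of request/environment context with secret-looking values masked."""
    return {k: (REDACTED if SECRET_KEY_RE.search(k) else v) for k, v in context.items()}


@dataclass
class ErrorOutcome:
    status: int
    client_body: dict  # what goes back over HTTP: generic text plus an opaque reference
    log_record: str    # what goes to the server log only: full traceback, redacted context


def handle_unhandled_exception(exc: BaseException, path: str, context: dict) -> ErrorOutcome:
    """Map an unhandled exception to a client-safe response and a server-side log record.

    The reference ID links the two, so operators can find the traceback without the
    client ever seeing file paths, stack frames or variable contents.
    """
    ref = uuid.uuid4().hex[:12]
    tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log_record = f"ref={ref} path={path} context={redact(context)}\n{tb}"
    client_body = {"error": "Internal server error", "reference": ref}
    return ErrorOutcome(500, client_body, log_record)


def demo() -> ErrorOutcome:
    """Constructed failure: a missing template, with a DB password in the request context."""
    context = {"DB_HOST": "db.internal", "DB_PASSWORD": "hunter2", "user": "alice"}
    try:
        raise FileNotFoundError("/srv/app/templates/missing.html")
    except FileNotFoundError as exc:
        return handle_unhandled_exception(exc, "/app/report", context)


if __name__ == "__main__":
    outcome = demo()
    print("client sees:", outcome.client_body)
    print("server log gets:\n" + outcome.log_record)
```

The same split applies to build tooling: a failed build step should log its environment server-side through the redaction step rather than echoing it into an error report that leaves the machine.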
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages, but by attempting a large number of message variants they may find a variant that triggers the desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-54: Query System for Information
An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.
CAPEC-7: Blind SQL Injection
Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages is considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine whether the syntax and structure of the injection were successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.