Common Weakness Enumeration

CWE-209

Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

CVE-2026-47248 (GCVE-0-2026-47248)

Vulnerability from cvelistv5 – Published: 2026-06-12 18:21 – Updated: 2026-06-12 20:04
VLAI
Title
Parse Server: GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
Impacted products
Vendor Product Version
parse-community parse-server Affected: < 8.6.78
Affected: >= 9.0.0, < 9.9.1-alpha.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47248",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-12T20:04:32.992755Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-12T20:04:40.587Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "parse-server",
          "vendor": "parse-community",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 8.6.78"
            },
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 9.9.1-alpha.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server\u0027s GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T18:21:31.511Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-8cph-rgr4-g5vj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-8cph-rgr4-g5vj"
        },
        {
          "name": "https://github.com/parse-community/parse-server/pull/10467",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parse-community/parse-server/pull/10467"
        },
        {
          "name": "https://github.com/parse-community/parse-server/pull/10468",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parse-community/parse-server/pull/10468"
        }
      ],
      "source": {
        "advisory": "GHSA-8cph-rgr4-g5vj",
        "discovery": "UNKNOWN"
      },
      "title": "Parse Server: GraphQL \"Did you mean\" validation suggestions disclose schema to unauthenticated callers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47248",
    "datePublished": "2026-06-12T18:21:31.511Z",
    "dateReserved": "2026-05-18T22:54:18.272Z",
    "dateUpdated": "2026-06-12T20:04:40.587Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47775 (GCVE-0-2026-47775)

Vulnerability from cvelistv5 – Published: 2026-06-26 17:23 – Updated: 2026-06-29 15:20
VLAI
Title
Envoy OAuth2 Filter: Padding Oracle via AES-256-CBC Cookie Decryption
Summary
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the OAuth2 HTTP filter's encrypt()/decrypt() functions use AES-256-CBC without an authentication tag (no HMAC, no AEAD). The /callback endpoint returns HTTP 302 on successful decryption and HTTP 401 on padding failure, creating a padding oracle. An attacker who obtains the encrypted CodeVerifier cookie can recover the plaintext PKCE code_verifier in ~6,200 requests (~100 seconds), then exchange it with a stolen authorization code to obtain the victim's access token. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
  • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
Impacted products
Vendor Product Version
envoyproxy envoy Affected: >= 1.38.0, < 1.38.1
Affected: >= 1.37.0, < 1.37.3
Affected: >= 1.36.0, < 1.36.7
Affected: < 1.35.11
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47775",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T15:05:22.645121Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T15:20:39.815Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "envoy",
          "vendor": "envoyproxy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.38.0, \u003c 1.38.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.37.0, \u003c 1.37.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.36.0, \u003c 1.36.7"
            },
            {
              "status": "affected",
              "version": "\u003c 1.35.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the OAuth2 HTTP filter\u0027s encrypt()/decrypt() functions use AES-256-CBC without an authentication tag (no HMAC, no AEAD). The /callback endpoint returns HTTP 302 on successful decryption and HTTP 401 on padding failure, creating a padding oracle. An attacker who obtains the encrypted CodeVerifier cookie can recover the plaintext PKCE code_verifier in ~6,200 requests (~100 seconds), then exchange it with a stolen authorization code to obtain the victim\u0027s access token. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-327",
              "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T17:23:51.663Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p"
        }
      ],
      "source": {
        "advisory": "GHSA-396h-jpq4-vc7p",
        "discovery": "UNKNOWN"
      },
      "title": "Envoy OAuth2 Filter: Padding Oracle via AES-256-CBC Cookie Decryption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47775",
    "datePublished": "2026-06-26T17:23:51.663Z",
    "dateReserved": "2026-05-19T22:36:16.882Z",
    "dateUpdated": "2026-06-29T15:20:39.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49365 (GCVE-0-2026-49365)

Vulnerability from cvelistv5 – Published: 2026-07-06 08:11 – Updated: 2026-07-07 12:34
VLAI
Title
Apache Camel: Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients
Summary
Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component. The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false because the backing field was an uninitialised primitive boolean (Java's default of false), whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain (via DefaultNettyHttpBinding) instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application's internal structure, which an attacker can use to plan further attacks. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http consumer (for example netty-http: http://0.0.0.0:8080/api?muteException=true , or globally via the camel.component.netty-http.configuration.mute-exception=true property), so that processing errors no longer return the stack trace to the client.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Camel Affected: 4.0.0 , < 4.14.8 (semver)
Affected: 4.15.0 , < 4.18.3 (semver)
Affected: 4.19.0 , < 4.21.0 (semver)
Create a notification for this product.
Credits
Yu Bao from PayPal Andrea Cosentino
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-07-06T09:25:45.988Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/07/05/25"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-49365",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-07T12:34:23.255778Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-07T12:34:51.854Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.camel:camel-netty-http",
          "product": "Apache Camel",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "4.14.8",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.18.3",
              "status": "affected",
              "version": "4.15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.21.0",
              "status": "affected",
              "version": "4.19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yu Bao from PayPal"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Andrea Cosentino"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eGeneration of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component.\u003c/p\u003eThe camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false because the backing field was an uninitialised primitive boolean (Java\u0027s default of false), whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain (via DefaultNettyHttpBinding) instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application\u0027s internal structure, which an attacker can use to plan further attacks.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http consumer (for example netty-http:\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://0.0.0.0:8080/api?muteException=true\"\u003ehttp://0.0.0.0:8080/api?muteException=true\u003c/a\u003e, or globally via the camel.component.netty-http.configuration.mute-exception=true property), so that processing errors no longer return the stack trace to the client.\u003c/p\u003e"
            }
          ],
          "value": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component.\n\nThe camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false because the backing field was an uninitialised primitive boolean (Java\u0027s default of false), whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain (via DefaultNettyHttpBinding) instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application\u0027s internal structure, which an attacker can use to plan further attacks.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http consumer (for example netty-http: http://0.0.0.0:8080/api?muteException=true , or globally via the camel.component.netty-http.configuration.mute-exception=true property), so that processing errors no longer return the stack trace to the client."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-06T08:11:49.232Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://camel.apache.org/security/CVE-2026-49365.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Camel: Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-49365",
    "datePublished": "2026-07-06T08:11:49.232Z",
    "dateReserved": "2026-05-29T16:50:08.917Z",
    "dateUpdated": "2026-07-07T12:34:51.854Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4994 (GCVE-0-2026-4994)

Vulnerability from cvelistv5 – Published: 2026-03-28 09:15 – Updated: 2026-03-30 17:41
VLAI
Title
wandb OpenUI APIStatusError server.py generic_exception_handler information exposure
Summary
A vulnerability was found in wandb OpenUI up to 1.0/3.5-turb. Affected is the function generic_exception_handler of the file backend/openui/server.py of the component APIStatusError Handler. The manipulation of the argument key results in information exposure through error message. Access to the local network is required for this attack. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-209 - Information Exposure Through Error Message
  • CWE-200 - Information Disclosure
Assigner
References
URL Tags
https://vuldb.com/?id.353881 vdb-entrytechnical-description
https://vuldb.com/?ctiid.353881 signaturepermissions-required
https://vuldb.com/?submit.778266 third-party-advisory
https://gist.github.com/YLChen-007/8c6ff147186855… exploit
Impacted products
Vendor Product Version
wandb OpenUI Affected: 1.0
Affected: 3.5-turb
Create a notification for this product.
Credits
Eric-b (VulDB User) VulDB
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4994",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-30T17:40:56.383246Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-30T17:41:13.509Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "APIStatusError Handler"
          ],
          "product": "OpenUI",
          "vendor": "wandb",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            },
            {
              "status": "affected",
              "version": "3.5-turb"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Eric-b (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in wandb OpenUI up to 1.0/3.5-turb. Affected is the function generic_exception_handler of the file backend/openui/server.py of the component APIStatusError Handler. The manipulation of the argument key results in information exposure through error message. Access to the local network is required for this attack. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.7,
            "vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "Information Exposure Through Error Message",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "Information Disclosure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-28T09:15:12.348Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-353881 | wandb OpenUI APIStatusError server.py generic_exception_handler information exposure",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.353881"
        },
        {
          "name": "VDB-353881 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.353881"
        },
        {
          "name": "Submit #778266 | Weights and Biases OpenUI \u003c= 1.0 (commit f9d8f0e) Generation of Error Message Containing Sensitive Information (CWE-209)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.778266"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gist.github.com/YLChen-007/8c6ff147186855e4b716e7526de213e1"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-27T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-03-27T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-03-27T14:53:46.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "wandb OpenUI APIStatusError server.py generic_exception_handler information exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-4994",
    "datePublished": "2026-03-28T09:15:12.348Z",
    "dateReserved": "2026-03-27T13:48:00.731Z",
    "dateUpdated": "2026-03-30T17:41:13.509Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49979 (GCVE-0-2026-49979)

Vulnerability from cvelistv5 – Published: 2026-06-24 21:38 – Updated: 2026-06-26 18:43
VLAI
Title
Appsmith: SSRF via `POST /api/v1/admin/send-test-email` — JavaMail Bypasses WebClient IP Filter
Summary
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Additionally, the raw MailException.getMessage() is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration. This vulnerability is fixed in 1.99.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
Vendor Product Version
appsmithorg appsmith Affected: < 1.99
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49979",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T17:51:00.907972Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T18:43:27.057Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "appsmith",
          "vendor": "appsmithorg",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.99"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Additionally, the raw MailException.getMessage() is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration. This vulnerability is fixed in 1.99."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T21:38:50.890Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh"
        }
      ],
      "source": {
        "advisory": "GHSA-vvxf-f8q9-86gh",
        "discovery": "UNKNOWN"
      },
      "title": "Appsmith: SSRF via `POST /api/v1/admin/send-test-email` \u2014 JavaMail Bypasses WebClient IP Filter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-49979",
    "datePublished": "2026-06-24T21:38:50.890Z",
    "dateReserved": "2026-06-02T18:30:51.282Z",
    "dateUpdated": "2026-06-26T18:43:27.057Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53906 (GCVE-0-2026-53906)

Vulnerability from cvelistv5 – Published: 2026-07-01 11:58 – Updated: 2026-07-01 13:39
VLAI
Title
Path Disclosure and Path Traversal in MCO
Summary
MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
MyComplianceOffice MCO Affected: 25.3.3.1 (custom)
Create a notification for this product.
Credits
Hubert Decyusz (AFINE Team)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53906",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T13:39:08.768534Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T13:39:18.244Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "MCO",
          "vendor": "MyComplianceOffice",
          "versions": [
            {
              "status": "affected",
              "version": "25.3.3.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hubert Decyusz (AFINE Team)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the \u003ci\u003efilename\u003c/i\u003e parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages.\u003cbr\u003e\u003cbr\u003eBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1\u0026nbsp;but may also affect other versions."
            }
          ],
          "value": "MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages.\n\nBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1\u00a0but may also affect other versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-139",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-139 Relative Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T11:58:55.138Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2026/07/CVE-2026-53902"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://mco.mycomplianceoffice.com/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Path Disclosure and Path Traversal in MCO",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2026-53906",
    "datePublished": "2026-07-01T11:58:55.138Z",
    "dateReserved": "2026-06-11T07:44:52.179Z",
    "dateUpdated": "2026-07-01T13:39:18.244Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5511 (GCVE-0-2026-5511)

Vulnerability from cvelistv5 – Published: 2026-05-19 15:58 – Updated: 2026-05-19 17:06
VLAI
Title
Information Disclosure via Diagnostic Interface Due to Improper Input Validation on TP-Link's Archer AX72
Summary
In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information.  An authenticated attacker with administrative privileges could exploit this issue to confirm the presence of the diagnostic utility and view its valid command-line syntax and options.  The exposed information is limited in scope and does not include sensitive system data.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-209 - Generation of error message containing sensitive information
Assigner
Impacted products
Vendor Product Version
TP-Link Systems Inc. Archer AX72 (SG) v1.0 Affected: 0 , < 1.4.6 Build 20260112 rel.66206 (custom)
Create a notification for this product.
Credits
George Chen
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5511",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-19T17:05:56.109153Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T17:06:21.425Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Archer AX72 (SG) v1.0",
          "vendor": "TP-Link Systems Inc.",
          "versions": [
            {
              "lessThan": "1.4.6 Build 20260112 rel.66206",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "George Chen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information.\u0026nbsp;\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAn authenticated attacker with administrative privileges could exploit this issue to confirm the presence of the diagnostic utility and view its valid command-line syntax and options.\u0026nbsp; The exposed information is limited in scope and does not include sensitive system data.\u003c/div\u003e"
            }
          ],
          "value": "In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information.\u00a0\n\n\nAn authenticated attacker with administrative privileges could exploit this issue to confirm the presence of the diagnostic utility and view its valid command-line syntax and options.\u00a0 The exposed information is limited in scope and does not include sensitive system data."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-54",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-54 Query System for Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Generation of error message containing sensitive information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-19T15:58:46.404Z",
        "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "shortName": "TPLink"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.tp-link.com/sg/support/download/archer-ax72/#Firmware"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.tp-link.com/us/support/faq/5096/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure via Diagnostic Interface Due to Improper Input Validation on TP-Link\u0027s Archer AX72",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
    "assignerShortName": "TPLink",
    "cveId": "CVE-2026-5511",
    "datePublished": "2026-05-19T15:58:46.404Z",
    "dateReserved": "2026-04-03T17:31:05.618Z",
    "dateUpdated": "2026-05-19T17:06:21.425Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-56139 (GCVE-0-2026-56139)

Vulnerability from cvelistv5 – Published: 2026-07-06 08:15 – Updated: 2026-07-06 20:55
VLAI
Title
Apache Camel Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients
Summary
Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component. The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application's internal structure, which an attacker can use to plan further attacks. In addition, for Rest DSL consumers the muteException option was not honoured at all: the RestUndertowHttpBinding was created with a hard-coded false, so the stack trace was returned even when muteException=true had been configured. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-undertow consumer (for example undertow: http://0.0.0.0:8080/api?muteException=true , or globally via the camel.component.undertow.mute-exception=true property), so that processing errors no longer return the stack trace to the client; note that on affected releases this workaround does not cover Rest DSL consumers, whose binding ignores the option until the fix is applied.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Camel Undertow Affected: 4.0.0 , < 4.14.8 (semver)
Affected: 4.15.0 , < 4.18.3 (semver)
Affected: 4.19.0 , < 4.21.0 (semver)
Create a notification for this product.
Credits
Yu Bao from PayPal Andrea Cosentino
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-07-06T09:26:06.541Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/07/05/29"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-56139",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-06T20:55:36.900366Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-06T20:55:43.126Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.camel:camel-undertow",
          "product": "Apache Camel Undertow",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "4.14.8",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.18.3",
              "status": "affected",
              "version": "4.15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.21.0",
              "status": "affected",
              "version": "4.19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yu Bao from PayPal"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Andrea Cosentino"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eGeneration of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component.\u003c/p\u003eThe camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application\u0027s internal structure, which an attacker can use to plan further attacks. In addition, for Rest DSL consumers the muteException option was not honoured at all: the RestUndertowHttpBinding was created with a hard-coded false, so the stack trace was returned even when muteException=true had been configured.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-undertow consumer (for example undertow:\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://0.0.0.0:8080/api?muteException=true\"\u003ehttp://0.0.0.0:8080/api?muteException=true\u003c/a\u003e, or globally via the camel.component.undertow.mute-exception=true property), so that processing errors no longer return the stack trace to the client; note that on affected releases this workaround does not cover Rest DSL consumers, whose binding ignores the option until the fix is applied.\u003c/p\u003e"
            }
          ],
          "value": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component.\n\nThe camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application\u0027s internal structure, which an attacker can use to plan further attacks. In addition, for Rest DSL consumers the muteException option was not honoured at all: the RestUndertowHttpBinding was created with a hard-coded false, so the stack trace was returned even when muteException=true had been configured.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-undertow consumer (for example undertow: http://0.0.0.0:8080/api?muteException=true , or globally via the camel.component.undertow.mute-exception=true property), so that processing errors no longer return the stack trace to the client; note that on affected releases this workaround does not cover Rest DSL consumers, whose binding ignores the option until the fix is applied."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-06T08:15:08.493Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://camel.apache.org/security/CVE-2026-56139.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Camel Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-56139",
    "datePublished": "2026-07-06T08:15:08.493Z",
    "dateReserved": "2026-06-19T09:53:55.822Z",
    "dateUpdated": "2026-07-06T20:55:43.126Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-56331 (GCVE-0-2026-56331)

Vulnerability from cvelistv5 – Published: 2026-06-30 22:08 – Updated: 2026-07-01 14:42
VLAI
Title
Capgo - Improper Error Handling in Accept Invitation Endpoint via Invalid Magic String
Summary
Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magic_invite_string values to cause server errors and leak internal processing details.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Capgo Capgo Affected: 0 , < 12.128.2 (semver)
Unaffected: 12.128.2 (semver)
Create a notification for this product.
Date Public
2026-03-03 00:00
Credits
Judel777
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-56331",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T14:42:08.528073Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T14:42:21.453Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-34p8-fh3m-376x"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Capgo",
          "vendor": "Capgo",
          "versions": [
            {
              "lessThan": "12.128.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "12.128.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Judel777"
        }
      ],
      "datePublic": "2026-03-03T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magic_invite_string values to cause server errors and leak internal processing details."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T22:08:32.681Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GitHub Security Advisory (GHSA-34p8-fh3m-376x)",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-34p8-fh3m-376x"
        },
        {
          "name": "VulnCheck Advisory: Capgo - Improper Error Handling in Accept Invitation Endpoint via Invalid Magic String",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/capgo-improper-error-handling-in-accept-invitation-endpoint-via-invalid-magic-string"
        }
      ],
      "title": "Capgo - Improper Error Handling in Accept Invitation Endpoint via Invalid Magic String",
      "x_generator": {
        "engine": "vulncheck-endgame"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-56331",
    "datePublished": "2026-06-30T22:08:32.681Z",
    "dateReserved": "2026-06-20T13:06:29.994Z",
    "dateUpdated": "2026-07-01T14:42:21.453Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7860 (GCVE-0-2026-7860)

Vulnerability from cvelistv5 – Published: 2026-05-19 11:01 – Updated: 2026-05-21 18:09
VLAI
Title
Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build
Summary
A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Vaadin 23.0.0 - 23.6.9 Vaadin 24.0.0 - 24.9.16 Vaadin 24.10.0 - 24.10.3 Vaadin 25.0.0 - 25.0.10 Vaadin 25.1.0 - 25.1.4 Mitigation Upgrade to 23.6.10 Upgrade to 24.9.17 or newer Upgrade to 24.10.4 or newer Upgrade to 25.0.11 or newer Upgrade to 25.1.5 or newer Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version. ArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4≥25.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10≥23.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4≥25.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17≥24.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3≥24.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11≥25.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4≥25.1.5
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
Impacted products
Vendor Product Version
vaadin flow Affected: 23.0.0 , ≤ 23.6.10 (maven)
Affected: 24.0.0 , ≤ 24.9.17 (maven)
Affected: 24.10.0 , ≤ 24.10.3 (maven)
Affected: 25.0.0 , ≤ 25.0.11 (maven)
Affected: 25.1.0 , ≤ 25.1.4 (maven)
Create a notification for this product.
vaadin flow Affected: 24.0.0 , ≤ 24.9.17 (maven)
Affected: 24.10.0 , ≤ 24.10.3 (maven)
Affected: 25.0.0 , ≤ 25.0.11 (maven)
Affected: 25.1.0 , ≤ 25.1.4 (maven)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7860",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-19T13:42:28.555116Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T13:42:39.109Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:flow-plugin-base",
          "product": "flow",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "23.6.10",
              "status": "affected",
              "version": "23.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.9.17",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.10.3",
              "status": "affected",
              "version": "24.10.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.0.11",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.1.4",
              "status": "affected",
              "version": "25.1.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:flow-maven-plugin",
          "product": "flow",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "23.6.10",
              "status": "affected",
              "version": "23.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.9.17",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.10.3",
              "status": "affected",
              "version": "24.10.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.0.11",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.1.4",
              "status": "affected",
              "version": "25.1.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:flow-gradle-plugin",
          "product": "flow",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "24.9.17",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.10.3",
              "status": "affected",
              "version": "24.10.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.0.11",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.1.4",
              "status": "affected",
              "version": "25.1.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan\u003eA possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\u003cbr\u003e\u003cbr\u003eProduct version\u003cbr\u003eVaadin 23.0.0 - 23.6.9\u003cbr\u003eVaadin 24.0.0 - 24.9.16\u003cbr\u003eVaadin 24.10.0 - 24.10.3\u003cbr\u003eVaadin 25.0.0 - 25.0.10\u003cbr\u003eVaadin 25.1.0 - 25.1.4\u003cbr\u003e\u003cbr\u003eMitigation\u003cbr\u003eUpgrade to 23.6.10\u003cbr\u003eUpgrade to 24.9.17 or newer\u003cbr\u003eUpgrade to 24.10.4 or newer\u003cbr\u003eUpgrade to 25.0.11 or newer\u003cbr\u003eUpgrade to 25.1.5 or newer\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\u003cbr\u003e\u003cbr\u003eArtifacts\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMaven coordinates\u003c/td\u003e\u003ctd\u003eVulnerable versions\u003c/td\u003e\u003ctd\u003eFixed version\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.10\u003c/td\u003e\u003ctd\u003e\u226523.6.11\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-plugin-base\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e23.0.0 - 23.6.10\u003c/td\u003e\u003ctd\u003e\u226523.6.11\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-maven-plugin\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.9.17\u003c/td\u003e\u003ctd\u003e\u226524.9.18\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e24.10.0 - 24.10.3\u003c/td\u003e\u003ctd\u003e\u226524.10.4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e25.0.0 - 25.0.11\u003c/td\u003e\u003ctd\u003e\u226525.0.12\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:flow-gradle-plugin\u003c/td\u003e\u003ctd\u003e25.1.0 - 25.1.4\u003c/td\u003e\u003ctd\u003e\u226525.1.5\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/span\u003e"
            }
          ],
          "value": "A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts.\n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 23.0.0 - 23.6.9\nVaadin 24.0.0 - 24.9.16\nVaadin 24.10.0 - 24.10.3\nVaadin 25.0.0 - 25.0.10\nVaadin 25.1.0 - 25.1.4\n\nMitigation\nUpgrade to 23.6.10\nUpgrade to 24.9.17 or newer\nUpgrade to 24.10.4 or newer\nUpgrade to 25.0.11 or newer\nUpgrade to 25.1.5 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.\n\nArtifactsMaven coordinatesVulnerable versionsFixed versioncom.vaadin:flow-plugin-base23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-plugin-base24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-plugin-base24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-plugin-base25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-plugin-base25.1.0 - 25.1.4\u226525.1.5com.vaadin:flow-maven-plugin23.0.0 - 23.6.10\u226523.6.11com.vaadin:flow-maven-plugin24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-maven-plugin24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-maven-plugin25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-maven-plugin25.1.0 - 25.1.4\u226525.1.5com.vaadin:flow-gradle-plugin24.0.0 - 24.9.17\u226524.9.18com.vaadin:flow-gradle-plugin24.10.0 - 24.10.3\u226524.10.4com.vaadin:flow-gradle-plugin25.0.0 - 25.0.11\u226525.0.12com.vaadin:flow-gradle-plugin25.1.0 - 25.1.4\u226525.1.5"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-169",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-169 Footprinting"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "AUTOMATIC",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 1.6,
            "baseSeverity": "LOW",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "LOW",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T18:09:14.990Z",
        "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
        "shortName": "Vaadin"
      },
      "references": [
        {
          "url": "https://vaadin.com/security/cve-2026-7860"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/24219"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
            }
          ],
          "value": "Users of affected versions should apply the following mitigation or upgrade."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
    "assignerShortName": "Vaadin",
    "cveId": "CVE-2026-7860",
    "datePublished": "2026-05-19T11:01:47.212Z",
    "dateReserved": "2026-05-05T11:51:33.170Z",
    "dateUpdated": "2026-05-21T18:09:14.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation ID: MIT-39

Phase: Implementation

Description:

  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
Mitigation

Phase: Implementation

Description:

  • Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Mitigation ID: MIT-33

Phase: Implementation

Strategy: Attack Surface Reduction

Description:

  • Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Mitigation ID: MIT-40

Phases: Implementation, Build and Compilation

Strategy: Compilation or Build Hardening

Description:

  • Debugging information should not make its way into a production release.
Mitigation ID: MIT-40

Phases: Implementation, Build and Compilation

Strategy: Environment Hardening

Description:

  • Debugging information should not make its way into a production release.
Mitigation

Phase: System Configuration

Description:

  • Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
Mitigation

Phase: System Configuration

Description:

  • Create default error pages or messages that do not leak any information.
CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-54: Query System for Information

An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.

CAPEC-7: Blind SQL Injection

Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.

Back to CWE stats page