CWE-532
Insertion of Sensitive Information into Log File
The product writes sensitive information to a log file.
CVE-2026-49200 (GCVE-0-2026-49200)
Vulnerability from cvelistv5 – Published: 2026-05-29 08:51 – Updated: 2026-05-29 10:54- CWE-532 - Sensitive information inserted into log archives
| Vendor | Product | Version | |
|---|---|---|---|
| Acer | Wave 7 router |
Affected:
T7c_GBL_1.01.000055 , ≤ *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49200",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:54:09.713245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:54:23.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Wave 7 router",
"vendor": "Acer",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "T7c_GBL_1.01.000055",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Gergo Pap"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access."
}
],
"value": "The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37: Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Sensitive information inserted into log archives",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T08:51:15.717Z",
"orgId": "8fc372e3-d9c5-46e4-9410-38469745c639",
"shortName": "Acer"
},
"references": [
{
"url": "https://community.acer.com/en/kb/articles/19673"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Acer Wave 7 router: Broken Access Control",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "8fc372e3-d9c5-46e4-9410-38469745c639",
"assignerShortName": "Acer",
"cveId": "CVE-2026-49200",
"datePublished": "2026-05-29T08:51:15.717Z",
"dateReserved": "2026-05-28T02:47:39.776Z",
"dateUpdated": "2026-05-29T10:54:23.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4957 (GCVE-0-2026-4957)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:52 – Updated: 2026-03-27 15:31| URL | Tags |
|---|---|
| https://vuldb.com/?id.353834 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.353834 | signaturepermissions-required |
| https://vuldb.com/?submit.777615 | third-party-advisory |
| https://gist.github.com/YLChen-007/6279f3de0c2dff… | exploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4957",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T15:30:58.845106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T15:31:57.067Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:openbmb:xagent:*:*:*:*:*:*:*:*"
],
"modules": [
"API Key Handler"
],
"product": "XAgent",
"vendor": "OpenBMB",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-z (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manipulation of the argument api_key causes sensitive information in log files. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "Sensitive Information in Log Files",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:52:21.328Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-353834 | OpenBMB XAgent API Key function_handler.py FunctionHandler.handle_tool_call log file",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.353834"
},
{
"name": "VDB-353834 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.353834"
},
{
"name": "Submit #777615 | OpenBMB XAgent v1.0.0 CWE-532",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.777615"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/6279f3de0c2dff7732eaaf820843b562"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-27T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-27T09:13:11.000Z",
"value": "VulDB entry last update"
}
],
"title": "OpenBMB XAgent API Key function_handler.py FunctionHandler.handle_tool_call log file"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4957",
"datePublished": "2026-03-27T14:52:21.328Z",
"dateReserved": "2026-03-27T08:07:45.767Z",
"dateUpdated": "2026-03-27T15:31:57.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50205 (GCVE-0-2026-50205)
Vulnerability from cvelistv5 – Published: 2026-06-04 06:43 – Updated: 2026-06-04 12:38- CWE-532 - Insertion of Sensitive Information into Log File
| Vendor | Product | Version | |
|---|---|---|---|
| Acer | Connect M6E 5G Portable WiFi Router |
Affected:
* , ≤ M6E_AI_1.00.000019
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T12:38:33.444474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T12:38:53.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Connect M6E 5G Portable WiFi Router",
"vendor": "Acer",
"versions": [
{
"lessThanOrEqual": "M6E_AI_1.00.000019",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ta-Lun Yen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data."
}
],
"value": "System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data."
}
],
"impacts": [
{
"capecId": "CAPEC-118",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-118: Collect and Analyze Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T06:43:00.057Z",
"orgId": "8fc372e3-d9c5-46e4-9410-38469745c639",
"shortName": "Acer"
},
"references": [
{
"url": "https://community.acer.com/en/kb/articles/19707"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Plaintext Log Credential Leakage",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "8fc372e3-d9c5-46e4-9410-38469745c639",
"assignerShortName": "Acer",
"cveId": "CVE-2026-50205",
"datePublished": "2026-06-04T06:43:00.057Z",
"dateReserved": "2026-06-04T01:29:10.111Z",
"dateUpdated": "2026-06-04T12:38:53.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54236 (GCVE-0-2026-54236)
Vulnerability from cvelistv5 – Published: 2026-06-22 22:09 – Updated: 2026-06-23 12:33- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/vllm-project/vllm/security/adv… | x_refsource_CONFIRM |
| https://github.com/vllm-project/vllm/pull/45119 | x_refsource_MISC |
| https://github.com/vllm-project/vllm/commit/94923… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| vllm-project | vllm |
Affected:
< 0.23.1rc0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54236",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T12:32:56.752434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T12:33:28.108Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vllm",
"vendor": "vllm-project",
"versions": [
{
"status": "affected",
"version": "\u003c 0.23.1rc0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These paths catch the exception inside the route coroutine and construct the JSONResponse themselves, bypassing the sanitizing global FastAPI exception handler, and WebSocket frames do not traverse that handler chain at all. Using the same primitive as the parent issue, an unauthenticated attacker can send malformed image bytes through the Anthropic Messages API image content parts so that PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, leaking the heap memory address verbatim in the error.message field of the response body. This vulnerability is fixed in 0.23.1rc0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T22:09:15.034Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw"
},
{
"name": "https://github.com/vllm-project/vllm/pull/45119",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vllm-project/vllm/pull/45119"
},
{
"name": "https://github.com/vllm-project/vllm/commit/94923629729381d7f7c9efde72071a2441f7fd82",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vllm-project/vllm/commit/94923629729381d7f7c9efde72071a2441f7fd82"
}
],
"source": {
"advisory": "GHSA-hgg8-fqqc-vfmw",
"discovery": "UNKNOWN"
},
"title": "vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54236",
"datePublished": "2026-06-22T22:09:15.034Z",
"dateReserved": "2026-06-12T16:25:43.084Z",
"dateUpdated": "2026-06-23T12:33:28.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54652 (GCVE-0-2026-54652)
Vulnerability from cvelistv5 – Published: 2026-07-08 14:52 – Updated: 2026-07-08 15:20| URL | Tags |
|---|---|
| https://github.com/blakeblackshear/frigate/securi… | x_refsource_CONFIRM |
| https://github.com/blakeblackshear/frigate/commit… | x_refsource_MISC |
| https://github.com/blakeblackshear/frigate/commit… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| blakeblackshear | frigate |
Affected:
<= 0.17.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54652",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T15:20:07.339673Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:20:23.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-c4qf-xxq4-vf55"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "frigate",
"vendor": "blakeblackshear",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and enabling viewer-to-admin privilege escalation. A fixed release has not been identified."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-598",
"description": "CWE-598: Use of GET Request Method With Sensitive Query Strings",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:52:42.752Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-c4qf-xxq4-vf55",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-c4qf-xxq4-vf55"
},
{
"name": "https://github.com/blakeblackshear/frigate/commit/68e8afd35c76f05f68de47ee9588d2c91796de4b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blakeblackshear/frigate/commit/68e8afd35c76f05f68de47ee9588d2c91796de4b"
},
{
"name": "https://github.com/blakeblackshear/frigate/commit/bd1fc1cc72cd4fa371464a087cbf3d7f3142edc6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blakeblackshear/frigate/commit/bd1fc1cc72cd4fa371464a087cbf3d7f3142edc6"
}
],
"source": {
"advisory": "GHSA-c4qf-xxq4-vf55",
"discovery": "UNKNOWN"
},
"title": "Frigate viewer can read logs exposing admin and camera credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54652",
"datePublished": "2026-07-08T14:52:42.752Z",
"dateReserved": "2026-06-15T20:16:46.199Z",
"dateUpdated": "2026-07-08T15:20:23.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54704 (GCVE-0-2026-54704)
Vulnerability from cvelistv5 – Published: 2026-07-01 21:15 – Updated: 2026-07-02 12:23- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-j… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-java-instrumentation |
Affected:
< 2.28.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T12:23:43.311803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:23:50.336Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-java-instrumentation",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.28.0, the JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text database passwords can be added to trace span attributes and exported to observability backends. This issue has been fixed in version 2.28.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T21:15:37.903Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-rwqx-fvqh-6wm4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-rwqx-fvqh-6wm4"
}
],
"source": {
"advisory": "GHSA-rwqx-fvqh-6wm4",
"discovery": "UNKNOWN"
},
"title": "OpenTelemetry Java Instrumentation: JDBC Auto-Instrumentation Logging Clear-Text Passwords"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54704",
"datePublished": "2026-07-01T21:15:37.903Z",
"dateReserved": "2026-06-15T22:58:06.563Z",
"dateUpdated": "2026-07-02T12:23:50.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56457 (GCVE-0-2026-56457)
Vulnerability from cvelistv5 – Published: 2026-06-29 13:18 – Updated: 2026-06-29 13:58- CWE-532 - Insertion of sensitive information into log file
| Vendor | Product | Version | |
|---|---|---|---|
| HCLSoftware | HCL DevOps Deploy / HCL Launch |
Affected:
7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56457",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:58:36.273301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:58:43.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HCL DevOps Deploy / HCL Launch",
"vendor": "HCLSoftware",
"versions": [
{
"status": "affected",
"version": "7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0"
}
]
}
],
"datePublic": "2026-06-29T13:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eHCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.\u003c/p\u003e"
}
],
"value": "HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of sensitive information into log file",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:18:59.104Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131694"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2026-56457",
"datePublished": "2026-06-29T13:18:59.104Z",
"dateReserved": "2026-06-22T13:38:32.649Z",
"dateUpdated": "2026-06-29T13:58:43.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56459 (GCVE-0-2026-56459)
Vulnerability from cvelistv5 – Published: 2026-07-09 08:25 – Updated: 2026-07-09 12:37- CWE-532 - Insertion of sensitive information into log file
| Vendor | Product | Version | |
|---|---|---|---|
| HCLSoftware | HCL DevOps Deploy / HCL Launch |
Affected:
7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T12:37:02.972180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T12:37:09.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HCL DevOps Deploy / HCL Launch",
"vendor": "HCLSoftware",
"versions": [
{
"status": "affected",
"version": "7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0"
}
]
}
],
"datePublic": "2026-07-09T08:25:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eHCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure. \u0026nbsp;The application stores potentially sensitive information in log files that could be read by a local user.\u003c/p\u003e"
}
],
"value": "HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure. \u00a0The application stores potentially sensitive information in log files that could be read by a local user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of sensitive information into log file",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T08:25:50.779Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131696"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2026-56459",
"datePublished": "2026-07-09T08:25:50.779Z",
"dateReserved": "2026-06-22T13:38:32.650Z",
"dateUpdated": "2026-07-09T12:37:09.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59947 (GCVE-0-2026-59947)
Vulnerability from cvelistv5 – Published: 2026-07-08 19:33 – Updated: 2026-07-09 14:01- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/composer/composer/security/adv… | x_refsource_CONFIRM |
| https://github.com/composer/composer/commit/6bd66… | x_refsource_MISC |
| https://github.com/composer/composer/commit/8887a… | x_refsource_MISC |
| https://github.com/composer/composer/releases/tag… | x_refsource_MISC |
| https://github.com/composer/composer/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T14:01:31.826906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:01:42.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "composer",
"vendor": "composer",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0, \u003c 2.2.29"
},
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 2.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in https://TOKEN@host/, to debug output because AuthHelper, Url::sanitize, and ProcessExecutor did not sanitize username-only URL credentials. This issue is fixed in versions 2.2.29 and 2.10.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:33:56.009Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/composer/composer/security/advisories/GHSA-g6xq-892h-64w3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/composer/composer/security/advisories/GHSA-g6xq-892h-64w3"
},
{
"name": "https://github.com/composer/composer/commit/6bd66874ae523ecb69aca5964487a0cdfda03ef8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/composer/composer/commit/6bd66874ae523ecb69aca5964487a0cdfda03ef8"
},
{
"name": "https://github.com/composer/composer/commit/8887ad76fbd830cb1861a2b1fd8ead78ed1fa1ec",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/composer/composer/commit/8887ad76fbd830cb1861a2b1fd8ead78ed1fa1ec"
},
{
"name": "https://github.com/composer/composer/releases/tag/2.10.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/composer/composer/releases/tag/2.10.2"
},
{
"name": "https://github.com/composer/composer/releases/tag/2.2.29",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/composer/composer/releases/tag/2.2.29"
}
],
"source": {
"advisory": "GHSA-g6xq-892h-64w3",
"discovery": "UNKNOWN"
},
"title": "Composer: URL-embedded HTTP-Basic username leaks to verbose logs (GitHub PAT exposure)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59947",
"datePublished": "2026-07-08T19:33:56.009Z",
"dateReserved": "2026-07-07T18:49:15.607Z",
"dateUpdated": "2026-07-09T14:01:42.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6720 (GCVE-0-2026-6720)
Vulnerability from cvelistv5 – Published: 2026-05-28 15:47 – Updated: 2026-05-28 17:04| Vendor | Product | Version | |
|---|---|---|---|
| Tigera | Calico |
Affected:
0 , < 3.32.0
(semver)
|
|
| Tigera | Calico Enterprise |
Affected:
0 , < 3.21.7
(semver)
Unaffected: 3.22.3 (semver) |
|
| Tigera | Calico Cloud |
Affected:
0 , < 22.4.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6720",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T17:04:05.727153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:04:11.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Calico",
"vendor": "Tigera",
"versions": [
{
"lessThan": "3.32.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Calico Enterprise",
"vendor": "Tigera",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.22.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Calico Cloud",
"vendor": "Tigera",
"versions": [
{
"lessThan": "22.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.32.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tigera:calico_enterprise:3.22.3:*:*:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.4.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Behnam Shobiri"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Behnam Shobiri"
},
{
"lang": "en",
"type": "remediation verifier",
"value": "Anthony Tam"
}
],
"datePublic": "2026-05-28T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eWhen \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e is invoked with \u003c/span\u003e\u003cspan\u003e--log-level=info\u003c/span\u003e\u003cspan\u003e or \u003c/span\u003e\u003cspan\u003e--log-level=debug\u003c/span\u003e\u003cspan\u003e, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e \u2014 can extract these credentials with zero Kubernetes privilege. \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e\u0027s default log level is \u003c/span\u003e\u003cspan\u003epanic\u003c/span\u003e\u003cspan\u003e, so this issue only triggers when verbose logging is explicitly enabled.\u003c/span\u003e"
}
],
"value": "When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl \u2014 can extract these credentials with zero Kubernetes privilege. calicoctl\u0027s default log level is panic, so this issue only triggers when verbose logging is explicitly enabled."
}
],
"impacts": [
{
"capecId": "CAPEC-150",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-150 Collect Data from Common Resource Locations"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:47:42.519Z",
"orgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"shortName": "Tigera"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12535"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12536"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectcalico/calico/pull/12537"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tigera.io/security-bulletins/tta-2026-003/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Calicoctl leaks cluster credentials to stderr when verbose logging is enabled",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
"assignerShortName": "Tigera",
"cveId": "CVE-2026-6720",
"datePublished": "2026-05-28T15:47:42.519Z",
"dateReserved": "2026-04-20T19:31:31.065Z",
"dateUpdated": "2026-05-28T17:04:11.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Phase: Distribution
Description:
- Remove debug log files before deploying the application into production.
Mitigation
Phase: Operation
Description:
- Protect log files against unauthorized read/write.
Mitigation
Phase: Implementation
Description:
- Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.