CWE-538

8/20/2025CWE-538, CWE-538

In JetBrains TeamCity before 2025.07.1 aWS credentials were exposed in Docker script files

CVE-2019-12623

8/21/2019CWE-538, CWE-538

A vulnerability in the web server functionality of Cisco Enterprise Network Functions Virtualization Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to perform file enume

A vulnerability in the web server functionality of Cisco Enterprise Network Functions Virtualization Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to perform file enume...

CVE-2022-44623

In JetBrains TeamCity version before 2022.10, Project Viewer could see scrambled secure values in the MetaRunner settings

11/3/2022CWE-538

CVE-2025-61138

Qlik Sense Enterprise v14.212.13 was discovered to contain an information leak via the /dev-hub/ directory.

11/20/2025CWE-538

CVE-2025-25586

4.2MEDIUM

yimioa before v2024.07.04 was discovered to contain an information disclosure vulnerability via the component /resources/application.yml.

3/18/2025CWE-538

CVE-2018-20932

2.7LOW

cPanel before 70.0.23 exposes Apache HTTP Server logs after creation of certain domains (SEC-406).

8/1/2019CWE-538

CVE-2025-31421

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Oblak Studio Srbtranslatin allows Retrieve Embedded Sensitive Data.This issue affects Srbtranslatin: fr

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Oblak Studio Srbtranslatin allows Retrieve Embedded Sensitive Data.This issue affects Srbtranslatin: fr...

4/4/2025CWE-538

CVE-2025-31558

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Greg TailPress allows Retrieve Embedded Sensitive Data. This issue affects TailPress: from n/a through

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Greg TailPress allows Retrieve Embedded Sensitive Data. This issue affects TailPress: from n/a through ...

4/3/2025CWE-538

CVE-2023-5937

3.8LOW

On Windows systems, the Arc configuration files resulted to be world-readable. This can lead to information disclosure by local attackers, via exfiltration of sensitive data from configuration file

On Windows systems, the Arc configuration files resulted to be world-readable. This can lead to information disclosure by local attackers, via exfiltration of sensitive data from configuration file...

5/15/2024CWE-538

CVE-2018-16970

Wisetail Learning Ecosystem (LE) through v4.11.6 allows insecure direct object reference (IDOR) attacks to download non-purchased course files via a modified id parameter.

9/12/2018CWE-538

CVE-2025-31550

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in thom4 WP-LESS allows Retrieve Embedded Sensitive Data. This issue affects WP-LESS: from 1.9.3 through 3

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in thom4 WP-LESS allows Retrieve Embedded Sensitive Data. This issue affects WP-LESS: from 1.9.3 through 3...

4/1/2025CWE-538

CVE-2025-22773

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in WPChill Htaccess File Editor allows Exploiting Incorrectly Configured Access Control Security Levels.Th

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in WPChill Htaccess File Editor allows Exploiting Incorrectly Configured Access Control Security Levels.Th...

1/15/2025CWE-538

CVE-2025-22306

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Link Whisper Link Whisper Free.This issue affects Link Whisper Free: from n/a through 0.7.7.

1/7/2025CWE-538

CVE-2017-16770

2/27/2018CWE-538, CWE-200

File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain

File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain ...

CVE-2025-22633

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Matt Cromwell Give – Divi Donation Modules allows Retrieve Embedded Sensitive Data. This issue affects

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Matt Cromwell Give – Divi Donation Modules allows Retrieve Embedded Sensitive Data. This issue affects ...

2/23/2025CWE-538

CVE-2016-10399

Sendio versions before 8.2.1 were affected by a Local File Inclusion vulnerability that allowed an unauthenticated, remote attacker to read potentially sensitive system files via a specially crafted U

Sendio versions before 8.2.1 were affected by a Local File Inclusion vulnerability that allowed an unauthenticated, remote attacker to read potentially sensitive system files via a specially crafted U...

7/27/2017CWE-538

CVE-2025-24689

5.9MEDIUM

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in codection Import and export users and customers allows Retrieve Embedded Sensitive Data. This issue aff

Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in codection Import and export users and customers allows Retrieve Embedded Sensitive Data. This issue aff...

1/27/2025CWE-538

CVE-2025-46602

4.4MEDIUM

Dell SupportAssist OS Recovery, versions prior to 5.5.15.0, contain an Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability. A low privileged attacker with loc

Dell SupportAssist OS Recovery, versions prior to 5.5.15.0, contain an Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability. A low privileged attacker with loc...

10/27/2025CWE-538

CVE-2019-6851

10/29/2019CWE-538, CWE-200

A CWE-538: File and Directory Information Exposure vulnerability exists in Modicon M580, Modicon M340, Modicon Premium , Modicon Quantum (all firmware versions), which could cause the disclosure of in

A CWE-538: File and Directory Information Exposure vulnerability exists in Modicon M580, Modicon M340, Modicon Premium , Modicon Quantum (all firmware versions), which could cause the disclosure of in...

CVE-2021-4471

NONE

TG8 Firewall exposes a directory such as /data/ over HTTP without authentication. This directory stores credential files for previously logged-in users. A remote unauthenticated attacker can enumerate

TG8 Firewall exposes a directory such as /data/ over HTTP without authentication. This directory stores credential files for previously logged-in users. A remote unauthenticated attacker can enumerate...

11/14/2025CWE-538

CVE-2025-11891

11/21/2024CWE-538, CWE-532

The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.0 through publicly exposed log files. This makes it possible for unauth

The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.0 through publicly exposed log files. This makes it possible for unauth...

11/11/2025CWE-538

CVE-2022-43933

4.4MEDIUM

An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where configuration secrets are logged in supportsave. Supportsave file is generated by an

An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where configuration secrets are logged in supportsave. Supportsave file is generated by an ...

CVE-2022-26329

1.8LOW

File existence disclosure vulnerability in NetIQ Identity Manager plugin prior to version 4.8.5 allows attacker to determine whether a file exists on the filesystem. This issue affects: Micro Focus Ne

File existence disclosure vulnerability in NetIQ Identity Manager plugin prior to version 4.8.5 allows attacker to determine whether a file exists on the filesystem. This issue affects: Micro Focus Ne...

1/26/2023CWE-538, CWE-668

CVE-2019-10320

Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and

Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and...

5/21/2019CWE-538

CVE-2018-11798

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the...

1/7/2019CWE-538

CVE-2025-11079

9/27/2025CWE-200, CWE-538 +1

A security flaw has been discovered in Campcodes Farm Management System 1.0. Affected by this issue is some unknown functionality. The manipulation results in file and directory information exposure.

A security flaw has been discovered in Campcodes Farm Management System 1.0. Affected by this issue is some unknown functionality. The manipulation results in file and directory information exposure. ...

CVE-2024-6880

NONE

During MegaBIP installation process, a user is encouraged to change a default path to administrative portal, as keeping it secret is listed by the author as one of the protection mechanisms. Publicly

During MegaBIP installation process, a user is encouraged to change a default path to administrative portal, as keeping it secret is listed by the author as one of the protection mechanisms. Publicly...

1/10/2025CWE-538

CVE-2024-47580

6.8MEDIUM

An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently download

An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently download...

12/10/2024CWE-538

CVE-2024-31954

7.3HIGH

An issue was discovered in the installer in Samsung Portable SSD for T5 1.6.10 on Windows. Because it is possible to tamper with the directory and DLL files used during the installation process, an at

An issue was discovered in the installer in Samsung Portable SSD for T5 1.6.10 on Windows. Because it is possible to tamper with the directory and DLL files used during the installation process, an at...

5/14/2024CWE-538

CVE-2023-4595

An information exposure vulnerability has been found, the exploitation of which could allow a remote user to retrieve sensitive information stored on the server such as credential files, configuration

An information exposure vulnerability has been found, the exploitation of which could allow a remote user to retrieve sensitive information stored on the server such as credential files, configuration...

11/23/2023CWE-538

CVE-2017-5387

3.3LOW

The existence of a specifically requested local file can be found due to the double firing of the "onerror" when the "source" attribute on a "<track>" tag refers to a file that does not exist if the s

The existence of a specifically requested local file can be found due to the double firing of the "onerror" when the "source" attribute on a "<track>" tag refers to a file that does not exist if the s...

6/11/2018CWE-538

CVE-2024-47579

6.8MEDIUM

An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file

An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file ...

12/10/2024CWE-538

CVE-2024-22045

7.6HIGH

A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.1 SP1). The product places sensitive information into files or directories that are accessible to actors who are

A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.1 SP1). The product places sensitive information into files or directories that are accessible to actors who are ...

3/12/2024CWE-538

CVE-2024-21501

2/24/2024CWE-200, CWE-538

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (i

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (i...

CVE-2023-38558

5.5MEDIUM

A vulnerability has been identified in SIMATIC PCS neo (Administration Console) V4.0 (All versions), SIMATIC PCS neo (Administration Console) V4.0 Update 1 (All versions). The affected application lea

A vulnerability has been identified in SIMATIC PCS neo (Administration Console) V4.0 (All versions), SIMATIC PCS neo (Administration Console) V4.0 Update 1 (All versions). The affected application lea...

9/14/2023CWE-538, CWE-668

CVE-2019-7618

4/23/2018CWE-538, CWE-311

A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local file

A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local file...

10/1/2019CWE-538, CWE-22

CVE-2018-4847

4.6MEDIUM

A vulnerability has been identified in SIMATIC WinCC OA Operator iOS App (All versions < V1.4). Insufficient protection of sensitive information (e.g. session key for accessing server) in Siemens WinC

A vulnerability has been identified in SIMATIC WinCC OA Operator iOS App (All versions < V1.4). Insufficient protection of sensitive information (e.g. session key for accessing server) in Siemens WinC...

CVE-2025-27017

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized us

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized us...

3/12/2025CWE-538

CVE-2023-4480

5.5MEDIUM

Due to an out-of-date dependency in the “Fusion File Manager” component accessible through the admin panel, an attacker can send a crafted request that allows them to read the contents of files on th

Due to an out-of-date dependency in the “Fusion File Manager” component accessible through the admin panel, an attacker can send a crafted request that allows them to read the contents of files on th...

9/5/2023CWE-538, CWE-22

CVE-2021-32822

4.0MEDIUM

The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulner

The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulner...

8/16/2021CWE-538, CWE-94

CVE-2016-15056

NONE

Ubee EVW3226 cable modem/routers firmware versions up to and including 1.0.20 store configuration backup files in the web root after they are generated for download. These backup files remain accessib

Ubee EVW3226 cable modem/routers firmware versions up to and including 1.0.20 store configuration backup files in the web root after they are generated for download. These backup files remain accessib...

11/14/2025CWE-538

CVE-2025-27150

Tuleap is an Open Source Suite to improve management of software developments and collaboration. The password to connect the Redis instance is not purged from the archive generated with tuleap collect

Tuleap is an Open Source Suite to improve management of software developments and collaboration. The password to connect the Redis instance is not purged from the archive generated with tuleap collect...

3/4/2025CWE-538

CVE-2025-0194

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions,

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions,...

1/8/2025CWE-538

CVE-2024-22433

8.8HIGH

Dell Data Protection Search 19.2.0 and above contain an exposed password opportunity in plain text when using LdapSettings.get_ldap_info in DP Search. A remote unauthorized unauthenticated attacker c

Dell Data Protection Search 19.2.0 and above contain an exposed password opportunity in plain text when using LdapSettings.get_ldap_info in DP Search. A remote unauthorized unauthenticated attacker c...

2/6/2024CWE-538

CVE-2024-0191

A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been classified as problematic. Affected is an unknown function of the file /admin/uploads/. The manipulation leads to f

A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been classified as problematic. Affected is an unknown function of the file /admin/uploads/. The manipulation leads to f...

1/2/2024CWE-538

CVE-2025-58458

In Jenkins Git client Plugin 6.3.2 and earlier, except 6.1.4 and 6.2.1, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying

In Jenkins Git client Plugin 6.3.2 and earlier, except 6.1.4 and 6.2.1, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying...

9/3/2025CWE-200, CWE-538

CVE-2018-10590

5/15/2018CWE-548, CWE-538

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAcce

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAcce...

CVE-2024-51977

An unauthenticated attacker who can access either the HTTP service (TCP port 80), the HTTPS service (TCP port 443), or the IPP service (TCP port 631), can leak several pieces of sensitive information

An unauthenticated attacker who can access either the HTTP service (TCP port 80), the HTTPS service (TCP port 443), or the IPP service (TCP port 631), can leak several pieces of sensitive information ...

6/25/2025CWE-538

CVE-2023-46723

8.9HIGH

lte-pic32-writer is a writer for PIC32 devices. In versions 0.0.1 and prior, those who use `sendto.txt` are vulnerable to attackers who known the IMEI reading the sendto.txt. The sendto.txt file can c

lte-pic32-writer is a writer for PIC32 devices. In versions 0.0.1 and prior, those who use `sendto.txt` are vulnerable to attackers who known the IMEI reading the sendto.txt. The sendto.txt file can c...

10/31/2023CWE-538

CVE-2017-9947