CWE-538
AllowedInsertion of Sensitive Information into Externally-Accessible File or Directory
Abstraction: Base · Status: Draft
The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
155 vulnerabilities reference this CWE, most recent first.
GHSA-5J6P-JRRM-6X94
Vulnerability from github – Published: 2026-06-01 09:31 – Updated: 2026-07-08 19:45A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kubernetes read-only access to the cluster (e.g. pods/get in the Airflow namespace) could harvest the JWT from kubectl describe pod output and then call state-mutating Execution API endpoints — triggering Dag runs, clearing runs, reading or writing Variables / Connections / XComs — as if they were a running task. Affects deployments using the KubernetesExecutor. Users are advised to upgrade to apache-airflow 3.2.2 or later. This is the airflow-core half of the same vulnerability addressed by CVE-2026-27173, which shipped the apache-airflow-providers-cncf-kubernetes side of the fix. Deployments that already upgraded apache-airflow-providers-cncf-kubernetes to 10.17.0 or later per the CVE-2026-27173 advisory should additionally upgrade apache-airflow to 3.2.2 or later to close the core-side surface — the two fixes are complementary, not duplicates.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49298"
],
"database_specific": {
"cwe_ids": [
"CWE-538"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-08T19:45:01Z",
"nvd_published_at": "2026-06-01T09:16:20Z",
"severity": "HIGH"
},
"details": "A bug in Apache Airflow\u0027s KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kubernetes read-only access to the cluster (e.g. `pods/get` in the Airflow namespace) could harvest the JWT from `kubectl describe pod` output and then call state-mutating Execution API endpoints \u2014 triggering Dag runs, clearing runs, reading or writing Variables / Connections / XComs \u2014 as if they were a running task. Affects deployments using the `KubernetesExecutor`. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. This is the airflow-core half of the same vulnerability addressed by [CVE-2026-27173](https://www.cve.org/CVERecord?id=CVE-2026-27173), which shipped the apache-airflow-providers-cncf-kubernetes side of the fix. Deployments that already upgraded `apache-airflow-providers-cncf-kubernetes` to 10.17.0 or later per the CVE-2026-27173 advisory should additionally upgrade `apache-airflow` to 3.2.2 or later to close the core-side surface \u2014 the two fixes are complementary, not duplicates.",
"id": "GHSA-5j6p-jrrm-6x94",
"modified": "2026-07-08T19:45:01Z",
"published": "2026-06-01T09:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49298"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/60108"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/wo09vrks8189dzsot39rvrx3vnx102tt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow: Execution API JWT leaked via KubernetesExecutor worker command-line args"
}
GHSA-5QRX-VVMC-FQ55
Vulnerability from github – Published: 2026-02-10 21:31 – Updated: 2026-02-10 21:31The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. In the proof of concept (POC), injected scripts return local file content, which would allow arbitrary local file reads from the app's runtime context. These local files contain device and user data within the ePCR medical application, and if exposed, would allow an attacker to access protected health information (PHI) or device telemetry.
{
"affected": [],
"aliases": [
"CVE-2025-12699"
],
"database_specific": {
"cwe_ids": [
"CWE-538"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T21:15:59Z",
"severity": "MODERATE"
},
"details": "The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. In the proof of concept (POC), injected scripts return local file content, which would allow arbitrary local file reads from the app\u0027s runtime context. These local files contain device and user data within the ePCR medical application, and if exposed, would allow an attacker to access protected health information (PHI) or device telemetry.",
"id": "GHSA-5qrx-vvmc-fq55",
"modified": "2026-02-10T21:31:31Z",
"published": "2026-02-10T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12699"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-041-01.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-041-01"
},
{
"type": "WEB",
"url": "https://www.zolldata.com/contact-us."
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5W3W-4XG4-WWHF
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 15:30ZKTeco ZKTime.Net 3.0.1.6 contains an insecure file permissions vulnerability that allows unprivileged users to escalate privileges by modifying executable files. Attackers can exploit world-writable permissions on the ZKTimeNet3.0 directory and its contents to replace executable files with malicious binaries for privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2016-20024"
],
"database_specific": {
"cwe_ids": [
"CWE-538"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T14:17:48Z",
"severity": "CRITICAL"
},
"details": "ZKTeco ZKTime.Net 3.0.1.6 contains an insecure file permissions vulnerability that allows unprivileged users to escalate privileges by modifying executable files. Attackers can exploit world-writable permissions on the ZKTimeNet3.0 directory and its contents to replace executable files with malicious binaries for privilege escalation.",
"id": "GHSA-5w3w-4xg4-wwhf",
"modified": "2026-03-16T15:30:40Z",
"published": "2026-03-16T15:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-20024"
},
{
"type": "WEB",
"url": "https://cxsecurity.com/issue/WLB-2016080264"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/116487"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/138565"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/40322"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/zkteco-zktime-net-insecure-file-permissions-privilege-escalation"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5360.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5WGW-4VG2-8HXP
Vulnerability from github – Published: 2025-04-04 15:31 – Updated: 2026-04-01 18:34Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Oblak Studio Srbtranslatin allows Retrieve Embedded Sensitive Data.This issue affects Srbtranslatin: from n/a through 3.2.0.
{
"affected": [],
"aliases": [
"CVE-2025-31421"
],
"database_specific": {
"cwe_ids": [
"CWE-538"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-04T13:15:46Z",
"severity": "MODERATE"
},
"details": "Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Oblak Studio Srbtranslatin allows Retrieve Embedded Sensitive Data.This issue affects Srbtranslatin: from n/a through 3.2.0.",
"id": "GHSA-5wgw-4vg2-8hxp",
"modified": "2026-04-01T18:34:28Z",
"published": "2025-04-04T15:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31421"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/srbtranslatin/vulnerability/wordpress-srbtranslatin-plugin-3-2-0-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5WVM-HC4P-R45F
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-05-14 18:30An issue was discovered in the installer in Samsung Portable SSD for T5 1.6.10 on Windows. Because it is possible to tamper with the directory and DLL files used during the installation process, an attacker can escalate privileges through arbitrary code execution. (An attacker must already have user privileges)
{
"affected": [],
"aliases": [
"CVE-2024-31954"
],
"database_specific": {
"cwe_ids": [
"CWE-538"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:30:12Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the installer in Samsung Portable SSD for T5 1.6.10 on Windows. Because it is possible to tamper with the directory and DLL files used during the installation process, an attacker can escalate privileges through arbitrary code execution. (An attacker must already have user privileges)",
"id": "GHSA-5wvm-hc4p-r45f",
"modified": "2024-05-14T18:30:45Z",
"published": "2024-05-14T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31954"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2024-31954"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5X39-CC3P-MJ36
Vulnerability from github – Published: 2024-10-09 15:32 – Updated: 2024-10-09 15:32A vulnerability was found in 3Scale. There is no auth mechanism to see a PDF invoice of a Developer user if the URL is known. Anyone can see the invoice if the URL is known or guessed.
{
"affected": [],
"aliases": [
"CVE-2024-9671"
],
"database_specific": {
"cwe_ids": [
"CWE-538",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-09T15:15:17Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in 3Scale. There is no auth mechanism to see a PDF invoice of a Developer user if the URL is known. Anyone can see the invoice if the URL is known or guessed.",
"id": "GHSA-5x39-cc3p-mj36",
"modified": "2024-10-09T15:32:21Z",
"published": "2024-10-09T15:32:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9671"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-9671"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317449"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6774-M48G-HR35
Vulnerability from github – Published: 2026-01-20 18:31 – Updated: 2026-01-20 18:31IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map.
{
"affected": [],
"aliases": [
"CVE-2025-36058"
],
"database_specific": {
"cwe_ids": [
"CWE-538"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-20T16:16:02Z",
"severity": "MODERATE"
},
"details": "IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map.",
"id": "GHSA-6774-m48g-hr35",
"modified": "2026-01-20T18:31:57Z",
"published": "2026-01-20T18:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36058"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7256777"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6X5M-7Q5P-875P
Vulnerability from github – Published: 2024-03-12 12:30 – Updated: 2024-03-12 12:30A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.1 SP1). The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. This information is also available via the web interface of the product.
{
"affected": [],
"aliases": [
"CVE-2024-22045"
],
"database_specific": {
"cwe_ids": [
"CWE-538"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-12T11:15:49Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SINEMA Remote Connect Client (All versions \u003c V3.1 SP1). The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. This information is also available via the web interface of the product.",
"id": "GHSA-6x5m-7q5p-875p",
"modified": "2024-03-12T12:30:48Z",
"published": "2024-03-12T12:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22045"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-653855.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-76RJ-9H8W-CWX9
Vulnerability from github – Published: 2025-02-04 18:30 – Updated: 2025-02-04 18:30An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where configuration secrets are logged in supportsave. Supportsave file is generated by an admin user troubleshooting the switch. The Logged information may include usernames and passwords, and secret keys.
{
"affected": [],
"aliases": [
"CVE-2022-43933"
],
"database_specific": {
"cwe_ids": [
"CWE-532",
"CWE-538"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-21T11:15:11Z",
"severity": "MODERATE"
},
"details": "An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where configuration secrets are logged in supportsave. Supportsave file is generated by an admin user troubleshooting the switch. The Logged information may include usernames and passwords, and secret keys.",
"id": "GHSA-76rj-9h8w-cwx9",
"modified": "2025-02-04T18:30:46Z",
"published": "2025-02-04T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43933"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/21221"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7F5C-RPF4-86P8
Vulnerability from github – Published: 2021-09-02 17:16 – Updated: 2021-08-26 17:12The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. For an example PoC see the referenced GHSL-2021-020.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hbs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32822"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-538",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-26T17:12:06Z",
"nvd_published_at": "2021-08-16T19:15:00Z",
"severity": "MODERATE"
},
"details": "The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. For an example PoC see the referenced GHSL-2021-020.",
"id": "GHSA-7f5c-rpf4-86p8",
"modified": "2021-08-26T17:12:06Z",
"published": "2021-09-02T17:16:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32822"
},
{
"type": "PACKAGE",
"url": "https://github.com/pillarjs/hbs"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insertion of Sensitive Information into Externally-Accessible File or Directory and Exposure of Sensitive Information to an Unauthorized Actor in hbs"
}
Mitigation
Do not expose file and directory information to the user.
CAPEC-95: WSDL Scanning
This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out to perform more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the services ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the Web service and can cause a denial of service condition or illegal access to database records. In addition, the attacker may try to guess other private methods by using the information provided in the WSDL files.