CWE-532
AllowedInsertion of Sensitive Information into Log File
Abstraction: Base · Status: Incomplete
The product writes sensitive information to a log file.
1739 vulnerabilities reference this CWE, most recent first.
CVE-2026-31987 (GCVE-0-2026-31987)
Vulnerability from cvelistv5 – Published: 2026-04-16 13:31 – Updated: 2026-04-18 02:28- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/62964 | patch |
| https://github.com/apache/airflow/issues/62428 | issue-tracking |
| https://github.com/apache/airflow/issues/62773 | issue-tracking |
| https://lists.apache.org/thread/pvsrtxzwo9xy6xgkn… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2026/04/16/7 |
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow |
Affected:
3.0.0 , < 3.2.0
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-16T18:24:29.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/16/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-31987",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-18T02:27:54.967201Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T02:28:44.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "apache-airflow",
"product": "Apache Airflow",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.2.0",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "unixengineer"
},
{
"lang": "en",
"type": "finder",
"value": "Jason Imison"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pineapple"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. \u003cbr\u003eUsers are advised to upgrade to Airflow version that contains fix.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 3.2.0, which fixes this issue. \u003cbr\u003e\u003cbr\u003e"
}
],
"value": "JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. \nUsers are advised to upgrade to Airflow version that contains fix.\n\nUsers are recommended to upgrade to version 3.2.0, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "Moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T13:31:52.336Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/62964"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/apache/airflow/issues/62428"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/apache/airflow/issues/62773"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow: JWT token appearing in logs",
"x_generator": {
"engine": "airflow-s/generate_cve_json.py"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-31987",
"datePublished": "2026-04-16T13:31:52.336Z",
"dateReserved": "2026-03-10T18:31:09.400Z",
"dateUpdated": "2026-04-18T02:28:44.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29184 (GCVE-0-2026-29184)
Vulnerability from cvelistv5 – Published: 2026-03-07 15:03 – Updated: 2026-03-09 20:24- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/backstage/backstage/security/a… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:14:42.814469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:24:16.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "backstage",
"vendor": "backstage",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-07T15:03:18.226Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53"
}
],
"source": {
"advisory": "GHSA-8qp7-fhr9-fw53",
"discovery": "UNKNOWN"
},
"title": "@backstage/plugin-scaffolder-backend: Potential Session Token Exfiltration via Log Redaction Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29184",
"datePublished": "2026-03-07T15:03:18.226Z",
"dateReserved": "2026-03-04T14:44:00.714Z",
"dateUpdated": "2026-03-09T20:24:16.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28261 (GCVE-0-2026-28261)
Vulnerability from cvelistv5 – Published: 2026-04-08 12:43 – Updated: 2026-04-09 03:55- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00044932… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | Elastic Cloud Storage |
Affected:
0 , < 4.2.0.1 or later
(semver)
|
|
| Dell | ObjectScale |
Affected:
0 , < 4.1.0.3
(semver)
Affected: 0 , < 4.2.0.1 or later (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T03:55:55.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Elastic Cloud Storage",
"vendor": "Dell",
"versions": [
{
"lessThan": "4.2.0.1 or later",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ObjectScale",
"vendor": "Dell",
"versions": [
{
"lessThan": "4.1.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.0.1 or later",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-04-05T18:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale,\u0026nbsp;versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account."
}
],
"value": "Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale,\u00a0versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T12:43:54.291Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2026-28261",
"datePublished": "2026-04-08T12:43:54.291Z",
"dateReserved": "2026-02-25T18:04:25.462Z",
"dateUpdated": "2026-04-09T03:55:55.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27900 (GCVE-0-2026-27900)
Vulnerability from cvelistv5 – Published: 2026-02-26 00:53 – Updated: 2026-02-26 14:35- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/linode/terraform-provider-lino… | x_refsource_CONFIRM |
| https://github.com/linode/terraform-provider-lino… | x_refsource_MISC |
| https://github.com/linode/terraform-provider-lino… | x_refsource_MISC |
| https://github.com/linode/terraform-provider-lino… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2026/02/26/2 |
| Vendor | Product | Version | |
|---|---|---|---|
| linode | terraform-provider-linode |
Affected:
< 3.9.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-02-26T06:21:03.119Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/02/26/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27900",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T14:35:17.379849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T14:35:31.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "terraform-provider-linode",
"vendor": "linode",
"versions": [
{
"status": "affected",
"version": "\u003c 3.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provider debug logging is not enabled by default. This issue is exposed when debug/provider logs are explicitly enabled (for example in local troubleshooting, CI/CD jobs, or centralized log collection). If enabled, sensitive values may be written to logs and then retained, shared, or exported beyond the original execution environment. An authenticated user with access to provider debug logs (through log aggregation systems, CI/CD pipelines, or debug output) would thus be able to extract these sensitive credentials. Versions 3.9.0 and later sanitize debug logs by logging only non-sensitive metadata such as labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content. Some other mitigations and workarounds are available. Disable Terraform/provider debug logging or set it to `WARN` level or above, restrict access to existing and historical logs, purge/retention-trim logs that may contain sensitive values, and/or rotate potentially exposed secrets/credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T00:53:19.168Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/linode/terraform-provider-linode/security/advisories/GHSA-5rc7-2jj6-mp64",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/linode/terraform-provider-linode/security/advisories/GHSA-5rc7-2jj6-mp64"
},
{
"name": "https://github.com/linode/terraform-provider-linode/pull/2269",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/linode/terraform-provider-linode/pull/2269"
},
{
"name": "https://github.com/linode/terraform-provider-linode/commit/43a925d826b999f0355de3dc7330c55f496824c0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/linode/terraform-provider-linode/commit/43a925d826b999f0355de3dc7330c55f496824c0"
},
{
"name": "https://github.com/linode/terraform-provider-linode/releases/tag/v3.9.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/linode/terraform-provider-linode/releases/tag/v3.9.0"
}
],
"source": {
"advisory": "GHSA-5rc7-2jj6-mp64",
"discovery": "UNKNOWN"
},
"title": "Terraform Provider Debug Logs Vulnerable to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27900",
"datePublished": "2026-02-26T00:53:19.168Z",
"dateReserved": "2026-02-24T15:19:29.718Z",
"dateUpdated": "2026-02-26T14:35:31.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27315 (GCVE-0-2026-27315)
Vulnerability from cvelistv5 – Published: 2026-04-07 16:40 – Updated: 2026-04-09 14:38- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://issues.apache.org/jira/browse/CASSANDRA-21180 | issue-tracking |
| https://lists.apache.org/thread/ft77zrk2mzt8qsch4… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2026/04/07/8 |
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Cassandra |
Affected:
4.0 , ≤ 4.0.19
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-07T17:25:59.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/07/8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27315",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T14:37:35.522951Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:38:23.271Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://downloads.apache.org/cassandra/",
"defaultStatus": "unaffected",
"packageName": "apache-cassandra",
"product": "Apache Cassandra",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.0.19",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;~/.cassandra/cqlsh_history\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003elocal file access.\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e\u003cbr\u003eUsers are recommended to upgrade to version 4.0.20, which fixes this issue.\u003cbr\u003e\u003cbr\u003e--\u003cbr\u003eDescription: Cassandra\u0027s command-line tool, cqlsh, provides a command history feature that allows users to recall previously executed commands using the up/down arrow keys. These history records are saved in the ~/.cassandra/cqlsh_history file in the user\u0027s home directory.\u003cbr\u003e\u003cbr\u003eHowever, cqlsh does not redact sensitive information when saving command history. This means that if a user executes operations involving passwords (such as logging in or creating users) within cqlsh, these passwords are permanently stored in cleartext in the history file on the disk.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via \u00a0~/.cassandra/cqlsh_history\u00a0local file access.\n\nUsers are recommended to upgrade to version 4.0.20, which fixes this issue.\n\n--\nDescription: Cassandra\u0027s command-line tool, cqlsh, provides a command history feature that allows users to recall previously executed commands using the up/down arrow keys. These history records are saved in the ~/.cassandra/cqlsh_history file in the user\u0027s home directory.\n\nHowever, cqlsh does not redact sensitive information when saving command history. This means that if a user executes operations involving passwords (such as logging in or creating users) within cqlsh, these passwords are permanently stored in cleartext in the history file on the disk."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T16:40:51.836Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/CASSANDRA-21180"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/ft77zrk2mzt8qsch4g6jqjj4901d22k3"
}
],
"source": {
"defect": [
"CASSANDRA-21180"
],
"discovery": "EXTERNAL"
},
"title": "Apache Cassandra: cqlsh history sensitive information leak",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-27315",
"datePublished": "2026-04-07T16:40:51.836Z",
"dateReserved": "2026-02-19T05:21:19.755Z",
"dateUpdated": "2026-04-09T14:38:23.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25918 (GCVE-0-2026-25918)
Vulnerability from cvelistv5 – Published: 2026-02-09 21:29 – Updated: 2026-02-10 15:57- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/RageAgainstThePixel/unity-cli/… | x_refsource_CONFIRM |
| https://github.com/RageAgainstThePixel/unity-cli/… | x_refsource_MISC |
| https://github.com/RageAgainstThePixel/unity-cli/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| RageAgainstThePixel | unity-cli |
Affected:
< 1.8.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T15:30:06.945196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T15:57:40.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "unity-cli",
"vendor": "RageAgainstThePixel",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T21:29:55.970Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RageAgainstThePixel/unity-cli/security/advisories/GHSA-4255-c27h-62m5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RageAgainstThePixel/unity-cli/security/advisories/GHSA-4255-c27h-62m5"
},
{
"name": "https://github.com/RageAgainstThePixel/unity-cli/commit/8d4d67b23d7c5fd8f00df3f0f10bec2961c95342",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RageAgainstThePixel/unity-cli/commit/8d4d67b23d7c5fd8f00df3f0f10bec2961c95342"
},
{
"name": "https://github.com/RageAgainstThePixel/unity-cli/releases/tag/v1.8.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RageAgainstThePixel/unity-cli/releases/tag/v1.8.2"
}
],
"source": {
"advisory": "GHSA-4255-c27h-62m5",
"discovery": "UNKNOWN"
},
"title": "unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25918",
"datePublished": "2026-02-09T21:29:55.970Z",
"dateReserved": "2026-02-09T16:22:17.784Z",
"dateUpdated": "2026-02-10T15:57:40.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25813 (GCVE-0-2026-25813)
Vulnerability from cvelistv5 – Published: 2026-02-09 21:04 – Updated: 2026-02-10 15:58- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/Praskla-Technology/assessment-… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Praskla-Technology | assessment-placipy |
Affected:
= 1.0.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T15:39:37.461144Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T15:58:30.406Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "assessment-placipy",
"vendor": "Praskla-Technology",
"versions": [
{
"status": "affected",
"version": "= 1.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T21:04:46.261Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-3647-q595-wfr2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-3647-q595-wfr2"
}
],
"source": {
"advisory": "GHSA-3647-q595-wfr2",
"discovery": "UNKNOWN"
},
"title": "PlaciPy Exposes Sensitive Data via Application Logs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25813",
"datePublished": "2026-02-09T21:04:46.261Z",
"dateReserved": "2026-02-05T19:58:01.643Z",
"dateUpdated": "2026-02-10T15:58:30.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25211 (GCVE-0-2026-25211)
Vulnerability from cvelistv5 – Published: 2026-01-30 07:16 – Updated: 2026-02-03 16:42- CWE-532 - Insertion of Sensitive Information into Log File
| Vendor | Product | Version | |
|---|---|---|---|
| llamastack | Llama Stack |
Affected:
0 , < 0.4.0rc3
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T15:53:16.707713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T16:42:00.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Llama Stack",
"vendor": "llamastack",
"versions": [
{
"lessThan": "0.4.0rc3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T07:22:14.986Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/llamastack/llama-stack/pull/4439"
},
{
"url": "https://github.com/llamastack/llama-stack/compare/v0.4.0rc2...v0.4.0rc3"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-25211",
"datePublished": "2026-01-30T07:16:14.350Z",
"dateReserved": "2026-01-30T07:16:14.082Z",
"dateUpdated": "2026-02-03T16:42:00.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25193 (GCVE-0-2026-25193)
Vulnerability from cvelistv5 – Published: 2026-05-25 05:28 – Updated: 2026-05-26 14:24- CWE-532 - Insertion of sensitive information into log file
| Vendor | Product | Version | |
|---|---|---|---|
| Gallagher | Command Centre Server |
Affected:
9.40 , < 9.40.2575 (MR2)
(custom)
|
|
| Gallagher | Active Directory Sync |
Affected:
0 , < 9.10.05
(custom)
|
|
| Gallagher | Cardholder Sync Utility |
Affected:
0 , < 9.30.104
(custom)
|
|
| Gallagher | Diagnostics Service |
Affected:
0 , < 2.0.9
(custom)
|
|
| Gallagher | Elevator Service |
Affected:
0 , < 10.0.8
(custom)
|
|
| Gallagher | Encoding Kiosk Application |
Affected:
0 , < 9.60.10
(custom)
|
|
| Gallagher | Entra ID Sync |
Affected:
1.0 , < 1.0.10
(custom)
Affected: 2.0 , < 2.0.5 (custom) |
|
| Gallagher | Event Sync Utility |
Affected:
0 , < 8.70.62
(custom)
|
|
| Gallagher | Event Logger |
Affected:
0 , < 8.90.16
(custom)
|
|
| Gallagher | Middleware Framework |
Affected:
0 , < 8.90.34
(custom)
|
|
| Gallagher | Nexudus Integration |
Affected:
0 , < 9.60.21
(custom)
|
|
| Gallagher | Okta Sync |
Affected:
0 , < 9.40.05
(custom)
|
|
| Gallagher | Papercut Interface Integration |
Affected:
0 , < 9.60.02
(custom)
|
|
| Gallagher | SIP Integration |
Affected:
0 , < 10.1.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25193",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T14:24:00.870402Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T14:24:08.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Command Centre Server",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "9.40.2575 (MR2)",
"status": "affected",
"version": "9.40",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Active Directory Sync",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "9.10.05",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Cardholder Sync Utility",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "9.30.104",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Diagnostics Service",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "2.0.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Elevator Service",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "10.0.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Encoding Kiosk Application",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "9.60.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Entra ID Sync",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "1.0.10",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"lessThan": "2.0.5",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Event Sync Utility",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "8.70.62",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Event Logger",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "8.90.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Middleware Framework",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "8.90.34",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Nexudus Integration",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "9.60.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Okta Sync",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "9.40.05",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Papercut Interface Integration",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "9.60.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "SIP Integration",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "10.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInsertion of Sensitive Information into Log File (CWE-532)\u0026nbsp;in some Command Centre Service installers could lead to Service Account credentials exposure.\u202f\u003cbr\u003e\u003cb\u003eMitigating Factor:\u003c/b\u003e\u0026nbsp;Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted.\u003c/p\u003e\u003cdiv\u003e\u003cb\u003eMitigation:\u0026nbsp;\u003c/b\u003eFor sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\\Gallagher\\Command Centre.\u003c/div\u003e"
}
],
"value": "Insertion of Sensitive Information into Log File (CWE-532)\u00a0in some Command Centre Service installers could lead to Service Account credentials exposure.\u202f\nMitigating Factor:\u00a0Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted.\n\nMitigation:\u00a0For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\\Gallagher\\Command Centre."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of sensitive information into log file",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T05:28:14.766Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-25193"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2026-25193",
"datePublished": "2026-05-25T05:28:14.766Z",
"dateReserved": "2026-03-01T23:45:09.705Z",
"dateUpdated": "2026-05-26T14:24:08.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24762 (GCVE-0-2026-24762)
Vulnerability from cvelistv5 – Published: 2026-02-03 16:06 – Updated: 2026-02-03 17:11- CWE-532 - Insertion of Sensitive Information into Log File
| URL | Tags |
|---|---|
| https://github.com/rustfs/rustfs/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24762",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T17:11:01.054454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T17:11:10.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rustfs",
"vendor": "rustfs",
"versions": [
{
"status": "affected",
"version": "\u003e= alpha.13, \u003c alpha.82"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This issue has been patched in version alpha.82."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T16:06:17.699Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-r54g-49rx-98cr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-r54g-49rx-98cr"
}
],
"source": {
"advisory": "GHSA-r54g-49rx-98cr",
"discovery": "UNKNOWN"
},
"title": "RustFS Logs Sensitive Credentials in Plaintext"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24762",
"datePublished": "2026-02-03T16:06:17.699Z",
"dateReserved": "2026-01-26T21:06:47.867Z",
"dateUpdated": "2026-02-03T17:11:10.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Remove debug log files before deploying the application into production.
Mitigation
Protect log files against unauthorized read/write.
Mitigation
Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.