CWE-202: Exposure of Sensitive Information Through Data Queries
When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
Last updated
Overview
In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.
Real-world CVEs
31 recorded CVEs are caused by CWE-202 (Exposure of Sensitive Information Through Data Queries). The highest-severity and most recent are shown first. 5 new CWE-202 CVEs have been recorded so far in 2026 (8 in 2025).
- CVE-2021-32743High · CVSS 8.8 · EPSS 76th2021-07-15
- CVE-2024-2088
NextScripts: Social Networks Auto-Poster <= 4.4.3 - Authenticated(Subscriber+) Sensitive Information Exposure
High · CVSS 8.5 · EPSS 27th2024-05-22 - CVE-2025-25205
Remote Authentication-Bypass can lead to server crash or limited information disclosure due to faulty pattern matching
High · CVSS 8.2 · EPSS 89th2025-02-12 - CVE-2024-6400
Cleartext Storage of Username and Password in Finrota's Netahsilat
High · CVSS 8.2 · EPSS 46th2024-10-04 - CVE-2026-33530
InvenTree Vulnerable to ORM Filter Injection
High · CVSS 7.7 · EPSS 10th2026-03-26 - CVE-2026-30778
Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
High · CVSS 7.5 · EPSS 42th2026-04-15 - CVE-2025-69200
phpMyFAQ has unauthenticated config backup download via /api/setup/backup
High · CVSS 7.5 · EPSS 79th2025-12-29 - CVE-2025-36575High · CVSS 7.5 · EPSS 21th2025-06-10
- CVE-2025-29981High · CVSS 7.5 · EPSS 29th2025-04-02
- CVE-2024-13255High · CVSS 7.5 · EPSS 39th2025-01-09
- CVE-2023-7072
Post Grid Combo – 36+ Gutenberg Blocks <= 2.2.68 - Information Exposure via get_posts API Endpoint
High · CVSS 7.5 · EPSS 46th2024-03-12 - CVE-2022-41623
WordPress ALD - AliExpress Dropshipping and Fulfillment for WooCommerce premium plugin <= 1.1.0 - Sensitive Data Exposure vulnerability
High · CVSS 7.5 · EPSS 49th2022-10-14
Showing 12 of 31 recorded CWE-202 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-202 vulnerabilitiesCommon consequences
What can happen when CWE-202 is exploited.
Read Files or Directories, Read Application Data
Affects: Confidentiality
Sensitive information may possibly be leaked through data queries accidentally.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-202, grouped by where in the lifecycle they apply.
This is a complex topic. See the [REF-1492] for a good discussion of best practices.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-41935 — Wiki product allows an adversary to discover filenames via a series of queries starting with one letter and then iteratively extending the match.
Terminology & mappings
Mapped taxonomies
- CLASP: Accidental leaking of sensitive information through data queries
Frequently asked questions
Common questions about CWE-202.
- What is CWE-202?
- When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
- What CVEs are caused by CWE-202?
- 31 recorded CVEs are attributed to CWE-202, including CVE-2021-32743, CVE-2024-2088, CVE-2025-25205.
- How do you prevent CWE-202?
- This is a complex topic. See the [REF-1492] for a good discussion of best practices.
- What are the consequences of CWE-202?
- Exploiting CWE-202 can lead to: Read Files or Directories, Read Application Data.
- Is CWE-202 actively exploited?
- 31 recorded CVEs are caused by CWE-202; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-202) (opens in a new tab)
- CWE-202 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-202
Get alerted the moment a new CWE-202 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.