Log inLog in

Base weakness

Draft

CWE-202: Exposure of Sensitive Information Through Data Queries

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

Last updated May 1, 2026

31

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Medium

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.

Real-world CVEs

31 recorded CVEs are caused by CWE-202 (Exposure of Sensitive Information Through Data Queries). The highest-severity and most recent are shown first. 5 new CWE-202 CVEs have been recorded so far in 2026 (8 in 2025).

2025-02-12

CVE-2024-6400

Cleartext Storage of Username and Password in Finrota's Netahsilat

High · CVSS 8.2

2024-10-04

CVE-2026-33530

InvenTree Vulnerable to ORM Filter Injection

High · CVSS 7.7

2026-03-26

CVE-2026-30778

Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.

High · CVSS 7.5

2026-04-15

CVE-2025-69200

phpMyFAQ has unauthenticated config backup download via /api/setup/backup

Post Grid Combo – 36+ Gutenberg Blocks <= 2.2.68 - Information Exposure via get_posts API Endpoint

High · CVSS 7.5

2024-03-12

CVE-2022-41623

WordPress ALD - AliExpress Dropshipping and Fulfillment for WooCommerce premium plugin <= 1.1.0 - Sensitive Data Exposure vulnerability

High · CVSS 7.5

2022-10-14

Showing 12 of 31 recorded CWE-202 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-202 vulnerabilities

Common consequences

What can happen when CWE-202 is exploited.

Read Files or Directories, Read Application Data

Affects: Confidentiality

Sensitive information may possibly be leaked through data queries accidentally.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

How to prevent it

Practical mitigations for CWE-202, grouped by where in the lifecycle they apply.

Architecture and Design

This is a complex topic. See the [REF-1492] for a good discussion of best practices.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2022-41935 — Wiki product allows an adversary to discover filenames via a series of queries starting with one letter and then iteratively extending the match.

Terminology & mappings

Mapped taxonomies

CLASP: Accidental leaking of sensitive information through data queries

Frequently asked questions

Common questions about CWE-202.

What is CWE-202?

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

What CVEs are caused by CWE-202?

31 recorded CVEs are attributed to CWE-202, including CVE-2021-32743, CVE-2024-2088, CVE-2025-25205.

How do you prevent CWE-202?

This is a complex topic. See the [REF-1492] for a good discussion of best practices.

What are the consequences of CWE-202?

Exploiting CWE-202 can lead to: Read Files or Directories, Read Application Data.

Is CWE-202 actively exploited?

31 recorded CVEs are caused by CWE-202; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-202

Get alerted the moment a new CWE-202 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Illustrative examples

Related weaknesses

Parent

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-202?

What CVEs are caused by CWE-202?

How do you prevent CWE-202?

What are the consequences of CWE-202?

Is CWE-202 actively exploited?

References

Stay ahead of CWE-202