Total: 28 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27205 | 1 Palletsprojects | 1 Flask | 2026-02-24 | N/A | 4.3 MEDIUM |
| Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, the `Vary: Cookie` header that Flask should set when the session object is accessed is not always set, resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python `in` operator were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a `Cache-Control` header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3. | |||||
| CVE-2026-25540 | 1 Joinmastodon | 1 Mastodon | 2026-02-20 | N/A | 6.5 MEDIUM |
| Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache`. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regard to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6. | |||||
| CVE-2025-69581 | 1 Chamilo | 1 Chamilo Lms | 2026-02-05 | N/A | 5.5 MEDIUM |
| An issue was discovered in Chamilo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks. | |||||
| CVE-2026-24472 | 1 Hono | 1 Hono | 2026-02-04 | N/A | 5.3 MEDIUM |
| Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue. | |||||
| CVE-2025-69202 | 1 Axios-cache-interceptor | 1 Axios Cache Interceptor | 2026-01-05 | N/A | 6.5 MEDIUM |
| Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignoring request headers like `Authorization`. When the server responds with `Vary: Authorization` (indicating the response varies by auth token), the library ignores this, causing all requests to share the same cache regardless of authorization. Affected are server-side applications (APIs, proxies, backend services) that use axios-cache-interceptor to cache requests to upstream services, handle requests from multiple users with different auth tokens, and whose upstream services rely on `Vary` to differentiate caches. Browser/client-side applications (single user per browser session) are not affected. Services using different auth tokens to call upstream services will return incorrect cached data, bypassing authorization checks and leaking user data across different authenticated sessions. After `v1.11.1`, automatic `Vary` header support is enabled by default. When the server responds with `Vary: Authorization`, cache keys now include the authorization header value. Each user gets their own cache. | |||||
| CVE-2025-65681 | 1 Edly | 1 Tutor | 2025-12-30 | N/A | 3.3 LOW |
| An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks. | |||||
| CVE-2025-43410 | 1 Apple | 1 Macos | 2025-12-17 | N/A | 2.4 LOW |
| The issue was addressed with improved handling of caches. This issue is fixed in macOS Sequoia 15.7.2, macOS Tahoe 26.2, macOS Sonoma 14.8.2. An attacker with physical access may be able to view deleted notes. | |||||
| CVE-2025-64762 | 1 Workos | 1 Authkit-nextjs | 2025-12-11 | N/A | 9.1 CRITICAL |
| The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication. | |||||
| CVE-2025-64696 | | | 2025-12-09 | N/A | 3.3 LOW |
| The Android app "Brother iPrint&Scan", versions 6.13.7 and earlier, improperly uses an external cache directory. If exploited, application-specific files may be accessed by other, malicious applications. | |||||
| CVE-2025-61598 | 1 Discourse | 1 Discourse | 2025-12-03 | N/A | 5.3 MEDIUM |
| Discourse is an open source discussion platform. In versions before 3.6.2 and 3.6.0.beta2, the default `Cache-Control` response header with value `no-store, no-cache` was missing from error responses. This may have caused unintended caching of those responses by proxies, potentially leading to cache poisoning attacks. This vulnerability is fixed in 3.6.2 and 3.6.0.beta2. | |||||
| CVE-2024-30127 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | N/A | 3.2 LOW |
| Missing "no cache" headers in HCL Leap permits sensitive data to be cached. | |||||
| CVE-2023-37516 | 1 Hcltech | 1 Hcl Leap | 2025-11-17 | N/A | 3.2 LOW |
| Missing "no cache" headers in HCL Leap permits user directory information to be cached. | |||||
| CVE-2024-45596 | 1 Monospace | 1 Directus | 2025-11-17 | N/A | 7.4 HIGH |
| Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access the credentials of the last authenticated user via OpenID or OAuth2 when the authentication URL does not include the redirect query string. This happens because on that endpoint, for both OpenID and OAuth2, Directus uses the respond middleware, which by default will try to cache GET requests that meet some conditions. However, those conditions do not include this scenario, in which an unauthenticated request returns user credentials. This vulnerability is fixed in 10.13.3 and 11.1.0. | |||||
| CVE-2023-37517 | 1 Hcltech | 1 Domino Leap | 2025-10-30 | N/A | 3.2 LOW |
| Missing "no cache" headers in HCL Leap permits sensitive data to be cached. | |||||
| CVE-2024-33004 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-23 | N/A | 4.3 MEDIUM |
| SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage, as dynamic web pages are cached even after logging out. On successful exploitation, the attacker can see the sensitive information through the cache and can open the pages, causing limited impact on the Confidentiality, Integrity and Availability of the application. | |||||
| CVE-2025-57752 | 1 Vercel | 1 Next.js | 2025-09-08 | N/A | 6.2 MEDIUM |
| Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled. | |||||
| CVE-2025-9901 | | | 2025-09-04 | N/A | 5.9 MEDIUM |
| A flaw was found in libsoup’s caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header ensures that responses vary appropriately based on request headers such as language or authentication. Without this check, cached content can be incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in confidentiality breaches in proxy or multi-user environments. | |||||
| CVE-2025-5141 | | | 2025-08-29 | N/A | 5.5 MEDIUM |
| A binary in the BoKS Server Agent component of Fortra's Core Privileged Access Manager (BoKS) on versions 7.2.0 (up to 7.2.0.17), 8.1.0 (up to 8.1.0.22), 8.1.1 (up to 8.1.1.7), 9.0.0 (up to 9.0.0.1) and also legacy tar installs of BoKS 7.2 without hotfix #0474 on Linux, AIX, and Solaris allows low privilege local users to dump data from the cache. | |||||
| CVE-2025-4233 | | | 2025-06-16 | N/A | N/A |
| An insufficient implementation of cache vulnerability in Palo Alto Networks Prisma® Access Browser enables users to bypass certain data control policies. | |||||
| CVE-2023-45696 | 1 Hcltech | 1 Sametime | 2025-06-03 | N/A | 4.0 MEDIUM |
| Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user-entered data to be stored by the browser. | |||||
