Medium
CVE-2026-31610
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc The kernel ASN.1 BER decoder calls action callbacks incremen…
Tag: Token Leakage
All CVEs associated with "Token Leakage". Page 1/1 • 13 CVEs.
Subscribe CVEs: RSS for “Token Leakage” · RSS (High+Critical only)
About “Token Leakage”
A curated feed of “Token Leakage”-related CVEs appears below. We currently track 13 CVEs for this tag (all time). In the last 365 days, 7 were published. Average CVSS is 7.6 (all time; 7.3 over 365d), and 62% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE-401 - Missing Release of Memory after Effective Lifetime, CWE-565 - Reliance on Cookies without Validation and Integrity Checking.
In our taxonomy this topic maps to a HIGH impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2026-04-24
2026-04-15
Medium
CVE-2026-39963
Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as…
2026-03-27
Medium
CVE-2025-15617
Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed t…
2026-03-06
High
CVE-2026-30845
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering…
2026-03-02
High
CVE-2025-48635
In multiple functions of TaskFragmentOrganizerController.java, there is a possible activity token leak due to a logic error in the code. This could lead to local escalation of privilege with no addit…
2026-02-02
High
CVE-2024-5386
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's ac…
2025-11-26
High
CVE-2025-66035
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF tok…
2022-11-08
Medium
CVE-2022-40223
Nonce token leakage and missing authorization in SearchWP premium plugin <= 4.2.5 on WordPress leading to plugin settings change.
2022-09-23
Medium
CVE-2022-32227
A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by having the permission "view-full-other-user-info", this could cause an oau…
2022-05-18
High
CVE-2022-23067
ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via Referer header that leads to account takeover . If the user opens the invite link/signup link and then clicks on any external lin…
2022-05-02
High
CVE-2022-23064
In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted host header in the reset password request, it is possible to send password reset lin…
2022-03-18
High
CVE-2022-25602
Nonce token leak vulnerability leading to arbitrary file upload, theme deletion, plugin settings change discovered in Responsive Menu WordPress plugin (versions <= 4.1.7).
2019-02-07
Critical
CVE-2019-4008
API Connect V2018.1 through 2018.4.1.1 is impacted by access token leak. Authorization tokens in some URLs can result in the tokens being written to log files. IBM X-Force ID: 155626.