CVEbaza.plCWE DictionaryCWE-525
Common Weakness Enumeration

CWE-525

Use of Web Browser Cache Containing Sensitive Information

Category: VariantCVE: 29
Description

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

CVE vulnerabilities with CWE-525 (29)
7.7
CVSS
HIGH
CVE-2025-48947

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met in order for someone to be affected by the vulnerability: Applications using the NextJS-Auth0 SDK, versions between 4.0.1 to 4.6.0, applications using CDN or edge caching that caches responses with the Set-Cookie header, and if the Cache-Control header is not properly set for sensitive responses. Users should upgrade auth0/nextjs-auth0 to v4.6.1 to receive a patch.

pub. 2025-06-04
7.1
CVSS
HIGH
CVE-2026-27514

Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a sensitive information exposure vulnerability in the configuration download functionality. The configuration download response includes the router password and administrative password in plaintext. The endpoint also omits appropriate Cache-Control directives, which can allow the response to be stored in client-side caches and recovered by other local users or processes with access to cached browser data.

pub. 2026-02-23
6.2
CVSS
MEDIUM
CVE-2025-36364

IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the system.

pub. 2026-03-03
6.2
CVSS
MEDIUM
CVE-2024-31906

IBM Automation Decision Services 23.0.2 allows web pages to be stored locally which can be read by another user on the system.

pub. 2025-01-26
6.0
CVSS
MEDIUM
CVE-2025-15554

Browser caching of LAPS passwords in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin passwords.

pub. 2026-03-16
5.9
CVSS
MEDIUM
CVE-2026-41918

A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.

pub. 2026-06-02
5.5
CVSS
MEDIUM
CVE-2024-25142

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow.  Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This issue affects Apache Airflow: before 2.9.2. Users are recommended to upgrade to version 2.9.2, which fixes the issue.

pub. 2024-06-14
5.5
CVSS
MEDIUM
CVE-2021-42015

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.26), Mendix Applications using Mendix 8 (All versions < V8.18.12), Mendix Applications using Mendix 9 (All versions < V9.6.1). Applications built with affected versions of Mendix Studio Pro do not prevent file documents from being cached when files are opened or downloaded using a browser. This could allow a local attacker to read those documents by exploring the browser cache.

pub. 2021-11-09
5.3
CVSS
MEDIUM
CVE-2026-41322

@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from _astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the effect that all subsequent requests to that file, regardless of if-match header will be served a 5xx error instead of the file until the cache expires. This vulnerability is fixed in 10.0.5.

pub. 2026-04-24
4.8
CVSS
MEDIUM
CVE-2026-24437

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access.

pub. 2026-01-26
4.6
CVSS
MEDIUM
CVE-2025-62276

The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions uses an incorrect cache-control header, which allows local users to obtain access to downloaded files via the browser's cache.

pub. 2025-11-01
4.0
CVSS
MEDIUM
CVE-2025-36082

IBM OpenPages 9.0 and 9.1 allows web page cache to be stored locally which can be read by another user on the system.

pub. 2025-09-15
4.0
CVSS
MEDIUM
CVE-2025-1348

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4 could allow a local user to obtain sensitive information from a user’s web browser cache due to not using a suitable caching policy.

pub. 2025-06-18
4.0
CVSS
MEDIUM
CVE-2025-1334

IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 allows web pages to be stored locally which can be read by another user on the system.

pub. 2025-06-03
4.0
CVSS
MEDIUM
CVE-2023-43035

IBM Sterling Control Center 6.2.1, 6.3.1, and 6.4.0 allows web pages to be stored locally which can be read by another user on the system.

pub. 2025-04-10
4.0
CVSS
MEDIUM
CVE-2024-22349

IBM DevOps Velocity 5.0.0 and IBM UrbanCode Velocity 4.0.0 through 4.0. 25 allows web pages to be stored locally which can be read by another user on the system.

pub. 2025-01-20
4.0
CVSS
MEDIUM
CVE-2022-38383

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Software Suite 1.10.12.0 through 1.10.21.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 233673.

pub. 2024-06-28
4.0
CVSS
MEDIUM
CVE-2022-43841

IBM Aspera Console 3.4.0 through 3.4.2 PL9 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 239078.

pub. 2024-05-30
4.0
CVSS
MEDIUM
CVE-2024-22343

IBM TXSeries for Multiplatforms 8.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 280190.

pub. 2024-05-14
4.0
CVSS
MEDIUM
CVE-2023-46181

IBM Sterling Secure Proxy 6.0.3 and 6.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 269686.

pub. 2024-03-15
Showing 20 of 29 vulnerabilities
Information
ID: CWE-525
Type: Variant
Vulnerabilities: 29
MITRE CWE ↗
← CWE Dictionary