CWE-525 (Information Exposure Through Browser Caching) — Vulnerability Class 26

26 vulnerabilities classified as CWE-525 (Information Exposure Through Browser Caching). AI Chinese analysis included.

CWE-525 represents a critical information exposure weakness where web applications fail to implement appropriate caching policies for sensitive data. This vulnerability typically arises when developers neglect to configure HTTP headers that control browser storage behavior, allowing private information such as login credentials, financial details, or personal identifiers to persist in local cache files. Attackers exploit this by accessing shared or public computers, retrieving cached pages, or using forensic tools to extract residual data from disk storage. To mitigate this risk, developers must explicitly instruct browsers not to store sensitive content by setting specific cache-control headers, such as "no-store," "no-cache," and "must-revalidate." Additionally, implementing secure session management and ensuring proper logout procedures further reduces the likelihood of sensitive data lingering in browser memory, thereby protecting user privacy and maintaining application integrity against unauthorized access.

MITRE CWE Description
The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
Common Consequences (1)
Confidentiality: Read Application Data
Browsers often store information in a client-side cache, which can leave behind sensitive information for other users to find and exploit, such as passwords or credit card numbers. The locations at most risk include public terminals, such as those in libraries and Internet cafes.
Mitigations (4)
Architecture and Design: Protect information stored in cache.
Implementation: Use a restrictive caching policy for forms and web pages that potentially contain sensitive information, such as "no-cache" in the Cache-Control header.
Architecture and Design: Do not store unnecessarily sensitive information in the cache.
Architecture and Design: Consider using encryption in the cache.
| CVE ID | Title | CVSS | Severity | Published |
| --- | --- | --- | --- | --- |
| CVE-2026-41322 | @astrojs/node: Cache Poisoning due to incorrect error handling when if-match header is malformed — astro | 5.3 | Medium | 2026-04-24 |
| CVE-2025-15554 | Admin Passwords Cached by Browsers in Truesec LAPSWebUI — LAPSWebUI | 7.8 (AI) | High (AI) | 2026-03-16 |
| CVE-2025-36364 | IBM DevOps Plan REST APIs are vulnerable to exposure of sensitive data through request query parameters. — DevOps Plan | 6.2 | Medium | 2026-03-03 |
| CVE-2026-24437 | Tenda W30E V2 Missing Cache Controls for Credential-bearing Pages — W30E V2 | 7.1 (AI) | High (AI) | 2026-01-26 |
| CVE-2025-52659 | HCL AION is affected by a Cacheable HTTP Response vulnerability — AION | 2.8 | Low | 2026-01-19 |
| CVE-2025-13083 | Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008 — Drupal core | 7.5 (AI) | High (AI) | 2025-11-18 |
| CVE-2025-62276 | Liferay Portal and Liferay DXP security vulnerability — Portal | 4.7 | - | 2025-10-31 |
| CVE-2025-52625 | HCL AION is susceptible to Cacheable SSL Page Found vulnerability — AION | 3.7 | Low | 2025-10-10 |
| CVE-2025-36082 | IBM OpenPages information disclosure — OpenPages | 4.0 | Medium | 2025-09-15 |
| CVE-2025-1348 | IBM Sterling B2B Integrator and IBM Sterling File Gateway information disclosure — Sterling B2B Integrator | 4.0 | Medium | 2025-06-18 |
| CVE-2025-48947 | NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies — nextjs-auth0 | 6.5 (AI) | Medium (AI) | 2025-06-04 |
| CVE-2025-1334 | IBM QRadar Suite Software and IBM Cloud Pak for Security information disclosure — QRadar Suite Software | 4.0 | Medium | 2025-06-03 |
| CVE-2025-27525 | Information Exposure vulnerability in JP1/IT Desktop Management 2 - Smart Device Manager — JP1/IT Desktop Management 2 - Smart Device Manager | 3.9 | Low | 2025-05-15 |
| CVE-2023-43035 | IBM Sterling Control Center information disclosure — Sterling Control Center | 4.0 | Medium | 2025-04-10 |
| CVE-2024-31906 | IBM Automation Decision Services information disclosure — Automation Decision Services | 6.2 | Medium | 2025-01-26 |
| CVE-2024-22349 | IBM UrbanCode Velocity information disclosure — UrbanCode Velocity | 4.0 | Medium | 2025-01-20 |
| CVE-2024-45314 | Flask-AppBuilder login form allows browser to cache sensitive fields — Flask-AppBuilder | 3.6 | Low | 2024-09-04 |
| CVE-2024-30130 | HCL Nomad server on Domino is affected by a use of web browser cache containing sensitive information vulnerability — Nomad server on Domino | 3.7 | Low | 2024-07-19 |
| CVE-2022-38383 | IBM Cloud Pak for Security information disclosure — Cloud Pak for Security | 4.0 | Medium | 2024-06-28 |
| CVE-2024-25142 | Apache Airflow: Cache Control - Storage of Sensitive Data in Browser Cache — Apache Airflow | 7.5 (AI) | High (AI) | 2024-06-14 |
| CVE-2024-22333 | IBM Maximo Application Suite information disclosure — Maximo Application Suite | 3.3 | Low | 2024-06-13 |
| CVE-2022-43841 | IBM Aspera Console information disclosure — Aspera Console | 4.0 | Medium | 2024-05-30 |
| CVE-2024-22343 | IBM TXSeries for Multiplatforms information disclosure — TXSeries for Multiplatforms | 4.0 | Medium | 2024-05-10 |
| CVE-2023-46181 | IBM Secure Proxy information disclosure — Secure Proxy | 4.0 | Medium | 2024-03-15 |
| CVE-2023-27545 | IBM Watson CloudPak for Data Data Stores information disclosure — Watson CloudPak for Data Data Stores | 4.0 | Medium | 2024-02-29 |
| CVE-2021-42015 | Siemens Mendix security vulnerability — Mendix Applications using Mendix 7 | 5.5 | - | 2021-11-09 |

Vulnerabilities classified as CWE-525 (Information Exposure Through Browser Caching) represent 26 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.