CWE • Base • Incomplete • 13 recent CVEs
CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
Description
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Common consequences
- Confidentiality → Read Files or Directories, Read Application Data: Sensitive data may be exposed to an unauthorized actor in another control sphere. This may have a wide range of secondary consequences that will depend on what data is exposed. One possibility is the exposure of system data - such as file l
Potential mitigations
- Requirements: Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.
- Architecture and Design
- Implementation, Operation
- Implementation: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
- Implementation: Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.
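
An added example (not part of the CWE entry) of the cleanse-before-export and strong-type mitigations listed above. `Sensitive`, `UserRecord`, `cleanse` and `export_json` are hypothetical names, and the record is constructed sample data.

```python
from dataclasses import dataclass, field, fields, is_dataclass
import json


class Sensitive:
    """Wrapper type marking a value that must not leave the trust boundary."""

    def __init__(self, value):
        self._value = value

    def reveal(self):
        # Single, greppable access point for the raw value.
        return self._value

    def __repr__(self):
        # Keeps the value out of logs, tracebacks and debug dumps.
        return "Sensitive(<redacted>)"


@dataclass
class UserRecord:  # hypothetical record type for this example
    username: str
    display_name: str
    password_hash: Sensitive
    home_path: Sensitive
    tags: list = field(default_factory=list)


def cleanse(obj):
    """Return an export-safe copy of obj with every Sensitive member dropped."""
    if isinstance(obj, Sensitive):
        raise TypeError("refusing to export a bare Sensitive value")
    if is_dataclass(obj) and not isinstance(obj, type):
        obj = {f.name: getattr(obj, f.name) for f in fields(obj)}
    if isinstance(obj, dict):
        return {k: cleanse(v) for k, v in obj.items() if not isinstance(v, Sensitive)}
    if isinstance(obj, (list, tuple)):
        return [cleanse(v) for v in obj if not isinstance(v, Sensitive)]
    return obj


def export_json(obj):
    # json.dumps cannot serialize Sensitive, so a path that skips cleanse()
    # raises TypeError instead of silently leaking the value.
    return json.dumps(cleanse(obj), sort_keys=True)


# Constructed sample data.
SAMPLE = UserRecord("alice", "Alice", Sensitive("$2b$12$constructed"),
                    Sensitive("/home/alice"), ["staff"])
```

Because the sensitive fields carry their own type, a reviewer can find every raw access by searching for `reveal()`, and an export that bypasses `cleanse()` fails closed.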
Related CWEs
Recent CVEs classified under this CWE
- CVE-2026-46657 (score 7.1, 2026-06-08)
- CVE-2026-36178 (score 4.6, 2026-06-04)
- CVE-2026-45046 (score 5.5, 2026-05-27)
- CVE-2026-27892 (score 6.5, 2026-05-18)
- CVE-2026-42186 (score 7.5, 2026-05-14)
- CVE-2026-42880 (score 9.6, 2026-05-07)
- CVE-2024-43384 (score 8.0, 2026-05-07)
- CVE-2026-43528 (score 6.5, 2026-05-05)
- CVE-2026-43824 (score 7.7, 2026-05-02)
- CVE-2026-20928 (score 4.6, 2026-04-14)
- CVE-2026-39937 (2026-04-07)
- CVE-2026-34214 (score 7.7, 2026-03-31)
- CVE-2024-49997 (score 7.5, 2024-10-21)