- **Vulnerability Type**: Sensitive Value Exposure in Generated Reports - **Affected Package**: tfplan2md - **Affected Versions**: < v1.26.1 - **Patched Versions**: v1.26.1 - **Impact**: Caused reports to render values that should have been masked as "(sensitive)" instead. Impacted AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. - **Severity**: High (8.5/10) - **CVE ID**: CVE-2026-27640 - **CVSS v4 Base Metrics**: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Attack Requirements: None - Privileges Required: Low - User Interaction: None - Vulnerable System Impact Metrics: - Confidentiality: High - Integrity: None - Availability: None - Subsequent System Impact Metrics: - Confidentiality: High - Integrity: High - Availability: High - **References**: Related to GHSA-vrg5-jhph-q74p. Several related issues were discovered and fixed in v1.26.1. - **Patches**: Fixed in v1.26.1 - **Workarounds**: None