Total
185 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-22285 | 1 Dell | 1 Device Management Agent | 2026-03-05 | N/A | 4.4 MEDIUM |
|
Dell Device Management Agent (DDMA), versions prior to 26.02, contain a Plaintext Storage of Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized Access.
|
|||||
| CVE-2024-55026 | 1 Weintek | 3 Cmt-3072xh2, Cmt-3072xh2 Firmware, Easyweb | 2026-03-04 | N/A | 9.8 CRITICAL |
|
An issue in the reset_pj.cgi endpoint of Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 allows unauthorized attackers to execute arbitrary commands via supplying a crafted GET request.
|
|||||
| CVE-2026-28360 | 1 Nocodb | 1 Nocodb | 2026-03-03 | N/A | 5.3 MEDIUM |
|
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3.
|
|||||
| CVE-2025-12680 | 1 Broadcom | 1 Sannav | 2026-03-03 | N/A | 4.9 MEDIUM |
|
Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password.
|
|||||
| CVE-2026-21660 | 1 Johnsoncontrols | 2 Frick Controls Quantum Hd, Frick Controls Quantum Hd Firmware | 2026-03-02 | N/A | 9.8 CRITICAL |
|
Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise
This issue affects Frick Controls Quantum HD version 10.22 and prior.
|
|||||
| CVE-2025-15128 | 2026-02-24 | 5.0 MEDIUM | 5.3 MEDIUM | ||
|
A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. This affects an unknown part of the file /base/safe_setting/ of the component Endpoint. Performing a manipulation of the argument backup_encryption_password_decrypt/export_encryption_password_decrypt results in unprotected storage of credentials. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2026-23797 | 1 Opensolution | 1 Quick.cart | 2026-02-19 | N/A | 4.9 MEDIUM |
|
In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can display users' password in user editing page.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
|
|||||
| CVE-2025-36425 | 1 Ibm | 1 Db2 | 2026-02-18 | N/A | 5.3 MEDIUM |
|
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 could allow an authenticated user to obtain sensitive information under specific HADR configuration.
|
|||||
| CVE-2020-37115 | 1 Gunet | 1 Open Eclass Platform | 2026-02-10 | N/A | 6.5 MEDIUM |
|
GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and unauthorized access.
|
|||||
| CVE-2026-21417 | 1 Dell | 1 Cloudboost Virtual Appliance | 2026-02-06 | N/A | 7.0 HIGH |
|
Dell CloudBoost Virtual Appliance, versions prior to 19.14.0.0, contains a Plaintext Storage of Password vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.
|
|||||
| CVE-2025-1709 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-02-06 | N/A | 6.5 MEDIUM |
|
Several credentials for the local PostgreSQL database are stored in plain text (partially base64 encoded).
|
|||||
| CVE-2025-13187 | 1 Intelbras | 2 Icip 30, Icip 30 Firmware | 2026-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A security vulnerability has been detected in Intelbras ICIP 2.0.20. Affected is an unknown function of the file /xml/sistema/acessodeusuario.xml. Such manipulation of the argument NomeUsuario/SenhaAcess leads to unprotected storage of credentials. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
|
|||||
| CVE-2025-25051 | 2026-01-26 | N/A | 6.1 MEDIUM | ||
|
An attacker could decrypt sensitive data, impersonate legitimate users
or devices, and potentially gain access to network resources for lateral
attacks.
|
|||||
| CVE-2024-3623 | 1 Redhat | 1 Mirror Registry | 2026-01-21 | N/A | 6.5 MEDIUM |
|
A flaw was found when using mirror-registry to install Quay. It uses a default database secret key, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same database secret key. This flaw allows a malicious actor to access sensitive information from Quay's database.
|
|||||
| CVE-2025-66910 | 1 Turms-im | 1 Turms | 2026-01-02 | N/A | 6.0 MEDIUM |
|
Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentication performance. Upon successful login, raw passwords are stored unencrypted in memory in the rawPassword field. Attackers with local system access can extract these passwords through memory dumps, heap analysis, or debugger attachment, bypass ...
Show More |
|||||
| CVE-2018-25130 | 2025-12-29 | N/A | 6.2 MEDIUM | ||
|
Beward Intercom 2.3.1 contains a credentials disclosure vulnerability that allows local attackers to access plain-text authentication credentials stored in an unencrypted database file. Attackers can read the BEWARD.INTERCOM.FDB file to extract usernames and passwords, enabling unauthorized access to IP cameras and door stations.
|
|||||
| CVE-2025-65009 | 2025-12-19 | N/A | N/A | ||
|
In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) admin password is stored in configuration file as plaintext and can be obtained by unauthorized user by direct references to the resource in question.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
|
|||||
| CVE-2024-42197 | 2025-12-12 | N/A | 5.5 MEDIUM | ||
|
HCL Workload Scheduler stores user credentials in plain text which can be read by a local user.
|
|||||
| CVE-2025-14183 | 2025-12-08 | 4.0 MEDIUM | 4.3 MEDIUM | ||
|
A vulnerability was found in SGAI Space1 NAS N1211DS up to 1.0.915. This issue affects the function GET_FACTORY_INFO/GET_USER_INFO of the file /cgi-bin/JSONAPI of the component gsaiagent. The manipulation results in unprotected storage of credentials. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-56527 | 1 Cinnamon | 1 Kotaemon | 2025-12-02 | N/A | 7.5 HIGH |
|
Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage.
|
|||||
| CVE-2025-13221 | 2025-11-18 | 5.0 MEDIUM | 5.3 MEDIUM | ||
|
A weakness has been identified in Intelbras UnniTI 24.07.11. The affected element is an unknown function of the file /xml/sistema/usuarios.xml. Executing manipulation of the argument Usuario/Senha can lead to unprotected storage of credentials. The attack can be executed remotely. The exploit has been made available to the public and could be exploited.
|
|||||
| CVE-2025-9982 | 1 Opensolution | 1 Quick.cms | 2025-11-17 | N/A | 7.5 HIGH |
|
A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially leading to privilege escalation.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnera ...
Show More |
|||||
| CVE-2025-46366 | 1 Dell | 1 Cloudlink | 2025-11-07 | N/A | 6.7 MEDIUM |
|
Dell CloudLink, versions prior to 8.1.1, contain a vulnerability where a privileged user may exploit and gain parallel privilege escalation or access to the database to obtain confidential information.
|
|||||
| CVE-2025-53677 | 1 Jenkins | 1 Xooa | 2025-11-04 | N/A | 5.3 MEDIUM |
|
Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it.
|
|||||
| CVE-2025-53675 | 1 Jenkins | 1 Warrior Framework | 2025-11-04 | N/A | 6.5 MEDIUM |
|
Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
|
|||||
| CVE-2025-53674 | 1 Jenkins | 1 Sensedia Api Platform Tools | 2025-11-04 | N/A | 5.3 MEDIUM |
|
Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it.
|
|||||
| CVE-2025-53671 | 1 Jenkins | 1 Nouvola Divecloud | 2025-11-04 | N/A | 6.5 MEDIUM |
|
Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
|
|||||
| CVE-2025-53669 | 1 Jenkins | 1 Vaddy | 2025-11-04 | N/A | 4.3 MEDIUM |
|
Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
|
|||||
| CVE-2025-53665 | 1 Jenkins | 1 Apica Loadtest | 2025-11-04 | N/A | 4.3 MEDIUM |
|
Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
|
|||||
| CVE-2025-53664 | 1 Jenkins | 1 Apica Loadtest | 2025-11-04 | N/A | 6.5 MEDIUM |
|
Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
|
|||||
| CVE-2025-53662 | 1 Jenkins | 1 Ifttt Build Notifier | 2025-11-04 | N/A | 6.5 MEDIUM |
|
Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
|
|||||
| CVE-2025-53660 | 1 Jenkins | 1 Qmetry Test Management | 2025-11-04 | N/A | 4.3 MEDIUM |
|
Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
|
|||||
| CVE-2025-53656 | 1 Jenkins | 1 Readyapi Functional Testing | 2025-11-04 | N/A | 6.5 MEDIUM |
|
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
|
|||||
| CVE-2025-53655 | 1 Jenkins | 1 Statistics Gatherer | 2025-11-04 | N/A | 5.3 MEDIUM |
|
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it.
|
|||||
| CVE-2024-29978 | 2025-11-04 | N/A | 5.9 MEDIUM | ||
|
User passwords are decrypted and stored on memory before any user logged in. Those decrypted passwords can be retrieved from the coredump file. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].
|
|||||
| CVE-2025-11193 | 2025-11-04 | N/A | 5.5 MEDIUM | ||
|
A potential vulnerability was reported in some Lenovo Tablets that could allow a local authenticated user or application to gain access to sensitive device specific information.
|
|||||
| CVE-2024-36464 | 1 Zabbix | 1 Zabbix | 2025-11-03 | N/A | 2.7 LOW |
|
When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.
|
|||||
| CVE-2024-36460 | 1 Zabbix | 1 Zabbix | 2025-11-03 | N/A | 8.1 HIGH |
|
The front-end audit log allows viewing of unprotected plaintext passwords, where the passwords are displayed in plain text.
|
|||||
| CVE-2023-31002 | 1 Ibm | 1 Security Access Manager Container | 2025-11-03 | N/A | 5.1 MEDIUM |
|
IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254657.
|
|||||
| CVE-2025-27656 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-11-03 | N/A | 9.8 CRITICAL |
|
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.862 Application 20.0.2014 allows Password Stored in Process List V-2023-011.
|
|||||