Total: 502 CVEs

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-27944 | | | 2026-03-05 | N/A | 9.8 CRITICAL | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3. |
| CVE-2025-69969 | | | 2026-03-04 | N/A | 9.6 CRITICAL | A lack of authentication and authorization mechanisms in the Bluetooth Low Energy (BLE) communication protocol of SRK Powertech Pvt Ltd Pebble Prism Ultra v2.9.2 allows attackers to reverse engineer the protocol and execute arbitrary commands on the device without establishing a connection. This is exploitable over Bluetooth Low Energy (BLE) proximity (Adjacent), requiring no physical contact with the device. Furthermore, the vulnerability is not limited to arbitrary commands but includes cleart ... |
| CVE-2023-31819 | 1 Keisei Store | 1 Livre | 2026-03-03 | N/A | 7.5 HIGH | An issue found in KEISEI STORE Co, Ltd. LIVRE KEISEI v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp function. |
| CVE-2025-13453 | 1 Lenovo | 8 Thinkplus Fu100, Thinkplus Fu100 Firmware, Thinkplus Fu200 and 5 more | 2026-02-25 | N/A | 4.6 MEDIUM | A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive. |
| CVE-2022-40295 | 1 Phppointofsale | 1 Php Point Of Sale | 2026-02-25 | N/A | 4.9 MEDIUM | The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks. |
| CVE-2025-15548 | | | 2026-02-04 | N/A | N/A | Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality. |
| CVE-2025-65098 | 1 Typebot | 1 Typebot | 2026-01-30 | N/A | 7.4 HIGH | Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue. |
| CVE-2025-13053 | 1 Asustor | 1 Data Master | 2026-01-28 | N/A | 3.7 LOW | When a user configures the NAS to retrieve UPS status or control the UPS, non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server to perform a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the UPS server configuration. This issue affects ADM: from 4.1.0 through 4.3.3.RKD2, from 5.0.0 through 5.1.0.RN42. |
| CVE-2025-15065 | | | 2025-12-31 | N/A | 6.3 MEDIUM | Exposure of Sensitive Information to an Unauthorized Actor, Missing Encryption of Sensitive Data, Files or Directories Accessible to External Parties vulnerability in Kings Information & Network Co. KESS Enterprise on Windows allows Privilege Escalation, Modify Existing Service, Modify Shared File. This issue affects KESS Enterprise: before *.25.9.19.exe |
| CVE-2025-65825 | 1 Meatmeet | 2 Meatmeet Pro Wifi & Bluetooth Meat Thermometer, Meatmeet Pro Wifi & Bluetooth Meat Thermometer Firmware | 2025-12-30 | N/A | 4.6 MEDIUM | The firmware on the basestation of the Meatmeet is not encrypted. An adversary with physical access to the Meatmeet device can disassemble the device, connect over UART, and retrieve the firmware dump for analysis. Within the NVS partition they may discover the credentials of the current and previous Wi-Fi networks. This information could be used to gain unauthorized access to the victim's Wi-Fi network. |
| CVE-2025-10227 | 3 Axxonsoft, Linux, Microsoft | 3 Axxon One, Linux Kernel, Windows | 2025-12-19 | N/A | 4.6 MEDIUM | Missing Encryption of Sensitive Data (CWE-311) in the Object Archive component in AxxonSoft Axxon One (C-Werk) before 2.0.8 on Windows and Linux allows a local attacker with access to exported storage or stolen physical drives to extract sensitive archive data in plaintext via lack of encryption at rest. |
| CVE-2025-36751 | | | 2025-12-15 | N/A | N/A | Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint. |
| CVE-2023-46219 | 2 Fedoraproject, Haxx | 2 Fedora, Curl | 2025-12-02 | N/A | 5.3 MEDIUM | When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. |
| CVE-2025-64147 | 1 Jenkins | 1 Curseforge Publisher | 2025-11-04 | N/A | 4.3 MEDIUM | Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
| CVE-2025-64146 | 1 Jenkins | 1 Curseforge Publisher | 2025-11-04 | N/A | 4.3 MEDIUM | Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. |
| CVE-2025-64145 | 1 Jenkins | 1 Byteguard Build Actions | 2025-11-04 | N/A | 4.3 MEDIUM | Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
| CVE-2025-64144 | 1 Jenkins | 1 Byteguard Build Actions | 2025-11-04 | N/A | 4.3 MEDIUM | Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. |
| CVE-2025-64143 | 1 Jenkins | 1 Openshift Pipeline | 2025-11-04 | N/A | 4.3 MEDIUM | Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. |
| CVE-2025-53678 | 1 Jenkins | 1 User1st Utester | 2025-11-04 | N/A | 6.5 MEDIUM | Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. |
| CVE-2025-53676 | 1 Jenkins | 1 Xooa | 2025-11-04 | N/A | 6.5 MEDIUM | Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. |
| CVE-2025-53673 | 1 Jenkins | 1 Sensedia Api Platform Tools | 2025-11-04 | N/A | 6.5 MEDIUM | Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. |
| CVE-2025-53668 | 1 Jenkins | 1 Vaddy | 2025-11-04 | N/A | 6.5 MEDIUM | Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. |
| CVE-2025-53666 | 1 Jenkins | 1 Dead Man's Snitch | 2025-11-04 | N/A | 6.5 MEDIUM | Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. |
| CVE-2025-53663 | 1 Jenkins | 1 Ibm Cloud Devops | 2025-11-04 | N/A | 6.5 MEDIUM | Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. |
| CVE-2025-53659 | 1 Jenkins | 1 Qmetry Test Management | 2025-11-04 | N/A | 6.5 MEDIUM | Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. |
| CVE-2025-53653 | 1 Jenkins | 1 Aqua Security Scanner | 2025-11-04 | N/A | 4.3 MEDIUM | Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. |
| CVE-2020-10124 | 1 Ncr | 2 Aptra Xfs, Selfserv Atm | 2025-11-04 | 4.4 MEDIUM | 7.1 HIGH | NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer, which could allow an attacker with physical access to the internal components of the ATM to execute arbitrary code, including code that enables the attacker to commit deposit forgery. |
| CVE-2024-7396 | | | 2025-11-04 | N/A | N/A | Missing encryption of sensitive data in Korenix JetPort 5601v3 allows Eavesdropping. This issue affects JetPort 5601v3: through 1.2. |
| CVE-2024-25027 | 1 Ibm | 1 Security Verify Access | 2025-11-03 | N/A | 6.2 MEDIUM | IBM Security Verify Access 10.0.6 could disclose sensitive snapshot information due to missing encryption. IBM X-Force ID: 281607. |
| CVE-2023-38267 | 1 Ibm | 2 Security Verify Access, Security Verify Access Docker | 2025-11-03 | N/A | 6.2 MEDIUM | IBM Security Access Manager Appliance (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) could allow a local user to possibly elevate their privileges due to sensitive configuration information being exposed. IBM X-Force ID: 260584. |
| CVE-2025-43274 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 4.4 MEDIUM | A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.6. A sandboxed process may be able to circumvent sandbox restrictions. |
| CVE-2025-31977 | 1 Hcltech | 1 Bigfix Service Management | 2025-10-29 | N/A | 5.3 MEDIUM | HCL BigFix SM is affected by cryptographic weakness due to weak or outdated encryption algorithms. An attacker with network access could exploit this weakness to decrypt or manipulate encrypted communications under certain conditions. |
| CVE-2024-41980 | 1 Siemens | 1 Opcenter Quality | 2025-10-23 | N/A | 3.1 LOW | A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not encrypt the communication in the LDAP interface by default. This could allow an authenticated attacker to gain unauthorized access to sensitive information. |
| CVE-2024-41982 | 1 Siemens | 1 Opcenter Quality | 2025-10-23 | N/A | 4.8 MEDIUM | A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not have adequate encryption of sensitive information. This could allow an authenticated attacker to gain access to sensitive information. |
| CVE-2014-2379 | 1 Sensysnetworks | 4 Trafficdot, Vds, Vsn240-f and 1 more | 2025-10-13 | 4.3 MEDIUM | N/A | Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not use encryption, which allows remote attackers to interfere with traffic control by replaying transmissions on a wireless network. |
| CVE-2025-48981 | | | 2025-10-08 | N/A | 8.6 HIGH | An insecure implementation of the proprietary protocol DNET in Product CGM MEDICO allows attackers within the intranet to eavesdrop and manipulate data on the protocol because encryption is optional for this connection. |
| CVE-2024-41757 | 1 Ibm | 1 Concert | 2025-09-29 | N/A | 5.9 MEDIUM | IBM Concert Software 1.0.0 and 1.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. |
| CVE-2024-56439 | 1 Huawei | 1 Harmonyos | 2025-09-26 | N/A | 7.5 HIGH | Access control vulnerability in the identity authentication module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2025-59410 | 1 Linuxfoundation | 1 Dragonfly | 2025-09-18 | N/A | 3.7 LOW | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. This vulnerability is fixed in 2.1.0. |
| CVE-2025-45768 | 1 Pyjwt Project | 1 Pyjwt | 2025-09-12 | N/A | 7.0 HIGH | pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may benefit from a minimum value and a mechanism for opting in to strict enforcement). |