Total
765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-34428 | 1 Mailenable | 1 Mailenable | 2025-12-17 | N/A | 7.8 HIGH |
|
MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.SAV with overly permissive filesystem access. A local authenticated user with read access to this file can recover all user passwords and super-admin credentials, then use them to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, e ...
Show More |
|||||
| CVE-2020-36887 | 1 Spinetix | 1 Fusion Digital Signage | 2025-12-17 | N/A | 7.5 HIGH |
|
SpinetiX Fusion Digital Signage 3.4.8 contains an unauthenticated information disclosure vulnerability in the database backup directory. Attackers can access the /content/files/backups/ endpoint to download sensitive backup files containing user credentials and system information.
|
|||||
| CVE-2025-59701 | 1 Entrust | 10 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc Base and 7 more | 2025-12-08 | N/A | 4.1 MEDIUM |
|
Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker (with elevated privileges) to read and modify the Appliance SSD contents (because they are unencrypted).
|
|||||
| CVE-2024-58277 | 2025-12-08 | N/A | N/A | ||
|
R Radio Network FM Transmitter 1.07 allows unauthenticated attackers to access the admin user's password through the system.cgi endpoint, enabling authentication bypass and FM station setup access.
|
|||||
| CVE-2025-3784 | 2025-12-08 | N/A | 5.5 MEDIUM | ||
|
Cleartext Storage of Sensitive Information Vulnerability in GX Works2 all versions allows an attacker to disclose credential information stored in plaintext from project files. As a result, the attacker may be able to open project files protected by user authentication using disclosed credential information, and obtain or modify project information.
|
|||||
| CVE-2025-59792 | 1 Apache | 1 Kvrocks | 2025-12-04 | N/A | 5.3 MEDIUM |
|
Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.
This issue affects Apache Kvrocks: from 1.0.0 through 2.13.0.
Users are recommended to upgrade to version 2.14.0, which fixes the issue.
|
|||||
| CVE-2025-32353 | 2025-11-24 | N/A | 8.2 HIGH | ||
|
Kaseya Rapid Fire Tools Network Detective 2.0.16.0 has Unencrypted Credentials (for privileged access) stored in the collector.txt configuration file.
|
|||||
| CVE-2024-4235 | 1 Netgear | 2 Dg834gv5, Dg834gv5 Firmware | 2025-11-20 | 3.3 LOW | 2.7 LOW |
|
A vulnerability classified as problematic was found in Netgear DG834Gv5 1.6.01.34. This vulnerability affects unknown code of the component Web Management Interface. The manipulation leads to cleartext storage of sensitive information. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-262126 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-54342 | 1 Desktopalert | 1 Pingalert Application Server | 2025-11-19 | N/A | 3.3 LOW |
|
A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There is Exposure of Sensitive Information because of Incompatible Policies.
|
|||||
| CVE-2025-62261 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-11-10 | N/A | 6.5 MEDIUM |
|
Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions stores password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user’s password and take over the user’s account.
|
|||||
| CVE-2023-22894 | 1 Strapi | 1 Strapi | 2025-11-07 | N/A | 4.9 MEDIUM |
|
Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API use ...
Show More |
|||||
| CVE-2025-34270 | 1 Nagios | 1 Log Server | 2025-11-06 | N/A | 4.9 MEDIUM |
|
Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to administrators or anyone with access to import results.
|
|||||
| CVE-2025-53742 | 1 Jenkins | 1 Applitools Eyes | 2025-11-04 | N/A | 6.5 MEDIUM |
|
Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
|
|||||
| CVE-2025-53672 | 1 Jenkins | 1 Kryptowire | 2025-11-04 | N/A | 6.5 MEDIUM |
|
Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
|
|||||
| CVE-2025-53670 | 1 Jenkins | 1 Nouvola Divecloud | 2025-11-04 | N/A | 6.5 MEDIUM |
|
Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
|
|||||
| CVE-2023-46384 | 1 Loytec | 1 L-inx Configurator | 2025-11-04 | N/A | 7.5 HIGH |
|
LOYTEC electronics GmbH LINX Configurator (all versions) is vulnerable to Insecure Permissions. Cleartext storage of credentials allows remote attackers to disclose admin password and bypass an authentication to login Loytec device.
|
|||||
| CVE-2024-29146 | 2025-11-04 | N/A | 5.9 MEDIUM | ||
|
User passwords are decrypted and stored on memory before any user logged in. Those decrypted passwords can be retrieved from the coredump file. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].
|
|||||
| CVE-2023-49113 | 2025-11-04 | N/A | 7.8 HIGH | ||
|
The Kiuwan Local Analyzer (KLA) Java scanning application contains several
hard-coded secrets in plain text format. In some cases, this can
potentially compromise the confidentiality of the scan results. Several credentials were found in the JAR files of the Kiuwan Local Analyzer.
The
JAR file "lib.engine/insight/optimyth-insight.jar" contains the file
"InsightServicesConfig.properties", which has the configuration tokens
"insight.github.user" as well as "insight.github.password" prefilled ...
Show More |
|||||
| CVE-2020-11918 | 1 Svakom | 2 Svakom Siime Eye, Svakom Siime Eye Firmware | 2025-11-04 | N/A | 5.4 MEDIUM |
|
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. When a backup file is created through the web interface, information on all users, including passwords, can be found in cleartext in the backup file. An attacker capable of accessing the web interface can create the backup file.
|
|||||
| CVE-2024-33892 | 1 Hms-networks | 7 Ewon Cosy\+ 4g Apac, Ewon Cosy\+ 4g Eu, Ewon Cosy\+ 4g Jp and 4 more | 2025-11-04 | N/A | 7.5 HIGH |
|
Insecure Permissions vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are susceptible to leaking information through cookies. This is fixed in version 21.2s10 and 22.1s3
|
|||||
| CVE-2024-38877 | 1 Siemens | 7 Omnivise T3000 Application Server, Omnivise T3000 Domain Controller, Omnivise T3000 Network Intrusion Detection System and 4 more | 2025-11-03 | N/A | 8.2 HIGH |
|
A vulnerability has been identified in Omnivise T3000 Application Server R9.2 (All versions), Omnivise T3000 Domain Controller R9.2 (All versions), Omnivise T3000 Network Intrusion Detection System (NIDS) R9.2 (All versions), Omnivise T3000 Product Data Management (PDM) R9.2 (All versions), Omnivise T3000 R8.2 SP3 (All versions), Omnivise T3000 R8.2 SP4 (All versions), Omnivise T3000 Security Server R9.2 (All versions), Omnivise T3000 Terminal Server R9.2 (All versions), Omnivise T3000 Thin Clie ...
Show More |
|||||
| CVE-2023-31002 | 1 Ibm | 1 Security Access Manager Container | 2025-11-03 | N/A | 5.1 MEDIUM |
|
IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254657.
|
|||||
| CVE-2023-22332 | 1 Pgpool | 1 Pgpool-ii | 2025-11-03 | N/A | 6.5 MEDIUM |
|
Information disclosure vulnerability exists in Pgpool-II 4.4.0 to 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2 series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series), All versions of 3.7 series, All versions of 3.6 series, All versions of 3.5 series, All versions of 3.4 series, and All versions of 3.3 series. A specific database user's authentication information may be obtained by another database user. As a result, the information stored in the database may ...
Show More |
|||||
| CVE-2024-31486 | 2025-11-03 | N/A | 5.3 MEDIUM | ||
|
A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30). The affected devices stores MQTT client passwords without sufficient protection on the devices. An attacker with remote shell access or physical access could retrieve the credentials leading to confidentiality loss.
|
|||||
| CVE-2025-27685 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-11-03 | N/A | 7.5 HIGH |
|
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 1.0.735 Application 20.0.1330 allows Configuration File Contains CA & Private Key V-2022-001.
|
|||||
| CVE-2025-26495 | 1 Tableau | 1 Tableau Server | 2025-10-29 | N/A | 7.5 HIGH |
|
Cleartext Storage of Sensitive Information vulnerability in Salesforce Tableau Server can record the Personal Access Token (PAT) into logging repositories.This issue affects Tableau Server: before 2022.1.3, before 2021.4.8, before 2021.3.13, before 2021.2.14, before 2021.1.16, before 2020.4.19.
|
|||||
| CVE-2025-21060 | 1 Samsung | 1 Smart Switch | 2025-10-28 | N/A | 5.5 MEDIUM |
|
Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access backup data from applications. User interaction is required for triggering this vulnerability.
|
|||||
| CVE-2025-21061 | 1 Samsung | 1 Smart Switch | 2025-10-28 | N/A | 7.1 HIGH |
|
Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access sensitive data. User interaction is required for triggering this vulnerability.
|
|||||
| CVE-2025-55334 | 1 Microsoft | 4 Windows 11 22h2, Windows 11 23h2, Windows 11 24h2 and 1 more | 2025-10-27 | N/A | 6.2 MEDIUM |
|
Cleartext storage of sensitive information in Windows Kernel allows an unauthorized attacker to bypass a security feature locally.
|
|||||
| CVE-2025-48428 | 2025-10-27 | N/A | 6.7 MEDIUM | ||
|
Cleartext Storage of Sensitive Information (CWE-312) in the Gallagher Morpho integration could allow an authenticated user with access to the Command Centre Server to export a specific signing key while in use allowing them to deploy a compromised or counterfeit device on that site.
This issue affects Command Centre Server: 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.
|
|||||
| CVE-2025-47820 | 1 Flocksafety | 1 Gunshot Detection Firmware | 2025-10-24 | N/A | 2.0 LOW |
|
Flock Safety Gunshot Detection devices before 1.3 have cleartext storage of code.
|
|||||
| CVE-2025-59409 | 1 Flocksafety | 1 License Plate Reader Firmware | 2025-10-24 | N/A | 7.5 HIGH |
|
Flock Safety Falcon and Sparrow License Plate Readers OPM1.171019.026 ship with development Wi-Fi credentials (test_flck) stored in cleartext in production firmware.
|
|||||
| CVE-2025-47824 | 1 Flocksafety | 1 License Plate Reader Firmware | 2025-10-23 | N/A | 2.0 LOW |
|
Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have cleartext storage of code.
|
|||||
| CVE-2011-4723 | 1 Dlink | 1 Dir-300 | 2025-10-22 | 6.8 MEDIUM | 5.7 MEDIUM |
|
The D-Link DIR-300 router stores cleartext passwords, which allows context-dependent attackers to obtain sensitive information via unspecified vectors.
|
|||||
| CVE-2024-6400 | 1 Finrota | 1 Finrota | 2025-10-14 | N/A | 7.5 HIGH |
|
Cleartext Storage of Sensitive Information, Exposure of Sensitive Information Through Data Queries vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data, Authentication Bypass, IMAP/SMTP Command Injection, Collect Data from Common Resource Locations.
This issue solved in versions 1.21.10, 1.23.01, 1.23.08, 1.23.11 and 1.24.03.
|
|||||
| CVE-2025-34216 | 1 Vasion | 2 Virtual Appliance Application, Virtual Appliance Host | 2025-10-09 | N/A | 9.8 CRITICAL |
|
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (VA deployments only) expose a set of unauthenticated REST API endpoints that return configuration files and clear‑text passwords. The same endpoints also disclose the Laravel APP_KEY used for cryptographic signing. Because the APP_KEY is required to generate valid signed requests, an attacker who obtains it can craft malicious payloads that are accepted by the applic ...
Show More |
|||||
| CVE-2025-51055 | 1 Vedo Suite Project | 1 Vedo Suite | 2025-10-09 | N/A | 8.6 HIGH |
|
Insecure Data Storage of credentials has been found in /api_vedo/configuration/config.yml file in Vedo Suite version 2024.17. This file contains clear-text credentials, secret keys, and database information.
|
|||||
| CVE-2025-59450 | 2025-10-08 | N/A | 4.3 MEDIUM | ||
|
The YoSmart YoLink Smart Hub firmware 0382 is unencrypted, and data extracted from it can be used to determine network access credentials.
|
|||||
| CVE-2025-23291 | 2025-10-02 | N/A | 2.4 LOW | ||
|
NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an User/Attacker may cause an authorized action. A successful exploit of this vulnerability may lead to information disclosure.
|
|||||
| CVE-2024-45744 | 1 Topquadrant | 1 Topbraid Edg | 2025-10-02 | N/A | 3.0 LOW |
|
TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745. At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally. Version 8.3.0 warns when using ...
Show More |
|||||