Total
828 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-43766 | 1 Google | 1 Android | 2026-03-06 | N/A | 6.5 MEDIUM |
|
In multiple functions of btm_ble_sec.cc, there is a possible unencrypted communication due to Invalid error handling. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2026-30795 | | | 2026-03-05 | N/A | N/A |
|
Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop modules) allows Sniffing Attacks. This vulnerability is associated with program files src/hbbs_http/sync.Rs and program routines Heartbeat JSON payload construction (preset-address-book-password).
This issue affects RustDesk Client: through 1.4.5.
|
|||||
| CVE-2026-30796 | | | 2026-03-05 | N/A | N/A |
|
Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks. This vulnerability is associated with program files Closed source — API endpoint handling heartbeat sync and program routines Heartbeat API handler (accepts preset-address-book-password in plaintext).
This issue affects RustDesk Server Pro: through 1.7.5.
|
|||||
| CVE-2025-66604 | 1 Yokogawa | 1 Fast/tools | 2026-03-05 | N/A | 5.3 MEDIUM |
|
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. The library version could be displayed on the web page. This information could be exploited by an attacker for other attacks. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04
|
|||||
| CVE-2025-13490 | 1 Ibm | 2 App Connect Enterprise Certified Containers Operands, App Connect Operator | 2026-03-04 | N/A | 5.9 MEDIUM |
|
IBM App Connect Operator versions CD 11.3.0 through 11.6.0 and 12.1.0 through 12.20.0, LTS versions 12.0.0 through 12.0.20, and IBM App Connect Enterprise Certified Containers Operands versions CD 12.0.11.2‑r1 through 12.0.12.5‑r1 and 13.0.1.0‑r1 through 13.0.6.1‑r1, and LTS versions 12.0.12‑r1 through 12.0.12‑r20, contain a vulnerability in which the IBM App Connect Enterprise Certified Container transmits data in clear text, potentially allowing an attacker to intercept and obtain sensitive in ...
|
|||||
| CVE-2025-69969 | | | 2026-03-04 | N/A | 9.6 CRITICAL |
|
A lack of authentication and authorization mechanisms in the Bluetooth Low Energy (BLE) communication protocol of SRK Powertech Pvt Ltd Pebble Prism Ultra v2.9.2 allows attackers to reverse engineer the protocol and execute arbitrary commands on the device without establishing a connection. This is exploitable over Bluetooth Low Energy (BLE) proximity (Adjacent), requiring no physical contact with the device. Furthermore, the vulnerability is not limited to arbitrary commands but includes cleart ...
|
|||||
| CVE-2026-20801 | | | 2026-03-03 | N/A | 5.6 MEDIUM |
|
Cleartext Transmission of Sensitive Information (CWE-319) in a component used in the Gallagher Hanwha VMS and Gallagher NxWitness VMS integrations allows unprivileged users with local network access to view live video streams.
This issue affects all versions of Gallagher NxWitness VMS integration prior to 9.10.017 and Gallagher Hanwha VMS integration prior to 9.10.025.
|
|||||
| CVE-2026-27752 | 1 Sodola-network | 2 Sl902-swtgw124as, Sl902-swtgw124as Firmware | 2026-03-03 | N/A | 5.9 MEDIUM |
|
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 transmit authentication credentials over unencrypted HTTP, allowing attackers to capture credentials. An attacker positioned to observe network traffic between a user and the device can intercept credentials and reuse them to gain administrative access to the gateway.
|
|||||
| CVE-2025-58107 | | | 2026-03-02 | N/A | 7.5 HIGH |
|
In Microsoft Exchange through 2019, Exchange ActiveSync (EAS) configurations on on-premises servers may transmit sensitive data from Samsung mobile devices in cleartext, including the user's name, e-mail address, device ID, bearer token, and base64-encoded password.
|
|||||
| CVE-2025-27903 | 1 Ibm | 1 Db2 Recovery Expert | 2026-02-26 | N/A | 5.9 MEDIUM |
|
IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 IBM Db2 Recovery Expert for Linux, UNIX and Windows transmits data in a cleartext communication channel that could allow an attacker to obtain sensitive information using man in the middle techniques.
|
|||||
| CVE-2025-13454 | 1 Lenovo | 8 Thinkplus Fu100, Thinkplus Fu100 Firmware, Thinkplus Fu200 and 5 more | 2026-02-25 | N/A | 5.5 MEDIUM |
|
A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information.
|
|||||
| CVE-2024-1657 | | | 2026-02-25 | N/A | 8.1 HIGH |
|
A flaw was found in the ansible automation platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker that has access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting in loss of confidentiality and integrity of the system.
|
|||||
| CVE-2023-23841 | 1 Solarwinds | 1 Serv-u | 2026-02-25 | N/A | 7.5 HIGH |
|
SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request. Part of the URL of the request discloses sensitive data.
|
|||||
| CVE-2024-38891 | 1 Horizoncloud | 1 Caterease | 2026-02-24 | N/A | 7.5 HIGH |
|
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Sniffing Network Traffic attack due to the cleartext transmission of sensitive information.
|
|||||
| CVE-2024-5462 | 1 Broadcom | 1 Fabric Operating System | 2026-02-23 | N/A | 7.5 HIGH |
|
If Brocade Fabric OS before Fabric OS 9.2.0 configuration settings are not set to encrypt SNMP passwords, then the SNMP privsecret / authsecret fields can be exposed in plaintext. The plaintext passwords can be exposed in a configupload capture or a supportsave capture if encryption of passwords is not enabled. An attacker can use these passwords to fetch values of the supported OIDs via SNMPv3 queries. There are also a limited number of MIB objects that can be modified.
|
|||||
| CVE-2026-24455 | | | 2026-02-20 | N/A | 7.5 HIGH |
|
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network.
|
|||||
| CVE-2024-25960 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | N/A | 7.3 HIGH |
|
Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contain a cleartext transmission of sensitive information vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges.
|
|||||
| CVE-2026-0714 | 1 Moxa | 70 Uc-1222a, Uc-1222a Firmware, Uc-2222a-t and 67 more | 2026-02-18 | N/A | 6.8 MEDIUM |
|
A physical attack vulnerability exists in certain Moxa industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3, where the discrete TPM is connected to the CPU via an SPI bus. Exploitation requires invasive physical access, including opening the device and attaching external equipment to the SPI bus to capture TPM communications. If successful, the captured data may allow offline decryption of eMMC contents. This attack cannot be performed through brief or oppor ...
|
|||||
| CVE-2026-2539 | | | 2026-02-18 | N/A | N/A |
|
The RF communication protocol in the Micca KE700 car alarm system does not encrypt its data frames. An attacker with a radio interception tool (e.g., SDR) can capture the random number and counters transmitted in cleartext, which is sensitive information required for authentication.
|
|||||
| CVE-2026-22274 | 1 Dell | 2 Elastic Cloud Storage, Objectscale | 2026-02-18 | N/A | 6.5 MEDIUM |
|
Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit.
|
|||||
| CVE-2026-22271 | 1 Dell | 2 Elastic Cloud Storage, Objectscale | 2026-02-18 | N/A | 7.5 HIGH |
|
Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure.
|
|||||
| CVE-2023-23915 | 3 Haxx, Netapp, Splunk | 12 Curl, Active Iq Unified Manager, Clustered Data Ontap and 9 more | 2026-02-13 | N/A | 6.5 MEDIUM |
|
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlyco ...
|
|||||
| CVE-2022-43551 | 4 Fedoraproject, Haxx, Netapp and 1 more | 7 Fedora, Curl, Active Iq Unified Manager and 4 more | 2026-02-13 | N/A | 7.5 HIGH |
|
A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead ...
|
|||||
| CVE-2022-42916 | 4 Apple, Fedoraproject, Haxx and 1 more | 4 Macos, Fedora, Curl and 1 more | 2026-02-13 | N/A | 7.5 HIGH |
|
In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCI ...
|
|||||
| CVE-2026-23564 | 2 Microsoft, Teamviewer | 2 Windows, Digital Employee Experience | 2026-02-11 | N/A | 6.5 MEDIUM |
|
A vulnerability in TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to cause normally encrypted UDP traffic to be sent in cleartext. This can result in disclosure of sensitive information.
|
|||||
| CVE-2025-10174 | | | 2026-02-11 | N/A | 8.3 HIGH |
|
Cleartext Transmission of Sensitive Information vulnerability in Pan Software & Information Technologies Ltd. PanCafe Pro allows Flooding. This issue affects PanCafe Pro: from < 3.3.2 through 23092025.
|
|||||
| CVE-2026-24441 | 1 Tenda | 2 Ac7, Ac7 Firmware | 2026-02-10 | N/A | 5.9 MEDIUM |
|
Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material.
|
|||||
| CVE-2025-27457 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-02-06 | N/A | 6.5 MEDIUM |
|
All communication between the VNC server and client(s) is unencrypted. This allows an attacker to intercept the traffic and obtain sensitive data.
|
|||||
| CVE-2025-63292 | 1 Freebox | 10 Mini 4k, Mini 4k Firmware, One and 7 more | 2026-02-04 | N/A | 3.5 LOW |
|
Freebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1–r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) were discovered to expose subscribers' IMSI identifiers in plaintext during the initial phase of EAP-SIM authentication over the `FreeWifi_secure` network. During the EAP-Response/Identity exchange, the subscriber's full Network Access Identifier (NAI), which embeds the raw IMSI, is transmitted without en ...
|
|||||
| CVE-2026-1777 | | | 2026-02-03 | N/A | 7.2 HIGH |
|
The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output location may have the ability to upload arbitrary artifacts which are executed the next time the Training Job is invoked.
|
|||||
| CVE-2026-0767 | 1 Openwebui | 1 Open Webui | 2026-01-30 | N/A | 6.5 MEDIUM |
|
Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of credentials provided to the endpoint. The issue results from transmitting sensitive information in plaintext. An attacker can leverage this vulnerability to disclose transmit ...
|
|||||
| CVE-2025-67159 | 1 Vatilon | 2 Pa4, Pa4 Firmware | 2026-01-30 | N/A | 7.5 HIGH |
|
Vatilon v1.12.37-20240124 was discovered to transmit user credentials in plaintext.
|
|||||
| CVE-2025-49183 | 1 Sick | 1 Media Server | 2026-01-29 | N/A | 7.5 HIGH |
|
All communication with the REST API is unencrypted (HTTP), allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files.
|
|||||
| CVE-2025-49194 | 1 Sick | 1 Media Server | 2026-01-26 | N/A | 7.5 HIGH |
|
The server supports authentication methods in which credentials are sent in plaintext over unencrypted channels. If an attacker were to intercept traffic between a client and this server, the credentials would be exposed.
|
|||||
| CVE-2025-64769 | 1 Aveva | 1 Process Optimization | 2026-01-22 | N/A | 7.1 HIGH |
|
The Process Optimization application suite leverages connection channels/protocols that by default are not encrypted and could become subject to hijacking or data leakage in certain man-in-the-middle or passive inspection scenarios.
|
|||||
| CVE-2019-25278 | 1 Iwt | 2 Facesentry Access Control System, Facesentry Access Control System Firmware | 2026-01-16 | N/A | 5.9 MEDIUM |
|
FaceSentry Access Control System 6.4.8 contains a cleartext transmission vulnerability that allows remote attackers to intercept authentication credentials. Attackers can perform man-in-the-middle attacks to capture HTTP cookie authentication information during network communication.
|
|||||
| CVE-2025-69272 | 3 Broadcom, Linux, Microsoft | 3 Dx Netops Spectrum, Linux Kernel, Windows | 2026-01-14 | N/A | 7.5 HIGH |
|
Cleartext Transmission of Sensitive Information vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks. This issue affects DX NetOps Spectrum: 21.2.1 and earlier.
|
|||||
| CVE-2026-22080 | | | 2026-01-13 | N/A | N/A |
|
This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the Base64-encoded credentials.
Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthor ...
|
|||||
| CVE-2026-22079 | | | 2026-01-13 | N/A | N/A |
|
This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the credentials transmitted in plaintext.
Successful exploitation of this vulnerability could allow the attacker to obtain s ...
|
|||||
| CVE-2025-62578 | 1 Deltaww | 2 Dvp-12se, Dvp-12se Firmware | 2026-01-08 | N/A | 7.5 HIGH |
|
DVP-12SE - Modbus/TCP Cleartext Transmission of Sensitive Information
|
|||||