Total
1286 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-62327 | 1 Hcltechsw | 1 Hcl Devops Deploy | 2026-01-29 | N/A | 4.9 MEDIUM |
|
In HCL DevOps Deploy 8.1.2.0 through 8.1.2.3, a user with LLM configuration privileges may be able to recover a credential previously saved for performing authenticated LLM Queries.
|
|||||
| CVE-2025-52095 | 1 Pdq | 1 Smart Deploy | 2026-01-27 | N/A | 9.8 CRITICAL |
|
An issue in PDQ Smart Deploy V.3.0.2040 allows an attacker to escalate privileges via the Credential encryption routines in SDCommon.dll
|
|||||
| CVE-2025-9521 | 2026-01-27 | N/A | N/A | ||
|
Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security.
|
|||||
| CVE-2026-1223 | 2026-01-26 | N/A | 4.9 MEDIUM | ||
|
PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to allowing authenticated remote attackers to obtain SMTP plaintext passwords through the web frontend.
|
|||||
| CVE-2025-54876 | 2026-01-23 | N/A | N/A | ||
|
The Janssen Project is an open-source identity and access management (IAM) platform. In versions 1.9.0 and below, Janssen stores passwords in plaintext in the local cli_cmd.log file. This is fixed in the nightly prerelease.
|
|||||
| CVE-2025-32963 | 2026-01-23 | N/A | N/A | ||
|
MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the `spec.audiences` field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may unintentionally trust it. This issue has been patched in version 7.1.0.
|
|||||
| CVE-2026-22911 | 1 Sick | 2 Tdc-x401gl, Tdc-x401gl Firmware | 2026-01-23 | N/A | 5.3 MEDIUM |
|
Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device.
|
|||||
| CVE-2017-11349 | 1 Datataker | 2 Dt8x, Dt8x Firmware | 2026-01-16 | 5.0 MEDIUM | 9.8 CRITICAL |
|
dataTaker DT8x dEX 1.72.007 allows remote attackers to compose programs or schedules, for purposes such as sending e-mail messages or making outbound connections to FTP servers for uploading data.
|
|||||
| CVE-2021-47759 | 2026-01-16 | N/A | 6.2 MEDIUM | ||
|
MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. Attackers can run a PowerShell command to retrieve the full command line of MTPutty processes, exposing plaintext SSH credentials.
|
|||||
| CVE-2025-26628 | 1 Microsoft | 1 Azure Local Cluster | 2026-01-16 | N/A | 7.3 HIGH |
|
Insufficiently protected credentials in Azure Local Cluster allows an authorized attacker to disclose information locally.
|
|||||
| CVE-2026-22043 | 1 Rustfs | 1 Rustfs | 2026-01-15 | N/A | 9.8 CRITICAL |
|
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue.
|
|||||
| CVE-2023-32280 | 1 Intel | 54 Openbmc, Xeon Bronze 3408u, Xeon Gold 5403n and 51 more | 2026-01-14 | N/A | 5.3 MEDIUM |
|
Insufficiently protected credentials in some Intel(R) Server Product OpenBMC firmware before versions egs-1.05 may allow an unauthenticated user to enable information disclosure via network access.
|
|||||
| CVE-2025-69271 | 3 Broadcom, Linux, Microsoft | 3 Dx Netops Spectrum, Linux Kernel, Windows | 2026-01-14 | N/A | 7.5 HIGH |
|
Insufficiently Protected Credentials vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 24.3.13 and earlier.
|
|||||
| CVE-2025-67732 | 1 Dify | 1 Dify | 2026-01-12 | N/A | 6.5 MEDIUM |
|
Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0 fixes the issue.
|
|||||
| CVE-2025-64420 | 1 Coollabs | 1 Coolify | 2026-01-12 | N/A | 9.9 CRITICAL |
|
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available.
|
|||||
| CVE-2024-23583 | 2 Hcltech, Microsoft | 2 Bigfix Platform, Windows | 2026-01-08 | N/A | 6.7 MEDIUM |
|
An attacker could potentially intercept credentials via the task manager and perform unauthorized access to the Client Deploy Tool on Windows systems.
|
|||||
| CVE-2021-47726 | 2025-12-31 | N/A | 7.5 HIGH | ||
|
NuCom 11N Wireless Router 5.07.90 contains a privilege escalation vulnerability that allows non-privileged users to access administrative credentials through the configuration backup endpoint. Attackers can send a crafted HTTP GET request to the backup configuration page with a specific cookie to retrieve and decode the admin password in Base64 format.
|
|||||
| CVE-2021-47741 | 2025-12-31 | N/A | 7.5 HIGH | ||
|
ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints. Attackers can exploit the vulnerability by accessing the configuration backup or password page to disclose the super user password and gain additional privileged functionalities.
|
|||||
| CVE-2019-6242 | 1 Kentico | 1 Xperience | 2025-12-19 | 4.0 MEDIUM | 7.2 HIGH |
|
Kentico v10.0.42 allows Global Administrators to read the cleartext SMTP Password by navigating to the SMTP configuration page. NOTE: the vendor considers this a best-practice violation but not a vulnerability. The vendor plans to fix it at a future time
|
|||||
| CVE-2025-14148 | 1 Ibm | 1 Devops Deploy | 2025-12-18 | N/A | 6.5 MEDIUM |
|
IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 could allow an authenticated user with LLM integration configuration privileges to recover a previously saved LLM API Token.
|
|||||
| CVE-2025-48709 | 1 Bmc | 1 Control-m\/server | 2025-12-18 | N/A | 3.8 LOW |
|
BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process lo ...
Show More |
|||||
| CVE-2025-58130 | 1 Apache | 1 Fineract | 2025-12-18 | N/A | 9.1 CRITICAL |
|
Insufficiently Protected Credentials vulnerability in Apache Fineract.
This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1.
Users are encouraged to upgrade to version 1.13.0, the latest release.
|
|||||
| CVE-2020-36896 | 1 Howfor | 1 Qihang Media Web Digital Signage | 2025-12-17 | N/A | 7.5 HIGH |
|
QiHang Media Web Digital Signage 3.0.9 contains a cleartext credentials vulnerability that allows unauthenticated attackers to access administrative login information through an unprotected XML file. Attackers can retrieve hardcoded admin credentials by requesting the '/xml/User/User.xml' file, enabling direct authentication bypass.
|
|||||
| CVE-2025-0890 | 1 Zyxel | 28 Sbg3300-n000, Sbg3300-n000 Firmware, Sbg3300-nb00 and 25 more | 2025-12-15 | N/A | 9.8 CRITICAL |
|
**UNSUPPORTED WHEN ASSIGNED**
Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so.
|
|||||
| CVE-2025-63361 | 1 Waveshare | 2 Rs232\/485 To Wifi Eth \(b\), Rs232\/485 To Wifi Eth \(b\) Firmware | 2025-12-15 | N/A | 5.7 MEDIUM |
|
Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to render the Administrator password in plaintext.
|
|||||
| CVE-2025-64898 | 1 Adobe | 1 Coldfusion | 2025-12-12 | N/A | 4.3 MEDIUM |
|
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could result in limited unauthorized write access. An attacker could leverage this vulnerability to gain unauthorized access by exploiting improperly stored or transmitted credentials. Exploitation of this issue does not require user interaction.
|
|||||
| CVE-2024-28110 | 1 Cloudevents | 1 Go Sdk | 2025-12-04 | N/A | 7.5 HIGH |
|
Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to ...
Show More |
|||||
| CVE-2025-13758 | 1 Devolutions | 1 Devolutions Server | 2025-12-03 | N/A | 3.5 LOW |
|
Exposure of credentials in unintended requests in Devolutions Server.This issue affects Server: through 2025.2.20, through 2025.3.8.
|
|||||
| CVE-2025-34078 | 1 Nsclient | 1 Nsclient\+\+ | 2025-11-25 | N/A | 7.8 HIGH |
|
A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom s ...
Show More |
|||||
| CVE-2025-36096 | 1 Ibm | 2 Aix, Vios | 2025-11-19 | N/A | 9.0 CRITICAL |
|
IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 stores NIM private keys used in NIM environments in an insecure way which is susceptible to unauthorized access by an attacker using man in the middle techniques.
|
|||||
| CVE-2025-13164 | 2025-11-18 | N/A | 4.9 MEDIUM | ||
|
EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext credentials of AD and system mail from the system frontend.
|
|||||
| CVE-2025-13163 | 2025-11-18 | N/A | 4.9 MEDIUM | ||
|
EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext database account credentials from the system frontend.
|
|||||
| CVE-2025-6526 | 1 70mai | 2 M300, M300 Firmware | 2025-11-14 | 1.8 LOW | 3.1 LOW |
|
A vulnerability, which was classified as problematic, has been found in 70mai M300 up to 20250611. This issue affects some unknown processing of the component HTTP Server. The manipulation leads to insufficiently protected credentials. The attack can only be done within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did ...
Show More |
|||||
| CVE-2025-33093 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2025-11-13 | N/A | 7.5 HIGH |
|
IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored as a Kubernetes secret.
|
|||||
| CVE-2025-34139 | 2025-11-12 | N/A | N/A | ||
|
A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.
|
|||||
| CVE-2025-12636 | 2025-11-12 | N/A | 6.5 MEDIUM | ||
|
The Ubia camera ecosystem fails to adequately secure API credentials,
potentially enabling an attacker to connect to backend services. The
attacker would then be able to gain unauthorized access to available
cameras, enabling the viewing of live feeds or modification of settings.
|
|||||
| CVE-2025-42897 | 2025-11-12 | N/A | 5.3 MEDIUM | ||
|
Due to information disclosure vulnerability in anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. As a result, it has a low impact on the confidentiality of the application but no impact on the integrity and availability.
|
|||||
| CVE-2025-6571 | 2025-11-12 | N/A | 6.0 MEDIUM | ||
|
A 3rd-party component exposed its password in process arguments, allowing for low-privileged users to access it.
|
|||||
| CVE-2025-54863 | 1 Radiometrics | 1 Vizair | 2025-11-12 | N/A | 10.0 CRITICAL |
|
Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file. This allows attackers to remotely alter weather data and configurations, automate attacks against multiple instances, and extract sensitive meteorological data, which could potentially compromise airport operations. Additionally, attackers could flood the system with false alerts, leading to a denial-of-service condition and significant disruption to airport operations. Un ...
Show More |
|||||
| CVE-2022-30231 | 1 Siemens | 1 Sicam Gridedge Essential | 2025-11-12 | 4.0 MEDIUM | 4.9 MEDIUM |
|
A vulnerability has been identified in SICAM GridEdge (Classic) (All versions < V2.6.6). The affected application discloses password hashes of other users upon request. This could allow an authenticated user to retrieve another user's password hash.
|
|||||