Search Results (4601 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-49194 1 Sick 1 Media Server 2026-01-26 7.5 High
The server supports authentication methods in which credentials are sent in plaintext over unencrypted channels. If an attacker were to intercept traffic between a client and this server, the credentials would be exposed.
CVE-2024-30406 2 Juniper, Juniper Networks 13 Acx5448, Acx5448-d, Acx5448-m and 10 more 2026-01-23 5.5 Medium
A Cleartext Storage in a File on Disk vulnerability in Juniper Networks Junos OS Evolved ACX Series devices using the Paragon Active Assurance Test Agent software installed on network devices allows a local, authenticated attacker with high privileges to read all other users login credentials. This issue affects only Juniper Networks Junos OS Evolved ACX Series devices using the Paragon Active Assurance Test Agent software installed on these devices from 23.1R1-EVO through 23.2R2-EVO.  This issue does not affect releases before 23.1R1-EVO.
CVE-2025-64769 1 Aveva 1 Process Optimization 2026-01-22 7.1 High
The Process Optimization application suite leverages connection channels/protocols that by-default are not encrypted and could become subject to hijacking or data leakage in certain man-in-the-middle or passive inspection scenarios.
CVE-2025-63208 1 Bridgetech 2 Vb288, Vb288 Firmware 2026-01-15 7.5 High
An issue was discovered in bridgetech VB288 Objective QoE Content Extractor, firmware version 5.6.0-8, allowing attackers to gain sensitive information such as administrator passwords via the /probe/core/setup/passwd endpoint.
CVE-2025-25613 1 Fs 2 S3150-8t2f, S3150-8t2f Firmware 2026-01-15 7.5 High
FS Inc S3150-8T2F 8-Port Gigabit Ethernet L2+ Switch, 8 x Gigabit RJ45, with 2 x 1Gb SFP, Fanless. All versions before 2.2.0D Build 135103 were discovered to transmit cookies for their web based administrative application containing usernames and passwords. These were transmitted in cleartext using simple base64 encoding during every POST request made to the server.
CVE-2025-69272 3 Broadcom, Linux, Microsoft 3 Dx Netops Spectrum, Linux Kernel, Windows 2026-01-14 7.5 High
Cleartext Transmission of Sensitive Information vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 21.2.1 and earlier.
CVE-2024-35282 1 Fortinet 2 Forticlient, Forticlientios 2026-01-14 3.9 Low
A cleartext storage of sensitive information in memory vulnerability [CWE-316] affecting FortiClient VPN iOS 7.2 all versions, 7.0 all versions, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an unauthenticated attacker that has physical access to a jailbroken device to obtain cleartext passwords via keychain dump.
CVE-2025-62578 2 Delta Electronics, Deltaww 3 Dvp-12se, Dvp-12se, Dvp-12se Firmware 2026-01-08 7.5 High
DVP-12SE - Modbus/TCP Cleartext Transmission of Sensitive Information
CVE-2024-7259 2 Ovirt, Redhat 3 Ovirt-engine, Rhev Hypervisor, Virtualization 2026-01-08 4.9 Medium
A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.
CVE-2025-62330 2 Hcltech, Hcltechsw 2 Devops Deploy, Hcl Devops Deploy 2026-01-07 5.9 Medium
HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information because the HTTP port remains accessible and does not redirect to HTTPS as intended. As a result, an attacker with network access could intercept or modify user credentials and session-related data via passive monitoring or man-in-the-middle attacks.
CVE-2025-65855 2 Netun, Netun Solutions 3 Helpflash Iot, Helpflash Iot Firmware, Helpflash Iot 2026-01-06 6.6 Medium
The OTA firmware update mechanism in Netun Solutions HelpFlash IoT (firmware v18_178_221102_ASCII_PRO_1R5_50) uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate firmware signatures. An attacker with brief physical access can activate OTA mode (8-second button press), create a malicious WiFi AP using the known credentials, and serve malicious firmware via unauthenticated HTTP to achieve arbitrary code execution on this safety-critical emergency signaling device.
CVE-2025-65832 1 Meatmeet 1 Meatmeet 2026-01-06 4.6 Medium
The mobile application insecurely handles information stored within memory. By performing a memory dump on the application after a user has logged out and terminated it, Wi-Fi credentials sent during the pairing process, JWTs used for authentication, and other sensitive details can be retrieved. As a result, an attacker with physical access to the device of a victim can retrieve this information and gain unauthorized access to their home Wi-Fi network and Meatmeet account.
CVE-2025-36154 1 Ibm 1 Concert 2025-12-30 6.2 Medium
IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user.
CVE-2025-65825 1 Meatmeet 3 Meatmeet, Meatmeet Pro Wifi \& Bluetooth Meat Thermometer, Meatmeet Pro Wifi \& Bluetooth Meat Thermometer Firmware 2025-12-30 4.6 Medium
The firmware on the basestation of the Meatmeet is not encrypted. An adversary with physical access to the Meatmeet device can disassemble the device, connect over UART, and retrieve the firmware dump for analysis. Within the NVS partition they may discover the credentials of the current and previous Wi-Fi networks. This information could be used to gain unauthorized access to the victim's Wi-Fi network.
CVE-2025-65826 1 Meatmeet 2 Meatmeet, Meatmeet Pro 2025-12-30 9.8 Critical
The mobile application was found to contain stored credentials for the network it was developed on. If an attacker retrieved this, and found the physical location of the Wi-Fi network, they could gain unauthorized access to the Wi-Fi network of the vendor. Additionally, if an attacker were located in close physical proximity to the device when it was first set up, they may be able to force the device to auto-connect to an attacker-controlled access point by setting the SSID and password to the same as which was found in the firmware file.
CVE-2025-65827 1 Meatmeet 2 Meatmeet, Meatmeet Pro 2025-12-30 9.1 Critical
The mobile application is configured to allow clear text traffic to all domains and communicates with an API server over HTTP. As a result, an adversary located "upstream" can intercept the traffic, inspect its contents, and modify the requests in transit. TThis may result in a total compromise of the user's account if the attacker intercepts a request with active authentication tokens or cracks the MD5 hash sent on login.
CVE-2025-63729 1 Syrotech 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware 2025-12-30 9 Critical
An issue was discovered in Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517 allowing attackers to exctract the SSL Private Key, CA Certificate, SSL Certificate, and Client Certificates in .pem format in firmware in etc folder.
CVE-2025-65278 2 Grocerymart Project, Komal97 2 Grocerymart, Grocerymart 2025-12-30 7.5 High
An issue was discovered in file users.json in GroceryMart commit 21934e6 (2020-10-23) allowing unauthenticated attackers to gain sensitive information including plaintext usernames and passwords.
CVE-2025-13489 1 Ibm 2 Devops Deploy, Ucd Ibm Devops Deploy 2025-12-26 5.9 Medium
IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 IBM DevOps Deploy transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.
CVE-2024-32384 1 Kerlink 1 Keros 2025-12-23 6.8 Medium
Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker to intercept and modify traffic between the client and the device.