Total
827 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22271 | 2026-01-23 | 7.5 High | ||
| Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | ||||
| CVE-2026-22274 | 2026-01-23 | 6.5 Medium | ||
| Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit. | ||||
| CVE-2026-0767 | 2026-01-23 | N/A | ||
| Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of credentials provided to the endpoint. The issue results from transmitting sensitive information in plaintext. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-28259. | ||||
| CVE-2025-64769 | 1 Aveva | 1 Process Optimization | 2026-01-22 | 7.1 High |
| The Process Optimization application suite leverages connection channels/protocols that by-default are not encrypted and could become subject to hijacking or data leakage in certain man-in-the-middle or passive inspection scenarios. | ||||
| CVE-2019-25278 | 1 Iwt | 2 Facesentry Access Control System, Facesentry Access Control System Firmware | 2026-01-16 | 5.9 Medium |
| FaceSentry Access Control System 6.4.8 contains a cleartext transmission vulnerability that allows remote attackers to intercept authentication credentials. Attackers can perform man-in-the-middle attacks to capture HTTP cookie authentication information during network communication. | ||||
| CVE-2025-13454 | 1 Lenovo | 4 Thinkplus Fu100, Thinkplus Fu200, Thinkplus Tsd303 and 1 more | 2026-01-16 | 4.7 Medium |
| A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information. | ||||
| CVE-2020-36917 | 2026-01-15 | 7.5 High | ||
| iDS6 DSSPro Digital Signage System 6.2 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept authentication credentials through cleartext cookie transmission. Attackers can exploit the autoSave feature to capture user passwords during man-in-the-middle attacks on HTTP communications. | ||||
| CVE-2025-69272 | 3 Broadcom, Linux, Microsoft | 3 Dx Netops Spectrum, Linux Kernel, Windows | 2026-01-14 | 7.5 High |
| Cleartext Transmission of Sensitive Information vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 21.2.1 and earlier. | ||||
| CVE-2026-22079 | 1 Tenda | 2 F3, N300 | 2026-01-13 | N/A |
| This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the credentials transmitted in plaintext. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. | ||||
| CVE-2026-22080 | 1 Tenda | 2 F3, N300 | 2026-01-13 | N/A |
| This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the Base64-encoded credentials. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. | ||||
| CVE-2025-62578 | 2 Delta Electronics, Deltaww | 3 Dvp-12se, Dvp-12se, Dvp-12se Firmware | 2026-01-08 | 7.5 High |
| DVP-12SE - Modbus/TCP Cleartext Transmission of Sensitive Information | ||||
| CVE-2025-67159 | 2026-01-08 | 7.5 High | ||
| Vatilon v1.12.37-20240124 was discovered to transmit user credentials in plaintext. | ||||
| CVE-2020-36914 | 1 Qihang Media | 1 Web Digital Signage | 2026-01-08 | 7.5 High |
| QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie transmission. Attackers can perform man-in-the-middle attacks to capture and potentially misuse stored authentication credentials transmitted in an insecure manner. | ||||
| CVE-2026-22544 | 2026-01-08 | N/A | ||
| An attacker with a network connection could detect credentials in clear text. | ||||
| CVE-2025-62330 | 2 Hcltech, Hcltechsw | 2 Devops Deploy, Hcl Devops Deploy | 2026-01-07 | 5.9 Medium |
| HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information because the HTTP port remains accessible and does not redirect to HTTPS as intended. As a result, an attacker with network access could intercept or modify user credentials and session-related data via passive monitoring or man-in-the-middle attacks. | ||||
| CVE-2025-11492 | 1 Connectwise | 1 Automate | 2026-01-07 | 9.6 Critical |
| In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications. | ||||
| CVE-2025-65855 | 2 Netun, Netun Solutions | 3 Helpflash Iot, Helpflash Iot Firmware, Helpflash Iot | 2026-01-06 | 6.6 Medium |
| The OTA firmware update mechanism in Netun Solutions HelpFlash IoT (firmware v18_178_221102_ASCII_PRO_1R5_50) uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate firmware signatures. An attacker with brief physical access can activate OTA mode (8-second button press), create a malicious WiFi AP using the known credentials, and serve malicious firmware via unauthenticated HTTP to achieve arbitrary code execution on this safety-critical emergency signaling device. | ||||
| CVE-2025-55248 | 4 Apple, Linux, Microsoft and 1 more | 22 Macos, Linux Kernel, .net and 19 more | 2026-01-02 | 4.8 Medium |
| Inadequate encryption strength in .NET, .NET Framework, Visual Studio allows an authorized attacker to disclose information over a network. | ||||
| CVE-2025-53139 | 1 Microsoft | 17 Windows, Windows 10, Windows 10 21h2 and 14 more | 2026-01-02 | 7.7 High |
| Cleartext transmission of sensitive information in Windows Hello allows an unauthorized attacker to bypass a security feature locally. | ||||
| CVE-2025-65827 | 1 Meatmeet | 2 Meatmeet, Meatmeet Pro | 2025-12-30 | 9.1 Critical |
| The mobile application is configured to allow clear text traffic to all domains and communicates with an API server over HTTP. As a result, an adversary located "upstream" can intercept the traffic, inspect its contents, and modify the requests in transit. TThis may result in a total compromise of the user's account if the attacker intercepts a request with active authentication tokens or cracks the MD5 hash sent on login. | ||||