Total
1266 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-11349 | 1 Datataker | 2 Dt8x, Dt8x Firmware | 2026-01-16 | 5.0 MEDIUM | 9.8 CRITICAL |
| dataTaker DT8x dEX 1.72.007 allows remote attackers to compose programs or schedules, for purposes such as sending e-mail messages or making outbound connections to FTP servers for uploading data. | |||||
| CVE-2021-47759 | 2026-01-16 | N/A | 6.2 MEDIUM | ||
| MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. Attackers can run a PowerShell command to retrieve the full command line of MTPutty processes, exposing plaintext SSH credentials. | |||||
| CVE-2025-26628 | 1 Microsoft | 1 Azure Local Cluster | 2026-01-16 | N/A | 7.3 HIGH |
| Insufficiently protected credentials in Azure Local Cluster allows an authorized attacker to disclose information locally. | |||||
| CVE-2026-22043 | 1 Rustfs | 1 Rustfs | 2026-01-15 | N/A | 9.8 CRITICAL |
| RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue. | |||||
| CVE-2023-32280 | 1 Intel | 54 Openbmc, Xeon Bronze 3408u, Xeon Gold 5403n and 51 more | 2026-01-14 | N/A | 5.3 MEDIUM |
| Insufficiently protected credentials in some Intel(R) Server Product OpenBMC firmware before versions egs-1.05 may allow an unauthenticated user to enable information disclosure via network access. | |||||
| CVE-2025-69271 | 3 Broadcom, Linux, Microsoft | 3 Dx Netops Spectrum, Linux Kernel, Windows | 2026-01-14 | N/A | 7.5 HIGH |
| Insufficiently Protected Credentials vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 24.3.13 and earlier. | |||||
| CVE-2025-67732 | 1 Dify | 1 Dify | 2026-01-12 | N/A | 6.5 MEDIUM |
| Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0 fixes the issue. | |||||
| CVE-2025-64420 | 1 Coollabs | 1 Coolify | 2026-01-12 | N/A | 9.9 CRITICAL |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available. | |||||
| CVE-2024-23583 | 2 Hcltech, Microsoft | 2 Bigfix Platform, Windows | 2026-01-08 | N/A | 6.7 MEDIUM |
| An attacker could potentially intercept credentials via the task manager and perform unauthorized access to the Client Deploy Tool on Windows systems. | |||||
| CVE-2025-64122 | 2026-01-08 | N/A | N/A | ||
| Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Signature Spoofing by Key Theft.This issue affects Multi-Stack Controller (MSC): through 2.5.1. | |||||
| CVE-2021-47741 | 2025-12-31 | N/A | 7.5 HIGH | ||
| ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints. Attackers can exploit the vulnerability by accessing the configuration backup or password page to disclose the super user password and gain additional privileged functionalities. | |||||
| CVE-2021-47726 | 2025-12-31 | N/A | 7.5 HIGH | ||
| NuCom 11N Wireless Router 5.07.90 contains a privilege escalation vulnerability that allows non-privileged users to access administrative credentials through the configuration backup endpoint. Attackers can send a crafted HTTP GET request to the backup configuration page with a specific cookie to retrieve and decode the admin password in Base64 format. | |||||
| CVE-2019-6242 | 1 Kentico | 1 Xperience | 2025-12-19 | 4.0 MEDIUM | 7.2 HIGH |
| Kentico v10.0.42 allows Global Administrators to read the cleartext SMTP Password by navigating to the SMTP configuration page. NOTE: the vendor considers this a best-practice violation but not a vulnerability. The vendor plans to fix it at a future time | |||||
| CVE-2025-14148 | 1 Ibm | 1 Devops Deploy | 2025-12-18 | N/A | 6.5 MEDIUM |
| IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 could allow an authenticated user with LLM integration configuration privileges to recover a previously saved LLM API Token. | |||||
| CVE-2025-48709 | 1 Bmc | 1 Control-m\/server | 2025-12-18 | N/A | 3.8 LOW |
| BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307. | |||||
| CVE-2025-66029 | 2025-12-18 | N/A | 7.6 HIGH | ||
| Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create an origin server on a compute node that record these headers when unsuspecting users connect to it. Maintainers anticipate a patch in a 4.1 release. Workarounds exist for 4.0.x versions. Using `custom_location_directives` in `ood_portal.yml` in version 4.0.x (not available for versions below 4.0) centers can unset and or edit these headers. Note that `OIDCPassClaimsAs both` is the default and centers can set `OIDCPassClaimsAs ` to `none` or `environment` to stop passing these headers to the client. Centers that have an OIDC provider with the `OIDCPassClaimsAs` with `none` or `environment` settings can adjust the settings using guidance provided in GHSA-2cwp-8g29-9q32 to unset the mod_auth_openidc_session cookies. | |||||
| CVE-2025-58130 | 1 Apache | 1 Fineract | 2025-12-18 | N/A | 9.1 CRITICAL |
| Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release. | |||||
| CVE-2020-36896 | 1 Howfor | 1 Qihang Media Web Digital Signage | 2025-12-17 | N/A | 7.5 HIGH |
| QiHang Media Web Digital Signage 3.0.9 contains a cleartext credentials vulnerability that allows unauthenticated attackers to access administrative login information through an unprotected XML file. Attackers can retrieve hardcoded admin credentials by requesting the '/xml/User/User.xml' file, enabling direct authentication bypass. | |||||
| CVE-2025-0890 | 1 Zyxel | 28 Sbg3300-n000, Sbg3300-n000 Firmware, Sbg3300-nb00 and 25 more | 2025-12-15 | N/A | 9.8 CRITICAL |
| **UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so. | |||||
| CVE-2025-63361 | 1 Waveshare | 2 Rs232\/485 To Wifi Eth \(b\), Rs232\/485 To Wifi Eth \(b\) Firmware | 2025-12-15 | N/A | 5.7 MEDIUM |
| Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to render the Administrator password in plaintext. | |||||