Total
1305 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-48709 | 1 Bmc | 1 Control-m\/server | 2025-12-18 | N/A | 3.8 LOW |
| BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307. | |||||
| CVE-2025-58130 | 1 Apache | 1 Fineract | 2025-12-18 | N/A | 9.1 CRITICAL |
| Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release. | |||||
| CVE-2020-36896 | 1 Howfor | 1 Qihang Media Web Digital Signage | 2025-12-17 | N/A | 7.5 HIGH |
| QiHang Media Web Digital Signage 3.0.9 contains a cleartext credentials vulnerability that allows unauthenticated attackers to access administrative login information through an unprotected XML file. Attackers can retrieve hardcoded admin credentials by requesting the '/xml/User/User.xml' file, enabling direct authentication bypass. | |||||
| CVE-2025-0890 | 1 Zyxel | 28 Sbg3300-n000, Sbg3300-n000 Firmware, Sbg3300-nb00 and 25 more | 2025-12-15 | N/A | 9.8 CRITICAL |
| **UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so. | |||||
| CVE-2025-63361 | 1 Waveshare | 2 Rs232\/485 To Wifi Eth \(b\), Rs232\/485 To Wifi Eth \(b\) Firmware | 2025-12-15 | N/A | 5.7 MEDIUM |
| Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to render the Administrator password in plaintext. | |||||
| CVE-2025-64898 | 1 Adobe | 1 Coldfusion | 2025-12-12 | N/A | 4.3 MEDIUM |
| ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could result in limited unauthorized write access. An attacker could leverage this vulnerability to gain unauthorized access by exploiting improperly stored or transmitted credentials. Exploitation of this issue does not require user interaction. | |||||
| CVE-2024-28110 | 1 Cloudevents | 1 Go Sdk | 2025-12-04 | N/A | 7.5 HIGH |
| Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue. | |||||
| CVE-2025-13758 | 1 Devolutions | 1 Devolutions Server | 2025-12-03 | N/A | 3.5 LOW |
| Exposure of credentials in unintended requests in Devolutions Server.This issue affects Server: through 2025.2.20, through 2025.3.8. | |||||
| CVE-2025-34078 | 1 Nsclient | 1 Nsclient\+\+ | 2025-11-25 | N/A | 7.8 HIGH |
| A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API. This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions. | |||||
| CVE-2025-36096 | 1 Ibm | 2 Aix, Vios | 2025-11-19 | N/A | 9.0 CRITICAL |
| IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 stores NIM private keys used in NIM environments in an insecure way which is susceptible to unauthorized access by an attacker using man in the middle techniques. | |||||
| CVE-2025-13164 | 2025-11-18 | N/A | 4.9 MEDIUM | ||
| EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext credentials of AD and system mail from the system frontend. | |||||
| CVE-2025-13163 | 2025-11-18 | N/A | 4.9 MEDIUM | ||
| EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext database account credentials from the system frontend. | |||||
| CVE-2025-6526 | 1 70mai | 2 M300, M300 Firmware | 2025-11-14 | 1.8 LOW | 3.1 LOW |
| A vulnerability, which was classified as problematic, has been found in 70mai M300 up to 20250611. This issue affects some unknown processing of the component HTTP Server. The manipulation leads to insufficiently protected credentials. The attack can only be done within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-33093 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2025-11-13 | N/A | 7.5 HIGH |
| IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored as a Kubernetes secret. | |||||
| CVE-2025-34139 | 2025-11-12 | N/A | N/A | ||
| A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected. | |||||
| CVE-2025-12636 | 2025-11-12 | N/A | 6.5 MEDIUM | ||
| The Ubia camera ecosystem fails to adequately secure API credentials, potentially enabling an attacker to connect to backend services. The attacker would then be able to gain unauthorized access to available cameras, enabling the viewing of live feeds or modification of settings. | |||||
| CVE-2025-42897 | 2025-11-12 | N/A | 5.3 MEDIUM | ||
| Due to information disclosure vulnerability in anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. As a result, it has a low impact on the confidentiality of the application but no impact on the integrity and availability. | |||||
| CVE-2025-6571 | 2025-11-12 | N/A | 6.0 MEDIUM | ||
| A 3rd-party component exposed its password in process arguments, allowing for low-privileged users to access it. | |||||
| CVE-2025-54863 | 1 Radiometrics | 1 Vizair | 2025-11-12 | N/A | 10.0 CRITICAL |
| Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file. This allows attackers to remotely alter weather data and configurations, automate attacks against multiple instances, and extract sensitive meteorological data, which could potentially compromise airport operations. Additionally, attackers could flood the system with false alerts, leading to a denial-of-service condition and significant disruption to airport operations. Unauthorized remote control over aviation weather monitoring and data manipulation could result in incorrect flight planning and hazardous takeoff and landing conditions. | |||||
| CVE-2022-30231 | 1 Siemens | 1 Sicam Gridedge Essential | 2025-11-12 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability has been identified in SICAM GridEdge (Classic) (All versions < V2.6.6). The affected application discloses password hashes of other users upon request. This could allow an authenticated user to retrieve another user's password hash. | |||||