Total
760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4540 | | | 2026-04-15 | N/A | 7.5 HIGH |
| A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability. | |||||
| CVE-2025-0142 | | | 2026-04-15 | N/A | 4.3 MEDIUM |
| Cleartext storage of sensitive information in the Zoom Jenkins Marketplace plugin before version 1.4 may allow an authenticated user to conduct a disclosure of information via network access. | |||||
| CVE-2023-28912 | | | 2026-04-15 | N/A | 5.7 MEDIUM |
| The MIB3 unit stores the synchronized phone contact book in clear-text, allowing an attacker with either code execution privilege on the system or physical access to the system to obtain vehicle owner's contact data. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | |||||
| CVE-2024-23584 | | | 2026-04-15 | N/A | 6.6 MEDIUM |
| The NMAP Importer service may expose data store credentials to authorized users of the Windows Registry. | |||||
| CVE-2024-28327 | | | 2026-04-15 | N/A | 8.4 HIGH |
| Asus RT-N12+ B1 router stores user passwords in plaintext, which could allow local attackers to obtain unauthorized access and modify router settings. | |||||
| CVE-2024-12094 | | | 2026-04-15 | N/A | N/A |
| This vulnerability exists in the Tinxy mobile app due to storage of logged-in user information in plaintext on the device database. An attacker with physical access to the rooted device could exploit this vulnerability by accessing its database leading to unauthorized access of user information such as username, email address and mobile number. Note: To exploit this vulnerability, the device must be rooted/jailbroken. | |||||
| CVE-2025-54855 | | | 2026-04-15 | N/A | 4.2 MEDIUM |
| Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text. | |||||
| CVE-2023-46294 | | | 2026-04-15 | N/A | 3.4 LOW |
| An issue was discovered in Teledyne FLIR M300 2.00-19. User account passwords are encrypted locally, and can be decrypted to cleartext passwords using the utility umSetup. This utility requires root permissions to execute. | |||||
| CVE-2024-55582 | | | 2026-04-15 | N/A | 5.7 MEDIUM |
| Oxide before 6 has unencrypted Control Plane datastores. | |||||
| CVE-2025-32353 | | | 2026-04-15 | N/A | 8.2 HIGH |
| Kaseya Rapid Fire Tools Network Detective 2.0.16.0 has Unencrypted Credentials (for privileged access) stored in the collector.txt configuration file. | |||||
| CVE-2024-9432 | | | 2026-04-15 | N/A | N/A |
| Cleartext Storage of Sensitive Information vulnerability in OpenText™ Vertica allows Retrieve Embedded Sensitive Data. The vulnerability could read Vertica agent plaintext apikey. This issue affects Vertica versions: 23.X, 24.X, 25.X. | |||||
| CVE-2024-3742 | | | 2026-04-15 | N/A | 7.5 HIGH |
| Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the system. | |||||
| CVE-2025-41647 | | | 2026-04-15 | N/A | 5.5 MEDIUM |
| A local, low-privileged attacker can learn the password of the connected controller in PLC Designer V4 due to an incorrect implementation that results in the password being displayed in plain text under special conditions. | |||||
| CVE-2024-33470 | | | 2026-04-15 | N/A | 4.9 MEDIUM |
| An issue in the SMTP Email Settings of AVTECH Room Alert 4E v4.4.0 allows attackers to gain access to credentials in plaintext via a passback attack. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-40457 | | | 2026-04-15 | N/A | 9.1 CRITICAL |
| No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. NOTE: the vendor's position is that cleartext in /etc/default/noip-duc is recommended and is the intentional behavior. | |||||
| CVE-2024-58277 | | | 2026-04-15 | N/A | N/A |
| R Radio Network FM Transmitter 1.07 allows unauthenticated attackers to access the admin user's password through the system.cgi endpoint, enabling authentication bypass and FM station setup access. | |||||
| CVE-2025-2922 | | | 2026-04-15 | 1.2 LOW | 2.0 LOW |
| A vulnerability classified as problematic was found in Netis WF-2404 1.1.124EN. Affected by this vulnerability is an unknown functionality of the component BusyBox Shell. The manipulation leads to cleartext storage of sensitive information. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-7738 | | | 2026-04-15 | N/A | 4.4 MEDIUM |
| A flaw was found in Ansible Automation Platform (AAP) where the Gateway API returns the client secret for certain GitHub Enterprise authenticators in clear text. This vulnerability affects administrators or auditors accessing authenticator configurations. While access is limited to privileged users, the clear text exposure of sensitive credentials increases the risk of accidental leaks or misuse. | |||||
| CVE-2025-23027 | | | 2026-04-15 | N/A | N/A |
| next-forge is a Next.js project boilerplate for modern web applications. The BASEHUB_TOKEN was committed in apps/web/.env.example. Users should avoid use of this token and should remove any access it may have in their systems. | |||||
| CVE-2025-59102 | | | 2026-04-15 | N/A | N/A |
| The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs are even stored unencrypted. Combined with the fact that an attacker can easily get access to the backup functionality by abusing the session management issue (CVE-2025-59101), or by exploiting the weak default password (CVE-2025-59108), or by simply setting a new password without prior authentication via the SOAP API (CVE-2025-59097), it is easily possible to access the sensitive data on the device. | |||||
