Total
860 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-8874 | 2026-06-04 | N/A | 7.1 HIGH | ||
| Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS. | |||||
| CVE-2026-36610 | 2026-06-04 | N/A | 5.9 MEDIUM | ||
| Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials. | |||||
| CVE-2023-52951 | 2026-06-04 | N/A | 5.9 MEDIUM | ||
| A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential. | |||||
| CVE-2026-45432 | 2026-06-04 | N/A | N/A | ||
| This vulnerability exists in GX Earth ONT models due to the transmission of user credentials in plaintext over HTTP in its web management interface. A remote attacker could exploit this vulnerability by intercepting network traffic to obtain sensitive authentication information, which could lead to unauthorized access to the targeted device. | |||||
| CVE-2026-7666 | 2026-06-04 | N/A | 3.1 LOW | ||
| An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue. | |||||
| CVE-2026-10584 | 2026-06-04 | N/A | 5.9 MEDIUM | ||
| Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To remediate this issue, users should upgrade to Graph Explorer v3.0.1 or later. | |||||
| CVE-2026-34126 | 1 Tp-link | 6 Tapo D100c, Tapo D100c Firmware, Tapo L535e and 3 more | 2026-06-03 | N/A | 7.5 HIGH |
| TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization. An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization. D100C is the chime delivered with your Tapo camera, and it is delivered with the following Tapo products: D130, D210, D235, D225, TD21, TDB21 and TD25 | |||||
| CVE-2026-5119 | 2 Gnome, Redhat | 2 Libsoup, Enterprise Linux | 2026-06-03 | N/A | 5.9 MEDIUM |
| A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation. | |||||
| CVE-2018-8855 | 1 Echelon | 8 I.lon 100, I.lon 100 Firmware, I.lon 600 and 5 more | 2026-06-02 | 7.5 HIGH | 9.8 CRITICAL |
| Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP. | |||||
| CVE-2015-0987 | 1 Omron | 3 Cj2h Plc, Cj2m Plc, Cx-programmer | 2026-06-02 | 5.0 MEDIUM | 10.0 CRITICAL |
| Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, and CJ2H PLC devices before 1.5 rely on cleartext password transmission, which allows remote attackers to obtain sensitive information by sniffing the network during a PLC unlock request. | |||||
| CVE-2026-43625 | 2026-06-02 | N/A | 5.9 MEDIUM | ||
| CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers can position themselves on the network path to receive cleartext HTTP requests carrying imported session cookies when a provider-controlled redirect target issues a redirect to a cleartext HTTP endpoint within the same provider domain. | |||||
| CVE-2026-48902 | 1 Joomla | 1 Joomla\! | 2026-06-02 | N/A | 9.8 CRITICAL |
| The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. | |||||
| CVE-2026-25599 | 2026-06-01 | N/A | 6.3 MEDIUM | ||
| Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices communicating with the Orca server over an unencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an attacker to impersonate a legitimate device and inject malicious payloads. This enables the insertion of harmful code directly into the Orca user portal, potentially compromising user accounts, exposing sensitive information, and allowing further unauthorized actions within the portal. | |||||
| CVE-2023-3272 | 1 Sick | 2 Icr890-4, Icr890-4 Firmware | 2026-06-01 | N/A | 7.5 HIGH |
| Cleartext Transmission of Sensitive Information in the SICK ICR890-4 could allow a remote attacker to gather sensitive information by intercepting network traffic that is not encrypted. | |||||
| CVE-2025-13454 | 1 Lenovo | 8 Thinkplus Fu100, Thinkplus Fu100 Firmware, Thinkplus Fu200 and 5 more | 2026-06-01 | N/A | 5.5 MEDIUM |
| A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information. | |||||
| CVE-2021-22703 | 1 Schneider-electric | 20 Powerlogic Ion7400, Powerlogic Ion7400 Firmware, Powerlogic Ion7650 and 17 more | 2026-05-29 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user credentials when a malicious actor intercepts HTTP network traffic between a user and the device. | |||||
| CVE-2021-22702 | 1 Schneider-electric | 24 Powerlogic Ion7300, Powerlogic Ion7300 Firmware, Powerlogic Ion7400 and 21 more | 2026-05-29 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user credentials when a malicious actor intercepts Telnet network traffic between a user and the device. | |||||
| CVE-2020-7488 | 1 Schneider-electric | 11 Ecostruxure Machine Expert, Modicon M218, Modicon M218 Firmware and 8 more | 2026-05-28 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists which could leak sensitive information transmitted between the software and the Modicon M218, M241, M251, and M258 controllers. | |||||
| CVE-2024-47269 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2026-05-28 | N/A | 4.9 MEDIUM |
| Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors. | |||||
| CVE-2026-24212 | 2 Linux, Nvidia | 2 Linux Kernel, Isaac Launchable | 2026-05-27 | N/A | 7.5 HIGH |
| NVIDIA Isaac Launchable for Linux contains a vulnerability where sensitive information is transmitted in clear text. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | |||||