Total
783 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-22080 | 2026-01-09 | N/A | N/A | ||
| This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the Base64-encoded credentials. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. | |||||
| CVE-2026-22079 | 2026-01-09 | N/A | N/A | ||
| This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the credentials transmitted in plaintext. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. | |||||
| CVE-2025-62578 | 1 Deltaww | 2 Dvp-12se, Dvp-12se Firmware | 2026-01-08 | N/A | 7.5 HIGH |
| DVP-12SE - Modbus/TCP Cleartext Transmission of Sensitive Information | |||||
| CVE-2025-67159 | 2026-01-08 | N/A | 7.5 HIGH | ||
| Vatilon v1.12.37-20240124 was discovered to transmit user credentials in plaintext. | |||||
| CVE-2020-36914 | 2026-01-08 | N/A | 7.5 HIGH | ||
| QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie transmission. Attackers can perform man-in-the-middle attacks to capture and potentially misuse stored authentication credentials transmitted in an insecure manner. | |||||
| CVE-2020-36917 | 2026-01-08 | N/A | 7.5 HIGH | ||
| iDS6 DSSPro Digital Signage System 6.2 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept authentication credentials through cleartext cookie transmission. Attackers can exploit the autoSave feature to capture user passwords during man-in-the-middle attacks on HTTP communications. | |||||
| CVE-2026-22544 | 2026-01-08 | N/A | N/A | ||
| An attacker with a network connection could detect credentials in clear text. | |||||
| CVE-2019-25278 | 2026-01-08 | N/A | 7.5 HIGH | ||
| FaceSentry Access Control System 6.4.8 contains a cleartext transmission vulnerability that allows remote attackers to intercept authentication credentials. Attackers can perform man-in-the-middle attacks to capture HTTP cookie authentication information during network communication. | |||||
| CVE-2025-62330 | 1 Hcltechsw | 1 Hcl Devops Deploy | 2026-01-07 | N/A | 5.9 MEDIUM |
| HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information because the HTTP port remains accessible and does not redirect to HTTPS as intended. As a result, an attacker with network access could intercept or modify user credentials and session-related data via passive monitoring or man-in-the-middle attacks. | |||||
| CVE-2025-65855 | 1 Netun | 2 Helpflash Iot, Helpflash Iot Firmware | 2026-01-06 | N/A | 6.6 MEDIUM |
| The OTA firmware update mechanism in Netun Solutions HelpFlash IoT (firmware v18_178_221102_ASCII_PRO_1R5_50) uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate firmware signatures. An attacker with brief physical access can activate OTA mode (8-second button press), create a malicious WiFi AP using the known credentials, and serve malicious firmware via unauthenticated HTTP to achieve arbitrary code execution on this safety-critical emergency signaling device. | |||||
| CVE-2025-65827 | 1 Meatmeet | 1 Meatmeet | 2025-12-30 | N/A | 9.1 CRITICAL |
| The mobile application is configured to allow clear text traffic to all domains and communicates with an API server over HTTP. As a result, an adversary located "upstream" can intercept the traffic, inspect its contents, and modify the requests in transit. TThis may result in a total compromise of the user's account if the attacker intercepts a request with active authentication tokens or cracks the MD5 hash sent on login. | |||||
| CVE-2025-13489 | 1 Ibm | 1 Devops Deploy | 2025-12-26 | N/A | 5.9 MEDIUM |
| IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 IBM DevOps Deploy transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques. | |||||
| CVE-2024-32384 | 1 Kerlink | 1 Keros | 2025-12-23 | N/A | 6.8 MEDIUM |
| Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker to intercept and modify traffic between the client and the device. | |||||
| CVE-2025-61738 | 2025-12-23 | N/A | N/A | ||
| Under certain circumstances, attacker can capture the network key, read or write encrypted packets on the PowerG network. | |||||
| CVE-2025-66573 | 1 Mersive | 2 Solstice Pod, Solstice Pod Firmware | 2025-12-23 | N/A | 7.5 HIGH |
| Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication. | |||||
| CVE-2023-53881 | 1 Ruijienetworks | 1 Reyee Os | 2025-12-18 | N/A | 8.1 HIGH |
| ReyeeOS 1.204.1614 contains an unencrypted CWMP communication vulnerability that allows attackers to intercept and manipulate device communication through a man-in-the-middle attack. Attackers can create a fake CWMP server to inject and execute arbitrary commands on Ruijie Reyee Cloud devices by exploiting the unprotected HTTP polling requests. | |||||
| CVE-2023-53875 | 1 Gomlab | 1 Gom Player | 2025-12-18 | N/A | 8.8 HIGH |
| GOM Player 2.3.90.5360 contains a remote code execution vulnerability in its Internet Explorer component that allows attackers to execute arbitrary code through DNS spoofing. Attackers can redirect victims using a malicious URL shortcut and WebDAV technique to run a reverse shell with SMB server interaction. | |||||
| CVE-2025-63364 | 1 Waveshare | 2 Rs232\/485 To Wifi Eth \(b\), Rs232\/485 To Wifi Eth \(b\) Firmware | 2025-12-16 | N/A | 7.5 HIGH |
| Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to transmit Administrator credentials in plaintext. | |||||
| CVE-2024-43187 | 1 Ibm | 2 Security Verify Access, Security Verify Access Docker | 2025-12-15 | N/A | 5.9 MEDIUM |
| IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. | |||||
| CVE-2025-36274 | 1 Ibm | 1 Aspera Http Gateway | 2025-12-11 | N/A | 7.5 HIGH |
| IBM Aspera HTTP Gateway 2.0.0 through 2.3.1 stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user. | |||||