Total
827 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-2539 | 2026-04-15 | N/A | N/A | ||
| The RF communication protocol in the Micca KE700 car alarm system does not encrypt its data frames. An attacker with a radio interception tool (e.g., SDR) can capture the random number and counters transmitted in cleartext, which is sensitive information required for authentication. | |||||
| CVE-2025-59448 | 2026-04-15 | N/A | 4.7 MEDIUM | ||
| Components of the YoSmart YoLink ecosystem through 2025-10-02 leverage unencrypted MQTT to communicate over the internet. An attacker with the ability to monitor network traffic could therefore obtain sensitive information or tamper with the traffic to control affected devices. This affects YoLink Hub 0382, YoLink Mobile Application 1.40.41, and YoLink MQTT Broker. NOTE: The vendor states that the vulnerability described (related to insecure transmission) only impacts the legacy mobile application logic, not the Hub hardware or firmware. The Hub functions solely as a pass-through (transparent gateway) for LoRa wireless data and does not inspect or process the application layer data. | |||||
| CVE-2024-36426 | 2026-04-15 | N/A | 7.5 HIGH | ||
| In TARGIT Decision Suite 23.2.15007.0 before Autumn 2023, the session token is part of the URL and may be sent in a cleartext HTTP session. | |||||
| CVE-2024-40595 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| An authentication-bypass issue in the RDP component of One Identity Safeguard for Privileged Sessions (SPS) On Premise before 7.5.1 (and LTS before 7.0.5.1) allows man-in-the-middle attackers to obtain access to privileged sessions on target resources by intercepting cleartext RDP protocol information. | |||||
| CVE-2025-56447 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure. | |||||
| CVE-2024-48121 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| The HI-SCAN 6040i Hitrax HX-03-19-I was discovered to transmit user credentials in cleartext over the GIOP protocol. This allows attackers to possibly gain access to sensitive information via a man-in-the-middle attack. | |||||
| CVE-2025-52351 | 2026-04-15 | N/A | 8.8 HIGH | ||
| Aikaan IoT management platform v3.25.0325-5-g2e9c59796 sends a newly generated password to users in plaintext via email and also includes the same password as a query parameter in the account activation URL (e.g., https://domain.com/activate=xyz). This practice can result in password exposure via browser history, proxy logs, referrer headers, and email caching. The vulnerability impacts user credential confidentiality during initial onboarding. | |||||
| CVE-2025-53756 | 2026-04-15 | N/A | N/A | ||
| This vulnerability exists in Digisol DG-GR6821AC Router due to cleartext transmission of credentials in its web management interface. A remote attacker could exploit this vulnerability by intercepting the network traffic and capturing cleartext credentials. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted device. | |||||
| CVE-2024-30209 | 2026-04-15 | N/A | 9.6 CRITICAL | ||
| A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected systems transmit client-side resources without proper cryptographic protection. This could allow an attacker to eavesdrop on and modify resources in transit. A successful exploit requires an attacker to be in the network path between the RTLS Locating Manager server and a client (MitM). | |||||
| CVE-2025-53703 | 2026-04-15 | N/A | 7.5 HIGH | ||
| DuraComm SPM-500 DP-10iN-100-MU transmits sensitive data without encryption over a channel that could be intercepted by attackers. | |||||
| CVE-2025-6180 | 2026-04-15 | N/A | N/A | ||
| The StrongDM Client insufficiently protected a pre-authentication token. Attackers could exploit this to intercept and reuse the token, potentially redeeming valid authentication credentials through a race condition. | |||||
| CVE-2026-22080 | 2026-04-15 | N/A | N/A | ||
| This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the Base64-encoded credentials. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. | |||||
| CVE-2025-24849 | 2026-04-15 | N/A | 7.1 HIGH | ||
| Lack of encryption in transit for cloud infrastructure facilitating potential for sensitive data manipulation or exposure. | |||||
| CVE-2025-47698 | 2026-04-15 | N/A | N/A | ||
| An adjacent attacker without authentication can exploit this vulnerability to retrieve a set of user-privileged credentials. These credentials are present during the firmware upgrade procedure. | |||||
| CVE-2025-41718 | 2026-04-15 | N/A | 7.5 HIGH | ||
| A cleartext transmission of sensitive information vulnerability in the affected products allows an unauthorized remote attacker to gain login credentials and access the Web-UI. | |||||
| CVE-2024-0066 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| Johan Fagerström, member of the AXIS OS Bug Bounty Program, has found that a O3C feature may expose sensitive traffic between the client (Axis device) and (O3C) server. If O3C is not being used this flaw does not apply. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | |||||
| CVE-2025-10174 | 2026-04-15 | N/A | 8.3 HIGH | ||
| Cleartext Transmission of Sensitive Information vulnerability in Pan Software & Information Technologies Ltd. PanCafe Pro allows Flooding.This issue affects PanCafe Pro: from < 3.3.2 through 23092025. | |||||
| CVE-2024-27166 | 2026-04-15 | N/A | 7.4 HIGH | ||
| Coredump binaries in Toshiba printers have incorrect permissions. A local attacker can steal confidential information. As for the affected products/models/versions, see the reference URL. | |||||
| CVE-2024-47577 | 2026-04-15 | N/A | 2.7 LOW | ||
| Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability. When an authorized agent searches for customer to manage their accounts, the request url includes customer data and it is recorded in server logs. If an attacker impersonating as authorized admin visits such server logs, then they get access to the customer data. The amount of leaked confidential data however is extremely limited, and the attacker has no control over what data is leaked. | |||||
| CVE-2025-25728 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to send communications to the update API in plaintext, allowing attackers to access sensitive information via a man-in-the-middle attack. | |||||