Total: 860 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2311 | | | 2026-04-15 | N/A | 9.0 CRITICAL |
| Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring. This issue affects SecHard: before 3.3.0.20220411. | |||||
| CVE-2025-10540 | | | 2026-04-15 | N/A | 6.5 MEDIUM |
| iMonitor EAM 9.6394 transmits communication between the EAM client agent and the EAM server, as well as between the EAM monitor management software and the server, in plaintext without authentication or encryption. An attacker with network access can intercept sensitive information (such as credentials, keylogger data, and personally identifiable information) and tamper with traffic. This allows both unauthorized disclosure and modification of data, including issuing arbitrary commands to client agents. | |||||
| CVE-2022-32510 | | | 2026-04-15 | N/A | 7.1 HIGH |
| An issue was discovered on certain Nuki Home Solutions devices. The HTTP API exposed by a Bridge used an unencrypted channel to provide an administrative interface. A token can be easily eavesdropped by a malicious actor to impersonate a legitimate user and gain access to the full set of API endpoints. This affects Nuki Bridge v1 before 1.22.0 and v2 before 2.13.2. | |||||
| CVE-2024-41124 | | | 2026-04-15 | N/A | 6.3 MEDIUM |
| Puncia is the Official CLI utility for Subdomain Center & Exploit Observer. `API_URLS` is utilizing HTTP instead of HTTPS for communication that can lead to issues like Eavesdropping, Data Tampering, Unauthorized Data Access & MITM Attacks. This issue has been addressed in release version 0.21 by using https rather than http connections. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2026-22544 | | | 2026-04-15 | N/A | N/A |
| An attacker with a network connection could detect credentials in clear text. | |||||
| CVE-2025-5087 | | | 2026-04-15 | N/A | N/A |
| Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials. | |||||
| CVE-2025-26654 | | | 2026-04-15 | N/A | 6.8 MEDIUM |
| SAP Commerce Cloud (Public Cloud) does not allow unencrypted HTTP (port 80) to be disabled entirely, but instead allows a redirect from port 80 to 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent on the first request before the redirect may be impacted if the client is configured to use HTTP and sends confidential data on the first request before the redirect. | |||||
| CVE-2025-61738 | | | 2026-04-15 | N/A | N/A |
| Under certain circumstances, an attacker can capture the network key, read or write encrypted packets on the PowerG network. | |||||
| CVE-2025-42603 | | | 2026-04-15 | N/A | N/A |
| This vulnerability exists in the Meon KYC solutions due to transmission of sensitive data in plain text within the response payloads of certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting API response that contains unencrypted sensitive information belonging to other users. Successful exploitation of this vulnerability could allow remote attacker to impersonate the target user and gain unauthorized access to the user account. | |||||
| CVE-2025-64389 | | | 2026-04-15 | N/A | N/A |
| The web server of the device performs exchanges of sensitive information in clear text through an insecure protocol. | |||||
| CVE-2025-0631 | | | 2026-04-15 | N/A | N/A |
| A Credential Exposure Vulnerability exists in the above-mentioned product and version. The vulnerability is due to using HTTP resulting in credentials being sent in clear text. | |||||
| CVE-2025-54818 | | | 2026-04-15 | N/A | 8.0 HIGH |
| Cognex In-Sight Explorer and In-Sight Camera Firmware expose a proprietary protocol on TCP port 1069 to perform management operations such as modifying system properties. The user management functionality handles sensitive data such as registered usernames and passwords over an unencrypted channel, allowing an adjacent attacker to intercept valid credentials to gain access to the device. | |||||
| CVE-2025-10641 | | | 2026-04-15 | N/A | 7.1 HIGH |
| All WorkExaminer Professional traffic between monitoring client, console and server is transmitted as plain text. This allows an attacker with access to the network to read the transmitted sensitive data. An attacker can also freely modify the data on the wire. The monitoring clients transmit their data to the server using the unencrypted FTP. Clients connect to the FTP server on port 12304 and transmit the data unencrypted. In addition, all traffic between the console client and the server at port 12306 is unencrypted. | |||||
| CVE-2024-8059 | | | 2026-04-15 | N/A | 4.3 MEDIUM |
| IPMI credentials may be captured in XCC audit log entries when the account username length is 16 characters. | |||||
| CVE-2025-27720 | | | 2026-04-15 | N/A | 7.4 HIGH |
| The Pixmeo Osirix MD Web Portal sends credential information without encryption, which could allow an attacker to steal credentials. | |||||
| CVE-2024-28169 | | | 2026-04-15 | N/A | 5.4 MEDIUM |
| Cleartext transmission of sensitive information for some BigDL software maintained by Intel(R) before version 2.5.0 may allow an authenticated user to potentially enable denial of service via adjacent access. | |||||
| CVE-2025-8863 | | | 2026-04-15 | N/A | N/A |
| YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission. | |||||
| CVE-2024-47789 | | | 2026-04-15 | N/A | N/A |
| ** UNSUPPORTED WHEN ASSIGNED ** This vulnerability exists in D3D Security IP Camera D8801 due to usage of weak authentication scheme of the HTTP header protocol where authorization tag contains a Base-64 encoded username and password. A remote attacker could exploit this vulnerability by crafting an HTTP packet leading to exposure of user credentials of the targeted device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-44251 | | | 2026-04-15 | N/A | 7.5 HIGH |
| Ecovacs Deebot T10 1.7.2 transmits Wi-Fi credentials in cleartext during the pairing process. | |||||
| CVE-2025-52586 | | | 2026-04-15 | N/A | 6.9 MEDIUM |
| The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data, including read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings. | |||||
