Total
1304 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3079 | 2026-04-15 | N/A | 8.7 HIGH | ||
| A passback vulnerability which relates to office/small office multifunction printers and laser printers. | |||||
| CVE-2024-36127 | 2026-04-15 | N/A | 7.5 HIGH | ||
| apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5. | |||||
| CVE-2025-5922 | 2026-04-15 | N/A | N/A | ||
| Access to TSplus Remote Access Admin Tool is restricted to administrators (unless "Disable UAC" option is enabled) and requires a PIN code. In versions below v18.40.6.17 the PIN's hash is stored in a system registry accessible to regular users, making it possible to perform a brute-force attack using rainbow tables, since the hash is not salted. LTS (Long-Term Support) versions also received patches in v17.2025.6.27 and v16.2025.6.27 releases. | |||||
| CVE-2025-54876 | 2026-04-15 | N/A | N/A | ||
| The Janssen Project is an open-source identity and access management (IAM) platform. In versions 1.9.0 and below, Janssen stores passwords in plaintext in the local cli_cmd.log file. This is fixed in the nightly prerelease. | |||||
| CVE-2021-47741 | 2026-04-15 | N/A | 7.5 HIGH | ||
| ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints. Attackers can exploit the vulnerability by accessing the configuration backup or password page to disclose the super user password and gain additional privileged functionalities. | |||||
| CVE-2024-49364 | 2026-04-15 | N/A | N/A | ||
| tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7. | |||||
| CVE-2024-27109 | 2026-04-15 | N/A | 7.6 HIGH | ||
| Insufficiently protected credentials in GE HealthCare EchoPAC products | |||||
| CVE-2025-12636 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| The Ubia camera ecosystem fails to adequately secure API credentials, potentially enabling an attacker to connect to backend services. The attacker would then be able to gain unauthorized access to available cameras, enabling the viewing of live feeds or modification of settings. | |||||
| CVE-2022-45157 | 2026-04-15 | N/A | 9.1 CRITICAL | ||
| A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments. | |||||
| CVE-2024-29941 | 2026-04-15 | N/A | 8.0 HIGH | ||
| Insecure storage of the ICT MIFARE and DESFire encryption keys in the firmware binary allows malicious actors to create credentials for any site code and card number that is using the default ICT encryption. | |||||
| CVE-2025-61482 | 2026-04-15 | N/A | 7.2 HIGH | ||
| Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two factor authentication. By hooking into app crypto routines and intercepting decryption paths, attacker can recover plaintext secrets, enabling generation of valid one-time passwords, and bypassing authentication for enrolled accounts. | |||||
| CVE-2024-22266 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| VMware Avi Load Balancer contains an information disclosure vulnerability. A malicious actor with access to the system logs can view cloud connection credentials in plaintext. | |||||
| CVE-2025-2908 | 2026-04-15 | N/A | N/A | ||
| The exposure of credentials in the call forwarding configuration module in MeetMe products in versions prior to 2024-09 allows an attacker to gain access to some important assets via configuration files. | |||||
| CVE-2025-54467 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation the password will appear in the NeuVector security event log. | |||||
| CVE-2024-0368 | 1 Wpmudev | 1 Hustle | 2026-04-08 | N/A | 8.6 HIGH |
| The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII. | |||||
| CVE-2026-29872 | 1 Theunwindai | 1 Awesome Llm Apps | 2026-04-06 | N/A | 8.2 HIGH |
| A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without proper session isolation. Because Streamlit serves multiple concurrent users from a single Python process, credentials provided by one user remain accessible to subsequent unauthenticated users. An attacker can exploit this issue to retrieve sensitive information such as GitHub Personal Access Tokens or LLM API keys, potentially leading to unauthorized access to private resources and financial abuse. | |||||
| CVE-2026-4819 | 1 Search-guard | 1 Flx | 2026-04-03 | N/A | 4.9 MEDIUM |
| In Search Guard FLX versions from 1.0.0 up to 4.0.1, the audit logging feature might log user credentials from users logging into Kibana. | |||||
| CVE-2024-54471 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 5.5 MEDIUM |
| This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to leak a user's credentials. | |||||
| CVE-2026-23658 | 1 Microsoft | 1 Azure Devops | 2026-04-01 | N/A | 8.6 HIGH |
| Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2025-15617 | 1 Wazuh | 1 Wazuh | 2026-03-31 | N/A | 6.5 MEDIUM |
| Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags. | |||||