Total: 1269 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-37362 | | | 2026-04-15 | N/A | 6.3 MEDIUM |
| The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522) Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when saving connections to RedShift. Products must not disclose sensitive information without cause. Disclosure of sensitive information can lead to further exploitation. | |||||
| CVE-2025-41682 | | | 2026-04-15 | N/A | 8.8 HIGH |
| An authenticated, low-privileged attacker can obtain credentials stored on the charge controller including the manufacturer password. | |||||
| CVE-2025-62794 | | | 2026-04-15 | N/A | 3.8 LOW |
| GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided GitHub token would be stored in plaintext in the editor configuration as JSON on disk, rather than through the more secure "securestorage" API. An attacker with read-only access to your home directory could have read this token and used it to perform actions with that token. Update to 0.0.7. | |||||
| CVE-2024-47588 | | | 2026-04-15 | N/A | 4.7 MEDIUM |
| In SAP NetWeaver Java (Software Update Manager 1.1), under certain conditions when a software upgrade encounters errors, credentials are written in plaintext to a log file. An attacker with local access to the server, authenticated as a non-administrative user, can acquire the credentials from the logs. This leads to a high impact on confidentiality, with no impact on integrity or availability. | |||||
| CVE-2025-13163 | | | 2026-04-15 | N/A | 4.9 MEDIUM |
| EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext database account credentials from the system frontend. | |||||
| CVE-2025-37728 | | | 2026-04-15 | N/A | 5.4 MEDIUM |
| Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which they have access. | |||||
| CVE-2025-35941 | | | 2026-04-15 | N/A | 5.5 MEDIUM |
| A password is exposed locally. | |||||
| CVE-2025-12461 | | | 2026-04-15 | N/A | N/A |
| This vulnerability allows an attacker to access parts of the application that are not protected by any type of access control. The attacker could access this path ‘…/epsilonnet/License/About.aspx’ and obtain information on both the licence and the configuration of the product by knowing which modules are installed. | |||||
| CVE-2024-53832 | | | 2026-04-15 | N/A | 4.6 MEDIUM |
| A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V05.30). The affected devices contain a secure element which is connected via an unencrypted SPI bus. This could allow an attacker with physical access to the SPI bus to observe the password used for the secure element authentication, and then use the secure element as an oracle to decrypt all encrypted update files. | |||||
| CVE-2025-34062 | | | 2026-04-15 | N/A | N/A |
| An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token—which may be retrievable from host registry keys or improperly secured logs—can retrieve a plaintext response disclosing sensitive credentials. These may include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration. | |||||
| CVE-2025-3078 | | | 2026-04-15 | N/A | 8.7 HIGH |
| A passback vulnerability which relates to production printers and office multifunction printers. | |||||
| CVE-2024-23733 | | | 2026-04-15 | N/A | 7.5 HIGH |
| The /WmAdmin/,/invoke/vm.server/login login page in the Integration Server in Software AG webMethods 10.15.0 before Core_Fix7 allows remote attackers to reach the administration panel and discover hostname and version information by sending an arbitrary username and a blank password to the /WmAdmin/#/login/ URI. | |||||
| CVE-2024-11856 | | | 2026-04-15 | N/A | 3.7 LOW |
| A security vulnerability in HPE IceWall products could be exploited remotely to cause Unauthorized Data Modification. | |||||
| CVE-2024-43812 | | | 2026-04-15 | N/A | 8.4 HIGH |
| Kieback & Peter's DDC4000 series has an insufficiently protected credentials vulnerability, which may allow an unauthenticated attacker with access to /etc/passwd to read the password hashes of all users on the system. | |||||
| CVE-2025-10360 | | | 2026-04-15 | N/A | N/A |
| In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version. | |||||
| CVE-2024-51240 | | | 2026-04-15 | N/A | 8.0 HIGH |
| An issue in the luci-mod-rpc package in OpenWRT Luci LTS allows for privilege escalation from an admin account to root via the JSON-RPC-API, which is exposed by the luci-mod-rpc package. | |||||
| CVE-2024-32238 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface. | |||||
| CVE-2023-48010 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| STMicroelectronics SPC58 is vulnerable to Missing Protection Mechanism for Alternate Hardware Interface. Code running as Supervisor on the SPC58 PowerPC microcontrollers may disable the System Memory Protection Unit and gain unabridged read/write access to protected assets. | |||||
| CVE-2025-42897 | | | 2026-04-15 | N/A | 5.3 MEDIUM |
| Due to an information disclosure vulnerability in an anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. As a result, it has a low impact on the confidentiality of the application but no impact on the integrity and availability. | |||||
| CVE-2024-57395 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| Password Vulnerability in Safety production process management system v1.0 allows a remote attacker to escalate privileges, execute arbitrary code and obtain sensitive information via the password and account number parameters. | |||||
