Total: 1211 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-10879 | 1 Dingtian-tech | 2 Dt-r002, Dt-r002 Firmware | 2025-09-29 | N/A | 5.3 MEDIUM |
| All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to retrieve the current user's username without authentication. | |||||
| CVE-2025-10360 | | | 2025-09-24 | N/A | N/A |
| In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version. | |||||
| CVE-2024-9014 | 1 Pgadmin | 1 Pgadmin 4 | 2025-09-22 | N/A | 9.9 CRITICAL |
| pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data. | |||||
| CVE-2014-0755 | 1 Rockwellautomation | 2 Logix 5000 Controller, Rslogix 5000 Design And Configuration Software | 2025-09-19 | 6.3 MEDIUM | N/A |
| Rockwell Automation RSLogix 5000 7 through 20.01, and 21.0, does not properly implement password protection for .ACD files (aka project files), which allows local users to obtain sensitive information or modify data via unspecified vectors. | |||||
| CVE-2025-23342 | 1 Nvidia | 1 Nvdebug | 2025-09-18 | N/A | 8.2 HIGH |
| The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to gain access to a privileged account. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure and data tampering. | |||||
| CVE-2025-54467 | | | 2025-09-17 | N/A | 5.3 MEDIUM |
| When a Java command with password parameters is executed and terminated by NeuVector for a Process rule violation, the password will appear in the NeuVector security event log. | |||||
| CVE-2024-12511 | | | 2025-09-17 | N/A | 7.6 HIGH |
| With address book access, SMB/FTP settings could be modified, redirecting scans and possibly capturing credentials. This requires enabled scan functions and printer access. | |||||
| CVE-2019-11272 | 2 Debian, Vmware | 2 Debian Linux, Spring Security | 2025-09-12 | 7.5 HIGH | 7.3 HIGH |
| Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null". | |||||
| CVE-2025-42933 | | | 2025-09-09 | N/A | 8.8 HIGH |
| When a user logs in via the SAP Business One native client, the SLD backend service fails to enforce proper encryption of certain APIs. This leads to exposure of sensitive credentials within the HTTP response body. As a result, it has a high impact on the confidentiality, integrity, and availability of the application. | |||||
| CVE-2025-41682 | | | 2025-09-08 | N/A | 8.8 HIGH |
| An authenticated, low-privileged attacker can obtain credentials stored on the charge controller including the manufacturer password. | |||||
| CVE-2025-58366 | | | 2025-09-08 | N/A | N/A |
| Onyxia is a data science environment for Kubernetes. In versions 4.6.0 through 4.8.0, Onyxia-API leaked the credentials of private Helm repositories in the public (unauthenticated) /public/catalogs endpoint. Only instances using private Helm repositories (i.e. setting username & password in the catalogs configuration) are affected. This is fixed in version 4.9.0. | |||||
| CVE-2025-55739 | | | 2025-09-05 | N/A | N/A |
| api is a module for FreePBX, which is an open source GUI that controls and manages Asterisk (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An attacker with access to the shared OAuth private key could forge JWT tokens, bypass authentication, and potentially gain full access to both REST and GraphQL APIs. Systems with the "api" module enabled, configured and previously activated by an administrator for remote inbound connections may be affected. This issue is fixed in versions 15.0.13, 16.0.15 and 17.0.3. | |||||
| CVE-2024-43779 | 1 Clear | 1 Clearml Enterprise Server | 2025-09-05 | N/A | 7.7 HIGH |
| An information disclosure vulnerability exists in the Vault API functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to reading vaults that have been previously disabled, possibly leaking sensitive credentials. An attacker can send a series of HTTP requests to trigger this vulnerability. | |||||
| CVE-2024-23306 | 1 F5 | 1 Big-ip Next Cloud-native Network Functions | 2025-09-05 | N/A | 7.1 HIGH |
| A vulnerability exists in BIG-IP Next CNF and SPK systems that may allow access to undisclosed sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2024-34885 | 1 Bitrix24 | 1 Bitrix24 | 2025-09-04 | N/A | 6.8 MEDIUM |
| Insufficiently protected credentials in the SMTP server settings of 1C-Bitrix Bitrix24 23.300.100 allow remote administrators to read SMTP account passwords via an HTTP GET request. | |||||
| CVE-2025-57806 | | | 2025-09-04 | N/A | N/A |
| Local Deep Research is an AI-powered research assistant for deep, iterative research. Versions 0.2.0 through 0.6.7 stored confidential information, including API keys, in a local SQLite database without encryption. This behavior was not clearly documented outside of the database architecture page. Users were not given the ability to configure the database location, allowing anyone with access to the container or host filesystem to retrieve sensitive data in plaintext by accessing the .db file. This is fixed in version 1.0.0. | |||||
| CVE-2024-5657 | 1 Born05 | 1 Two-factor Authentication | 2025-09-03 | N/A | 3.7 LOW |
| The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP. | |||||
| CVE-2025-54380 | 1 Apereo | 1 Opencast | 2025-08-26 | N/A | 6.5 MEDIUM |
| Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (i.e., org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a URL of their choosing. This issue is fixed in Opencast 17.6. | |||||
| CVE-2024-31415 | 1 Eaton | 1 Foreseer Electrical Power Monitoring System | 2025-08-26 | N/A | 6.3 MEDIUM |
| The Eaton Foreseer software provides the feasibility for the user to configure external servers for multiple purposes such as network management, user management, etc. The software uses encryption to store these configurations securely on the host machine. However, the keys used for this encryption were insecurely stored, which could be abused to possibly change or remove the server configuration. | |||||
| CVE-2025-2772 | 1 Bectechnologies | 1 Router Firmware | 2025-08-21 | N/A | 6.5 MEDIUM |
| BEC Technologies Multiple Routers Insufficiently Protected Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of BEC Technologies routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within /cgi-bin/tools_usermanage.asp. The issue results from transmitting a list of users and their credentials to be handled on the client side. An attacker can leverage this vulnerability to disclose transported credentials, leading to further compromise. Was ZDI-CAN-25895. | |||||
