Total
1269 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-33849 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a Hard-coded Cryptographic Key. | |||||
| CVE-2024-36081 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| Westermo EDW-100 devices through 2024-05-03 allow an unauthenticated user to download a configuration file containing a cleartext password. NOTE: this is a serial-to-Ethernet converter that should not be placed at the edge of the network. | |||||
| CVE-2026-1966 | 2026-04-15 | N/A | N/A | ||
| YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services. | |||||
| CVE-2025-54808 | 2026-04-15 | N/A | 7.8 HIGH | ||
| Oxford Nanopore Technologies' MinKNOW software at or prior to version 24.11 stores authentication tokens in a file located in the system's temporary directory (/tmp) on the host machine. This directory is typically world-readable, allowing any local user or application to access the token. If the token is leaked (e.g., via malware infection or other local exploit), and remote access is enabled, it can be used to establish unauthorized remote connections to the sequencer. Remote access must be enabled for remote exploitation to succeed. This may occur either because the user has enabled remote access for legitimate operational reasons or because malware with elevated privileges (e.g., sudo access) enables it without user consent. This vulnerability can be chained with remote access capabilities to generate a developer token from a remote device. Developer tokens can be created with arbitrary expiration dates, enabling persistent access to the sequencer and bypassing standard authentication mechanisms. | |||||
| CVE-2025-34139 | 2026-04-15 | N/A | N/A | ||
| A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected. | |||||
| CVE-2024-38285 | 2026-04-15 | N/A | N/A | ||
| Logs storing credentials are insufficiently protected and can be decoded through the use of open source tools. | |||||
| CVE-2019-17082 | 2026-04-15 | N/A | N/A | ||
| Insufficiently Protected Credentials vulnerability in OpenText™ AccuRev allows Authentication Bypass. When installed on a Linux or Solaris system the vulnerability could allow anyone who knows a valid AccuRev username can use the AccuRev client to login and gain access to AccuRev source control without knowing the user’s password. This issue affects AccuRev: 2017.1. | |||||
| CVE-2025-67860 | 2026-04-15 | N/A | 3.8 LOW | ||
| A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. | |||||
| CVE-2025-3079 | 2026-04-15 | N/A | 8.7 HIGH | ||
| A passback vulnerability which relates to office/small office multifunction printers and laser printers. | |||||
| CVE-2024-36127 | 2026-04-15 | N/A | 7.5 HIGH | ||
| apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5. | |||||
| CVE-2025-5922 | 2026-04-15 | N/A | N/A | ||
| Access to TSplus Remote Access Admin Tool is restricted to administrators (unless "Disable UAC" option is enabled) and requires a PIN code. In versions below v18.40.6.17 the PIN's hash is stored in a system registry accessible to regular users, making it possible to perform a brute-force attack using rainbow tables, since the hash is not salted. LTS (Long-Term Support) versions also received patches in v17.2025.6.27 and v16.2025.6.27 releases. | |||||
| CVE-2025-54876 | 2026-04-15 | N/A | N/A | ||
| The Janssen Project is an open-source identity and access management (IAM) platform. In versions 1.9.0 and below, Janssen stores passwords in plaintext in the local cli_cmd.log file. This is fixed in the nightly prerelease. | |||||
| CVE-2021-47741 | 2026-04-15 | N/A | 7.5 HIGH | ||
| ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints. Attackers can exploit the vulnerability by accessing the configuration backup or password page to disclose the super user password and gain additional privileged functionalities. | |||||
| CVE-2024-49364 | 2026-04-15 | N/A | N/A | ||
| tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7. | |||||
| CVE-2024-27109 | 2026-04-15 | N/A | 7.6 HIGH | ||
| Insufficiently protected credentials in GE HealthCare EchoPAC products | |||||
| CVE-2025-12636 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| The Ubia camera ecosystem fails to adequately secure API credentials, potentially enabling an attacker to connect to backend services. The attacker would then be able to gain unauthorized access to available cameras, enabling the viewing of live feeds or modification of settings. | |||||
| CVE-2022-45157 | 2026-04-15 | N/A | 9.1 CRITICAL | ||
| A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments. | |||||
| CVE-2024-29941 | 2026-04-15 | N/A | 8.0 HIGH | ||
| Insecure storage of the ICT MIFARE and DESFire encryption keys in the firmware binary allows malicious actors to create credentials for any site code and card number that is using the default ICT encryption. | |||||
| CVE-2025-61482 | 2026-04-15 | N/A | 7.2 HIGH | ||
| Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two factor authentication. By hooking into app crypto routines and intercepting decryption paths, attacker can recover plaintext secrets, enabling generation of valid one-time passwords, and bypassing authentication for enrolled accounts. | |||||
| CVE-2024-22266 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| VMware Avi Load Balancer contains an information disclosure vulnerability. A malicious actor with access to the system logs can view cloud connection credentials in plaintext. | |||||