Total
1230 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-28228 | 1 Electrolink | 1 Fm\/dab\/tv Transmitter Web Management System | 2025-08-07 | N/A | 7.5 HIGH |
| A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and Display v1.4, v1.2 allows unauthorized attackers to access credentials in plaintext. | |||||
| CVE-2025-54876 | 2025-08-06 | N/A | N/A | ||
| The Janssen Project is an open-source identity and access management (IAM) platform. In versions 1.9.0 and below, Janssen stores passwords in plaintext in the local cli_cmd.log file. This is fixed in the nightly prerelease. | |||||
| CVE-2025-53008 | 1 Glpi-project | 1 Glpi | 2025-08-04 | N/A | 6.5 MEDIUM |
| GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal mail receiver credentials. This is fixed in version 10.0.19. | |||||
| CVE-2025-54422 | 1 Sandboxie-plus | 1 Sandboxie | 2025-08-04 | N/A | 5.5 MEDIUM |
| Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.1 and below, a critical security vulnerability exists in password handling mechanisms. During encrypted sandbox creation, user passwords are transmitted via shared memory, exposing them to potential interception. The vulnerability is particularly severe during password modification operations, where both old and new passwords are passed as plaintext command-line arguments to the Imbox process without any encryption or obfuscation. This implementation flaw allows any process within the user session, including unprivileged processes, to retrieve these sensitive credentials by reading the command-line arguments, thereby bypassing standard privilege requirements and creating a significant security risk. This is fixed in version 1.16.2. | |||||
| CVE-2021-1232 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2025-08-04 | N/A | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to read arbitrary files on the underlying filesystem of an affected system. This vulnerability is due to insufficient access control for sensitive information that is written to an affected system. An attacker could exploit this vulnerability by accessing sensitive information that they are not authorized to access on an affected system. A successful exploit could allow the attacker to gain access to devices and other network management systems that they should not have access to.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | |||||
| CVE-2025-5922 | 2025-07-31 | N/A | N/A | ||
| Access to TSplus Remote Access Admin Tool is restricted to administrators (unless "Disable UAC" option is enabled) and requires a PIN code. In versions below v18.40.6.17 the PIN's hash is stored in a system registry accessible to regular users, making it possible to perform a brute-force attack using rainbow tables, since the hash is not salted. LTS (Long-Term Support) versions also received patches in v17.2025.6.27 and v16.2025.6.27 releases. | |||||
| CVE-2025-54428 | 2025-07-29 | N/A | 9.8 CRITICAL | ||
| RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with embedded username and password was accidentally committed to the public repository. This could allow unauthorized access to production or staging databases, potentially leading to data exfiltration, modification, or deletion. This is fixed in version 1.0.1. Workarounds include: immediately rotating credentials for the exposed database user, using a secret manager (like Vault, Doppler, AWS Secrets Manager, etc.) instead of storing secrets directly in code, or auditing recent access logs for suspicious activity. | |||||
| CVE-2024-47109 | 3 Ibm, Linux, Microsoft | 4 Aix, Sterling File Gateway, Linux Kernel and 1 more | 2025-07-25 | N/A | 5.3 MEDIUM |
| IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.3 UI could disclosure the installation path of the server which could aid in further attacks against the system. | |||||
| CVE-2025-7565 | 1 Lb-link | 2 Bl-ac3600, Bl-ac3600 Firmware | 2025-07-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in LB-LINK BL-AC3600 up to 1.0.22. This affects the function geteasycfg of the file /cgi-bin/lighttpd.cgi of the component Web Management Interface. The manipulation of the argument Password leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-38291 | 1 Extremenetworks | 1 Xiq-se | 2025-07-11 | N/A | 8.8 HIGH |
| In XIQ-SE before 24.2.11, a low-privileged user may be able to access admin passwords, which could lead to privilege escalation. | |||||
| CVE-2020-9250 | 1 Huawei | 2 Mate 20 Pro, Mate 20 Pro Firmware | 2025-07-11 | N/A | 3.3 LOW |
| There is an insufficient authentication vulnerability in some Huawei smart phone. An unauthenticated, local attacker can crafts software package to exploit this vulnerability. Due to insufficient verification, successful exploitation may impact the service. (Vulnerability ID: HWPSIRT-2019-12302) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9250. | |||||
| CVE-2025-24508 | 2025-07-08 | N/A | 6.4 MEDIUM | ||
| Extraction of Account Connectivity Credentials (ACCs) from the IT Management Agent secure storage | |||||
| CVE-2025-34062 | 2025-07-03 | N/A | N/A | ||
| An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token—which may be retrievable from host registry keys or improperly secured logs—can retrieve a plaintext response disclosing sensitive credentials. These may include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration. | |||||
| CVE-2025-6081 | 2025-07-03 | N/A | 6.8 MEDIUM | ||
| Insufficiently Protected Credentials in LDAP in Konica Minolta bizhub 227 Multifunction printers version GCQ-Y3 or earlier allows an attacker can reconfigure the target device to use an external LDAP service controlled by the attacker. If an LDAP password is set on the target device, the attacker can force the target device to authenticate to the attacker controlled LDAP service. This will allow the attacker to capture the plaintext password of the configured LDAP service. | |||||
| CVE-2024-49364 | 2025-07-03 | N/A | N/A | ||
| tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7. | |||||
| CVE-2024-50699 | 1 Tp-link | 2 Tl-wr845n, Tl-wr845n Firmware | 2025-07-02 | N/A | 8.0 HIGH |
| TP-Link TL-WR845N(UN)_V4_201214, TL-WR845N(UN)_V4_200909 and TL-WR845N(UN)_V4_190219 were discovered to contain weak default credentials for the Administrator account. | |||||
| CVE-2025-4679 | 1 Synology | 1 Active Backup For Microsoft 365 | 2025-07-02 | N/A | 6.5 MEDIUM |
| A vulnerability in Synology Active Backup for Microsoft 365 allows remote authenticated attackers to obtain sensitive information via unspecified vectors. | |||||
| CVE-2024-51984 | 2025-06-26 | N/A | 6.8 MEDIUM | ||
| An authenticated attacker can reconfigure the target device to use an external service (such as LDAP or FTP) controlled by the attacker. If an existing password is present for an external service, the attacker can force the target device to authenticate to an attacker controlled device using the existing credentials for that external service. In the case of an external LDAP or FTP service, this will disclose the plaintext password for that external service to the attacker. | |||||
| CVE-2025-6526 | 2025-06-26 | 1.8 LOW | 3.1 LOW | ||
| A vulnerability, which was classified as problematic, has been found in 70mai M300 up to 20250611. This issue affects some unknown processing of the component HTTP Server. The manipulation leads to insufficiently protected credentials. The attack can only be done within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-29055 | 2025-06-20 | N/A | 7.5 HIGH | ||
| In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties', that may contain serverside credentials. When the kylin service runs over HTTP (or other plain text protocol), it is possible for network sniffers to hijack the HTTP payload and get access to the content of kylin.properties and potentially the containing credentials. To avoid this threat, users are recommended to * Always turn on HTTPS so that network payload is encrypted. * Avoid putting credentials in kylin.properties, or at least not in plain text. * Use network firewalls to protect the serverside such that it is not accessible to external attackers. * Upgrade to version Apache Kylin 4.0.4, which filters out the sensitive content that goes to the Server Config web interface. | |||||