Total
725 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-4066 | 1 Redhat | 6 Amq Broker, Enterprise Linux, Jboss A-mq and 3 more | 2025-10-10 | 5.5 Medium |
| A flaw was found in Red Hat's AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in the StatefulSet details yaml of AMQ Broker. | ||||
| CVE-2025-34216 | 1 Vasion | 2 Virtual Appliance Application, Virtual Appliance Host | 2025-10-09 | 9.8 Critical |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (VA deployments only) expose a set of unauthenticated REST API endpoints that return configuration files and clear‑text passwords. The same endpoints also disclose the Laravel APP_KEY used for cryptographic signing. Because the APP_KEY is required to generate valid signed requests, an attacker who obtains it can craft malicious payloads that are accepted by the application and achieve remote code execution on the appliance. This vulnerability has been identified by the vendor as: V-2024-018 — RCE & Leaks via API. | ||||
| CVE-2025-51055 | 2 Vedo, Vedo Suite Project | 2 Vedo Suite, Vedo Suite | 2025-10-09 | 8.6 High |
| Insecure Data Storage of credentials has been found in /api_vedo/configuration/config.yml file in Vedo Suite version 2024.17. This file contains clear-text credentials, secret keys, and database information. | ||||
| CVE-2025-59450 | 1 Yosmart | 1 Yolink Smart Hub | 2025-10-08 | 4.3 Medium |
| The YoSmart YoLink Smart Hub firmware 0382 is unencrypted, and data extracted from it can be used to determine network access credentials. | ||||
| CVE-2025-59409 | 1 Flocksafety | 2 Falcon, Sparrow License Plate Reader | 2025-10-03 | 7.5 High |
| Flock Safety Falcon and Sparrow License Plate Readers OPM1.171019.026 ship with development Wi-Fi credentials (test_flck) stored in cleartext in production firmware. | ||||
| CVE-2025-23291 | 1 Nvidia | 1 License System | 2025-10-02 | 2.4 Low |
| NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an User/Attacker may cause an authorized action. A successful exploit of this vulnerability may lead to information disclosure. | ||||
| CVE-2024-45744 | 1 Topquadrant | 1 Topbraid Edg | 2025-10-02 | 3 Low |
| TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745. At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally. Version 8.3.0 warns when using plain text secrets. | ||||
| CVE-2025-49728 | 1 Microsoft | 1 Pc Manager | 2025-10-01 | 4 Medium |
| Cleartext storage of sensitive information in Microsoft PC Manager allows an unauthorized attacker to bypass a security feature locally. | ||||
| CVE-2025-53672 | 1 Jenkins | 1 Kryptowire | 2025-10-01 | 6.5 Medium |
| Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. | ||||
| CVE-2025-47824 | 1 Flocksafety | 2 License Plate Reader, License Plate Reader Firmware | 2025-10-01 | 2 Low |
| Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have cleartext storage of code. | ||||
| CVE-2025-54855 | 1 Automationdirect | 1 Click Plus | 2025-09-25 | 4.2 Medium |
| Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text. | ||||
| CVE-2025-34200 | 2 Printerlogic, Vasion | 4 Vasion Print, Virtual Appliance, Virtual Appliance Application and 1 more | 2025-09-24 | 7.8 High |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) provision the appliance with the network account credentials in clear-text inside /etc/issue, and the file is world-readable by default. An attacker with local shell access can read /etc/issue to obtain the network account username and password. Using the network account an attacker can change network parameters via the appliance interface, enabling local misconfiguration, network disruption or further escalation depending on deployment. | ||||
| CVE-2025-34206 | 2 Printerlogic, Vasion | 4 Vasion Print, Virtual Appliance, Virtual Appliance Application and 1 more | 2025-09-24 | 9.8 Critical |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) mount host configuration and secret material under /var/www/efs_storage into many Docker containers with overly-permissive filesystem permissions. Files such as secrets.env, GPG-encrypted blobs in .secrets, MySQL client keys, and application session files are accessible from multiple containers. An attacker who controls or reaches any container can read or modify these artifacts, leading to credential theft, RCE via Laravel APP_KEY, Portainer takeover, and full compromise. | ||||
| CVE-2024-12079 | 1 Ecovacs | 28 Airbot Andy, Airbot Andy Firmware, Airbot Ava and 25 more | 2025-09-23 | 3.3 Low |
| ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism. | ||||
| CVE-2024-28387 | 1 Axonaut | 1 Axonaut | 2025-09-18 | 7.5 High |
| An issue in axonaut v.3.1.23 and before allows a remote attacker to obtain sensitive information via the log.txt component. | ||||
| CVE-2025-34078 | 1 Nsclient | 1 Nsclient\+\+ | 2025-09-17 | 7.8 High |
| A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API. This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions. | ||||
| CVE-2024-32474 | 2 Getsentry, Sentry | 2 Sentry, Sentry | 2025-09-15 | 7.3 High |
| Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser. Self-hosted users on affected versions should upgrade to 24.4.1 or later. Users can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or more. | ||||
| CVE-2024-12604 | 1 Tapandsign | 1 Tap\&sign | 2025-09-12 | 6.5 Medium |
| Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse.This issue affects Tap&Sign App: before V.1.025. | ||||
| CVE-2025-6224 | 1 Canonical | 1 Juju\/utils | 2025-09-10 | 6.5 Medium |
| Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key from it. | ||||
| CVE-2025-53742 | 1 Jenkins | 1 Applitools Eyes | 2025-09-10 | 6.5 Medium |
| Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | ||||