Search Results (912 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-24441 1 Tenda 2 Ac7, Ac7 Firmware 2026-04-18 5.9 Medium
Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material.
CVE-2026-0714 1 Moxa 71 Uc-1200a Series, Uc-1222a, Uc-1222a Firmware and 68 more 2026-04-17 6.8 Medium
A physical attack vulnerability exists in certain Moxa industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3, where the discrete TPM is connected to the CPU via an SPI bus. Exploitation requires invasive physical access, including opening the device and attaching external equipment to the SPI bus to capture TPM communications. If successful, the captured data may allow offline decryption of eMMC contents. This attack cannot be performed through brief or opportunistic physical access and requires extended physical access, possession of the device, appropriate equipment, and sufficient time for signal capture and analysis. Remote exploitation is not possible.
CVE-2026-31923 1 Apache 1 Apisix 2026-04-17 7.5 High
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
CVE-2026-31924 1 Apache 1 Apisix 2026-04-17 5.3 Medium
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
CVE-2026-27752 3 Shenzhen Hongyavision Technology Co, Sodola-network, Sodolanetworks 4 Sodola Sl902-swtgw124as, Sl902-swtgw124as, Sl902-swtgw124as Firmware and 1 more 2026-04-16 5.9 Medium
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 transmit authentication credentials over unencrypted HTTP, allowing attackers to capture credentials. An attacker positioned to observe network traffic between a user and the device can intercept credentials and reuse them to gain administrative access to the gateway.
CVE-2021-22947 9 Apple, Debian, Fedoraproject and 6 more 37 Macos, Debian Linux, Fedora and 34 more 2026-04-16 5.9 Medium
When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.
CVE-2021-22946 9 Apple, Debian, Fedoraproject and 6 more 40 Macos, Debian Linux, Fedora and 37 more 2026-04-16 7.5 High
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
CVE-2026-20801 1 Gallagher 1 Nxwitness Vms And Hanwha Vms Integrations 2026-04-16 5.6 Medium
Cleartext Transmission of Sensitive Information (CWE-319) in a component used in the Gallagher Hanwha VMS and Gallagher NxWitness VMS integrations allows unprivileged users with local network access to view live video streams. This issue affects all versions of Gallagher NxWitness VMS integration prior to 9.10.017 and Gallagher Hanwha VMS integration prior to 9.10.025.
CVE-2026-30795 6 Apple, Google, Linux and 3 more 7 Iphone Os, Macos, Android and 4 more 2026-04-16 7.5 High
Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop modules) allows Sniffing Attacks. This vulnerability is associated with program files src/hbbs_http/sync.Rs and program routines Heartbeat JSON payload construction (preset-address-book-password). This issue affects RustDesk Client: through 1.4.5.
CVE-2005-2069 3 Openldap, Padl, Redhat 4 Openldap, Nss Ldap, Pam Ldap and 1 more 2026-04-16 N/A
pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password.
CVE-2002-1949 1 Iomega 2 Nas A300u, Nas A300u Firmware 2026-04-16 7.5 High
The Network Attached Storage (NAS) Administration Web Page for Iomega NAS A300U transmits passwords in cleartext, which allows remote attackers to sniff the administrative password.
CVE-2004-1852 1 Solarwinds 1 Dameware Mini Remote Control 2026-04-16 N/A
DameWare Mini Remote Control 3.x before 3.74 and 4.x before 4.2 transmits the Blowfish encryption key in plaintext, which allows remote attackers to gain sensitive information.
CVE-2005-3140 1 Procom 2 Netforce 800, Netforce 800 Firmware 2026-04-16 7.5 High
Procom NetFORCE 800 4.02 M10 Build 20 and possibly other versions sends the NIS password map (passwd.nis) as a file attachment in diagnostic e-mail messages, which allows remote attackers to obtain the cleartext NIS password hashes.
CVE-2025-8863 1 Yugabyte 1 Yugabytedb 2026-04-15 3.7 Low
YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission
CVE-2024-36426 1 Targit 1 Decision Suite 23.2.15007.0 2026-04-15 7.5 High
In TARGIT Decision Suite 23.2.15007.0 before Autumn 2023, the session token is part of the URL and may be sent in a cleartext HTTP session.
CVE-2025-12508 2 Bizerba, Microsoft 2 Brain2, Active Directory 2026-04-15 8.4 High
When using domain users as BRAIN2 users, communication with Active Directory services is unencrypted. This can lead to the interception of authentication data and compromise confidentiality.
CVE-2025-53703 2026-04-15 7.5 High
DuraComm SPM-500 DP-10iN-100-MU transmits sensitive data without encryption over a channel that could be intercepted by attackers.
CVE-2025-27720 2026-04-15 7.4 High
The Pixmeo Osirix MD Web Portal sends credential information without encryption, which could allow an attacker to steal credentials.
CVE-2024-41124 2026-04-15 6.3 Medium
Puncia is the Official CLI utility for Subdomain Center & Exploit Observer. `API_URLS` is utilizing HTTP instead of HTTPS for communication that can lead to issues like Eavesdropping, Data Tampering, Unauthorized Data Access & MITM Attacks. This issue has been addressed in release version 0.21 by using https rather than http connections. All users are advised to upgrade. There is no known workarounds for this vulnerability.
CVE-2024-27163 2026-04-15 6.5 Medium
Toshiba printers will display the password of the admin user in clear-text and additional passwords when sending 2 specific HTTP requests to the internal API. An attacker stealing the cookie of an admin or abusing a XSS vulnerability can recover this password in clear-text and compromise the printer. This vulnerability can be executed in combination with other vulnerabilities and difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the "Base Score" of this vulnerability. For detail on related other vulnerabilities, please ask to the below contact point. https://www.toshibatec.com/contacts/products/ As for the affected products/models/versions, see the reference URL.