Export limit exceeded: 29948 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (1409 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-23733 | 2026-04-15 | 7.5 High | ||
| The /WmAdmin/,/invoke/vm.server/login login page in the Integration Server in Software AG webMethods 10.15.0 before Core_Fix7 allows remote attackers to reach the administration panel and discover hostname and version information by sending an arbitrary username and a blank password to the /WmAdmin/#/login/ URI. | ||||
| CVE-2024-43812 | 1 Kieback\&peter | 10 Ddc4002 Firmware, Ddc4002e Firmware, Ddc4020e Firmware and 7 more | 2026-04-15 | 8.4 High |
| Kieback & Peter's DDC4000 series has an insufficiently protected credentials vulnerability, which may allow an unauthenticated attacker with access to /etc/passwd to read the password hashes of all users on the system. | ||||
| CVE-2021-47759 | 1 Ttyplus | 1 Mtputty | 2026-04-15 | 6.2 Medium |
| MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. Attackers can run a PowerShell command to retrieve the full command line of MTPutty processes, exposing plaintext SSH credentials. | ||||
| CVE-2025-6571 | 2 Axis, Axis Communications Ab | 2 Axis Os, Axis Os | 2026-04-15 | 6 Medium |
| A 3rd-party component exposed its password in process arguments, allowing for low-privileged users to access it. | ||||
| CVE-2025-41682 | 1 Bender | 4 Cc612, Cc613, Icc13xx and 1 more | 2026-04-15 | 8.8 High |
| An authenticated, low-privileged attacker can obtain credentials stored on the charge controller including the manufacturer password. | ||||
| CVE-2025-57806 | 2026-04-15 | N/A | ||
| Local Deep Research is an AI-powered research assistant for deep, iterative research. Versions 0.2.0 through 0.6.7 stored confidential information, including API keys, in a local SQLite database without encryption. This behavior was not clearly documented outside of the database architecture page. Users were not given the ability to configure the database location, allowing anyone with access to the container or host filesystem to retrieve sensitive data in plaintext by accessing the .db file. This is fixed in version 1.0.0. | ||||
| CVE-2025-0760 | 2026-04-15 | 2.7 Low | ||
| A Credential Disclosure vulnerability exists where an administrator could extract the stored SMTP account credentials due to lack of encryption. | ||||
| CVE-2024-28981 | 2026-04-15 | 8.5 High | ||
| Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.1.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when searching metadata injectable fields. | ||||
| CVE-2024-51240 | 1 Openwrt | 1 Luci | 2026-04-15 | 8 High |
| An issue in the luci-mod-rpc package in OpenWRT Luci LTS allows for privilege escalation from an admin account to root via the JSON-RPC-API, which is exposed by the luci-mod-rpc package | ||||
| CVE-2019-17082 | 1 Opentext | 1 Accurev For Ldap Integration | 2026-04-15 | N/A |
| Insufficiently Protected Credentials vulnerability in OpenText™ AccuRev allows Authentication Bypass. When installed on a Linux or Solaris system the vulnerability could allow anyone who knows a valid AccuRev username can use the AccuRev client to login and gain access to AccuRev source control without knowing the user’s password. This issue affects AccuRev: 2017.1. | ||||
| CVE-2024-33496 | 1 Siemens | 1 Simatic Rtls Locating Manager | 2026-04-15 | 6.3 Medium |
| A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected SIMATIC RTLS Locating Manager Report Clients do not properly protect credentials that are used to authenticate to the server. This could allow an authenticated local attacker to extract the credentials and use them to escalate their access rights from the Manager to the Systemadministrator role. | ||||
| CVE-2024-37362 | 2026-04-15 | 6.3 Medium | ||
| The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522) Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when saving connections to RedShift. Products must not disclose sensitive information without cause. Disclosure of sensitive information can lead to further exploitation. | ||||
| CVE-2023-49233 | 1 Visual Planning | 1 Admin Center | 2026-04-15 | 8.8 High |
| Insufficient access checks in Visual Planning Admin Center 8 before v.1 Build 240207 allow attackers in possession of a non-administrative Visual Planning account to utilize functions normally reserved for administrators. The affected functions allow attackers to obtain different types of configured credentials and potentially elevate their privileges to administrator level. | ||||
| CVE-2025-46820 | 2026-04-15 | 7.1 High | ||
| phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue. | ||||
| CVE-2025-5922 | 1 Tsplus | 1 Tsplus Remote Access | 2026-04-15 | N/A |
| Access to TSplus Remote Access Admin Tool is restricted to administrators (unless "Disable UAC" option is enabled) and requires a PIN code. In versions below v18.40.6.17 the PIN's hash is stored in a system registry accessible to regular users, making it possible to perform a brute-force attack using rainbow tables, since the hash is not salted. LTS (Long-Term Support) versions also received patches in v17.2025.6.27 and v16.2025.6.27 releases. | ||||
| CVE-2024-30119 | 1 Hcl Software | 1 Dryice Optibot Reset Station | 2026-04-15 | 3.7 Low |
| HCL DRYiCE Optibot Reset Station is impacted by a missing Strict Transport Security Header. This could allow an attacker to intercept or manipulate data during redirection. | ||||
| CVE-2024-35192 | 2026-04-15 | 5.5 Medium | ||
| Trivy is a security scanner. Prior to 0.51.2, if a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could result in the leakage of credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR). These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. Systems are not affected if the default credential provider chain is unable to obtain valid credentials. This vulnerability only applies when scanning container images directly from a registry. This vulnerability is fixed in 0.51.2. | ||||
| CVE-2025-37728 | 1 Elastic | 1 Kibana | 2026-04-15 | 5.4 Medium |
| Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which they have access. | ||||
| CVE-2025-13163 | 1 Digiwin | 1 Easyflow Gp | 2026-04-15 | 4.9 Medium |
| EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext database account credentials from the system frontend. | ||||
| CVE-2024-29216 | 2026-04-15 | 6.1 Medium | ||
| Exposed IOCTL with insufficient access control issue exists in cg6kwin2k.sys prior to 2.1.7.0. By sending a specific IOCTL request, a user without the administrator privilege may perform I/O to arbitrary hardware port or physical address, resulting in erasing or altering the firmware. | ||||