Search Results (916 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-36558 2026-04-15 7.5 High
Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h suffers from Cleartext Transmission of Sensitive Information due to lack of encryption in device-server communication.
CVE-2025-6180 1 Strongdm 1 Sdm-cli 2026-04-15 N/A
The StrongDM Client insufficiently protected a pre-authentication token. Attackers could exploit this to intercept and reuse the token, potentially redeeming valid authentication credentials through a race condition.
CVE-2025-64389 1 Circutor 1 Tcprs1plus 2026-04-15 N/A
The web server of the device performs exchanges of sensitive information in clear text through an insecure protocol.
CVE-2025-47698 1 Cognex 1 In-sight Explorer 2026-04-15 N/A
An adjacent attacker without authentication can exploit this vulnerability to retrieve a set of user-privileged credentials. These credentials are present during the firmware upgrade procedure.
CVE-2025-47419 2026-04-15 N/A
Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic. The device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.
CVE-2025-56447 1 Tm2 1 Monitoring 2026-04-15 9.8 Critical
TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure.
CVE-2025-50110 2026-04-15 8.8 High
An issue was discovered in the method push.lite.avtech.com.AvtechLib.GetHttpsResponse in AVTECH EagleEyes Lite 2.0.0, the GetHttpsResponse method transmits sensitive information - including internal server URLs, account IDs, passwords, and device tokens - as plaintext query parameters over HTTPS
CVE-2025-61738 1 Johnsoncontrols 5 Iq Panels2, Iq Panels2+, Iqhub and 2 more 2026-04-15 N/A
Under certain circumstances, attacker can capture the network key, read or write encrypted packets on the PowerG network.
CVE-2025-54799 1 Lego Project 1 Lego 2026-04-15 5.3 Medium
Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2.
CVE-2025-54818 1 Cognex 2 In-sight Camera Firmware, In-sight Explorer 2026-04-15 8 High
Cognex In-Sight Explorer and In-Sight Camera Firmware expose a proprietary protocol on TCP port 1069 to perform management operations such as modifying system properties. The user management functionality handles sensitive data such as registered usernames and passwords over an unencrypted channel, allowing an adjacent attacker to intercept valid credentials to gain access to the device.
CVE-2026-23662 1 Microsoft 1 Azure Iot Explorer 2026-04-14 7.5 High
Missing authentication for critical function in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.
CVE-2026-23661 1 Microsoft 1 Azure Iot Explorer 2026-04-14 7.5 High
Cleartext transmission of sensitive information in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.
CVE-2012-5562 1 Redhat 2 Network Proxy, Satellite 2026-04-09 8.6 High
A flaw was found in rhn-proxy. This vulnerability may allow the rhn-proxy to transmit user credentials in clear-text when it accesses RHN Satellite. This could lead to information disclosure, where sensitive authentication details are exposed to unauthorized parties.
CVE-2026-4820 1 Ibm 1 Maximo Application Suite 2026-04-08 4.3 Medium
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVE-2023-53881 2 Ruijie, Ruijienetworks 2 Reyee Os, Reyee Os 2026-04-07 8.1 High
ReyeeOS 1.204.1614 contains an unencrypted CWMP communication vulnerability that allows attackers to intercept and manipulate device communication through a man-in-the-middle attack. Attackers can create a fake CWMP server to inject and execute arbitrary commands on Ruijie Reyee Cloud devices by exploiting the unprotected HTTP polling requests.
CVE-2023-53875 1 Gomlab 1 Gom Player 2026-04-07 8.8 High
GOM Player 2.3.90.5360 contains a remote code execution vulnerability in its Internet Explorer component that allows attackers to execute arbitrary code through DNS spoofing. Attackers can redirect victims using a malicious URL shortcut and WebDAV technique to run a reverse shell with SMB server interaction.
CVE-2026-5115 1 Papercut 2 Papercut Mf, Papercut Mf Konica Minolta 2026-04-07 7.5 High
The PaperCut NG/MF (specifically, the embedded application for Konica Minolta devices) is vulnerable to session hijacking. The PaperCut NG/MF Embedded application is a software interface that runs directly on the touch screen of a multi-function device. It was internally discovered that the communication channel between the embedded application and the server was insecure, which could leak data including sensitive information that may be used to mount an  attack on the device. Such an attack could potentially be used to steal data or to perform a phishing attack on the end user.
CVE-2026-32745 1 Jetbrains 1 Datalore 2026-04-02 6.3 Medium
In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
CVE-2024-44276 1 Apple 2 Ipados, Iphone Os 2026-04-02 7.3 High
This issue was addressed by using HTTPS when sending information over the network. This issue is fixed in iOS 18.2 and iPadOS 18.2. A user in a privileged network position may be able to leak sensitive information.
CVE-2026-32309 1 Cryptomator 1 Cryptomator 2026-03-27 7.5 High
Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over plaintext HTTP or other insecure endpoint combinations. An active network attacker can tamper with or observe this traffic. Even when the vault key is encrypted for the device, bearer tokens and endpoint-level trust decisions are still exposed to downgrade and interception. This issue has been patched in version 1.19.1.