Search Results (913 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-27166 1 Toshibatec 50 E-studio-2010-ac, E-studio-2015-nc, E-studio-2018 A and 47 more 2026-04-15 7.4 High
Coredump binaries in Toshiba printers have incorrect permissions. A local attacker can steal confidential information. As for the affected products/models/versions, see the reference URL.
CVE-2020-36914 1 Qihang Media 1 Web Digital Signage 2026-04-15 7.5 High
QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie transmission. Attackers can perform man-in-the-middle attacks to capture and potentially misuse stored authentication credentials transmitted in an insecure manner.
CVE-2020-36917 2026-04-15 7.5 High
iDS6 DSSPro Digital Signage System 6.2 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept authentication credentials through cleartext cookie transmission. Attackers can exploit the autoSave feature to capture user passwords during man-in-the-middle attacks on HTTP communications.
CVE-2024-28169 2026-04-15 5.4 Medium
Cleartext transmission of sensitive information for some BigDL software maintained by Intel(R) before version 2.5.0 may allow an authenticated user to potentially enable denial of service via adjacent access.
CVE-2024-28275 1 Puwellcloudtech 1 360eyes Pro 2026-04-15 6.5 Medium
Puwell Cloud Tech Co, Ltd 360Eyes Pro v3.9.5.16(3090516) was discovered to transmit sensitive information in cleartext. This vulnerability allows attackers to intercept and access sensitive information, including users' credentials and password change requests.
CVE-2024-36426 1 Targit 1 Decision Suite 23.2.15007.0 2026-04-15 7.5 High
In TARGIT Decision Suite 23.2.15007.0 before Autumn 2023, the session token is part of the URL and may be sent in a cleartext HTTP session.
CVE-2024-36558 2026-04-15 7.5 High
Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h suffers from Cleartext Transmission of Sensitive Information due to lack of encryption in device-server communication.
CVE-2024-40595 1 Oneidentity 1 Safeguard For Privileged Sessions 2026-04-15 5.3 Medium
An authentication-bypass issue in the RDP component of One Identity Safeguard for Privileged Sessions (SPS) On Premise before 7.5.1 (and LTS before 7.0.5.1) allows man-in-the-middle attackers to obtain access to privileged sessions on target resources by intercepting cleartext RDP protocol information.
CVE-2024-35495 2026-04-15 4.3 Medium
An Information Disclosure vulnerability in the Telemetry component in TP-Link Kasa KP125M V1.0.0 and Tapo P125M 1.0.0 Build 220930 Rel.143947 allows attackers to observe device state via observing network traffic.
CVE-2024-41124 2026-04-15 6.3 Medium
Puncia is the Official CLI utility for Subdomain Center & Exploit Observer. `API_URLS` is utilizing HTTP instead of HTTPS for communication that can lead to issues like Eavesdropping, Data Tampering, Unauthorized Data Access & MITM Attacks. This issue has been addressed in release version 0.21 by using https rather than http connections. All users are advised to upgrade. There is no known workarounds for this vulnerability.
CVE-2025-54799 1 Lego Project 1 Lego 2026-04-15 5.3 Medium
Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2.
CVE-2024-45361 2 Mi, Xiaomi 2 Xiaomi, Mi Connect Service 2026-04-15 6.5 Medium
A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to leak sensitive user information.
CVE-2024-47577 2026-04-15 2.7 Low
Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability. When an authorized agent searches for customer to manage their accounts, the request url includes customer data and it is recorded in server logs. If an attacker impersonating as authorized admin visits such server logs, then they get access to the customer data. The amount of leaked confidential data however is extremely limited, and the attacker has no control over what data is leaked.
CVE-2024-48121 2026-04-15 6.5 Medium
The HI-SCAN 6040i Hitrax HX-03-19-I was discovered to transmit user credentials in cleartext over the GIOP protocol. This allows attackers to possibly gain access to sensitive information via a man-in-the-middle attack.
CVE-2024-5631 2026-04-15 N/A
Longse NVR (Network Video Recorder) model NVR3608PGE2W, as well as products based on this device, are transmitting user's login and password to a remote control service without using any encryption. This enables an on-path attacker to eavesdrop the credentials and subsequently obtain access to the video stream.  The credentials are being sent when a user decides to change his password in router's portal.
CVE-2024-9834 1 Baxter 1 Life2000 Ventilator Firmware 2026-04-15 9.3 Critical
Improper data protection on the ventilator's serial interface could allow an attacker to send and receive messages that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.
CVE-2025-0432 2026-04-15 5.7 Medium
EWON Flexy 202 transmits user credentials in clear text with no encryption when a user is added, or user credentials are changed via its webpage.
CVE-2025-7731 1 Mitsubishi Electric 1 Melsec Iq-f Series 2026-04-15 7.5 High
Cleartext Transmission of Sensitive Information vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to obtain credential information by intercepting SLMP communication messages, and read or write the device values of the product and stop the operations of programs by using the obtained credential information.
CVE-2025-1060 2026-04-15 7.5 High
CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists that could result in the exposure of data when network traffic is being sniffed by an attacker.
CVE-2025-10641 1 Efficientlab 1 Workexaminer Professional 2026-04-15 7.1 High
All WorkExaminer Professional traffic between monitoring client, console and server is transmitted as plain text. This allows an attacker with access to the network to read the transmitted sensitive data. An attacker can also freely modify the data on the wire. The monitoring clients transmit their data to the server using the unencrypted FTP. Clients connect to the FTP server on port 12304 and transmit the data unencrypted. In addition, all traffic between the console client and the server at port 12306 is unencrypted.