CWE-319 · Cleartext Transmission of Sensitive Information
892 CVEs classified under CWE-319 (Cleartext Transmission of Sensitive Information). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-61481 | Critical | 10.0 | 2025-10-27 | An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by default, allowing an on-path attacker to… |
| CVE-2025-4378 | Critical | 10.0 | 2025-06-24 | Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentica… |
| CVE-2023-6248 | Critical | 10.0 | 2023-11-21 | The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code… |
| CVE-2015-0987 | Critical | 10.0 | 2015-10-06 | Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, and CJ2H PLC devices before 1.5 rely on cleartext password transmission, which allows remot… |
| CVE-2026-48902 | Critical | 9.8 | 2026-05-26 | The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. |
| CVE-2025-34271 | Critical | 9.8 | 2025-10-30 | Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when requesting sensitive credentials from peer nodes o… |
| CVE-2025-56447 | Critical | 9.8 | 2025-10-22 | TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure. |
| CVE-2025-32880 | Critical | 9.8 | 2025-06-20 | An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. With WLAN access, the COROS Pace 3 d… |
| CVE-2025-26199 | Critical | 9.8 | 2025-06-18 | CloudClassroom-PHP-Project v1.0 is affected by an insecure credential transmission vulnerability. The application transmits passwords over unencrypted HTTP dur… |
| CVE-2023-39245 | Critical | 9.8 | 2024-02-15 | DELL ESI (Enterprise Storage Integrator) for SAP LAMA, version 10.0, contains an information disclosure vulnerability in EHAC component. A remote unauthentic… |
| CVE-2023-31410 | Critical | 9.8 | 2023-06-19 | A remote unprivileged attacker can intercept the communication via e.g. Man-In-The-Middle, due to the absence of Transport Layer Security (TLS) in the SICK Eve… |
| CVE-2023-33730 | Critical | 9.8 | 2023-05-31 | Privilege Escalation in the "GetUserCurrentPwd" function in Microworld Technologies eScan Management Console 14.0.1400.2281 allows any remote attacker to retri… |
| CVE-2023-30354 | Critical | 9.8 | 2023-05-10 | Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 does not defend against physical access to U-Boot via the UART: the Wi-Fi password is shown, and th… |
| CVE-2022-47714 | Critical | 9.8 | 2023-02-01 | Last Yard 22.09.8-1 does not enforce HSTS headers |
| CVE-2022-43724 | Critical | 9.8 | 2022-12-13 | A vulnerability has been identified in SICAM PAS/PQS (All versions < V7.0). Affected software transmits the database credentials for the inbuilt SQL server in… |
| CVE-2022-33321 | Critical | 9.8 | 2022-11-08 | Cleartext Transmission of Sensitive Information vulnerability due to the use of Basic Authentication for HTTP connections in Mitsubishi Electric consumer elect… |
| CVE-2022-21829 | Critical | 9.8 | 2022-06-24 | Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE… |
| CVE-2021-4161 | Critical | 9.8 | 2021-12-27 | The affected products contain vulnerable firmware, which could allow an attacker to sniff the traffic and decrypt login credential details. This could give an… |
| CVE-2021-20623 | Critical | 9.8 | 2021-02-05 | Video Insight VMS versions prior to 7.8 allows a remote attacker to execute arbitrary code with the system user privilege by sending a specially crafted reques… |
| CVE-2020-5426 | Critical | 9.8 | 2020-11-11 | Scheduler for TAS prior to version 1.4.0 was permitting plaintext transmission of UAA client token by sending it over a non-TLS connection. This also depended… |