CWE-256
Plaintext Storage of a Password
Description
The product stores a password in plaintext within resources such as memory or files.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (153)
page 2 of 8

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-35067 | | High | 0.49 | 7.5 | 0.00 | | Jul 25, 2023 | Plaintext Storage of a Password vulnerability in Infodrom Software E-Invoice Approval System allows Read Sensitive Strings Within an Executable. This issue affects E-Invoice Approval System: before v.20230701. |
| CVE-2024-39575 | | High | 0.48 | 7.4 | 0.00 | | Jun 16, 2026 | update_disk_psu_baseline.sh requires password in plain text |
| CVE-2025-2500 | — | High | 0.48 | 7.4 | 0.00 | | May 30, 2025 | A vulnerability exists in the SOAP Web services of the Asset Suite versions listed below. If successfully exploited, an attacker could gain unauthorized access to the product and the time window of a possible password attack could be expanded. |
| CVE-2024-27166 | — | High | 0.48 | 7.4 | 0.00 | | Jun 14, 2024 | Coredump binaries in Toshiba printers have incorrect permissions. A local attacker can steal confidential information. As for the affected products/models/versions, see the reference URL. |
| CVE-2024-10334 | | High | 0.47 | 7.3 | 0.00 | | Feb 10, 2025 | A vulnerability exists in the VideONet product included in the listed System 800xA versions, where VideONet is used. An attacker who successfully exploited the vulnerability could, in the worst case scenario, stop or manipulate the video feed. This issue affects System 800xA:… |
| CVE-2024-43659 | | High | 0.47 | 7.2 | 0.01 | | Jan 9, 2025 | After gaining access to the firmware of a charging station, a file at can be accessed to obtain default credentials that are the same across all Iocharger AC model EV chargers. This issue affects Iocharger firmware for AC models before firmware version 25010801. … |
| CVE-2024-11982 | — | High | 0.47 | 7.2 | 0.01 | | Nov 29, 2024 | Certain models of routers from Billion Electric has a Plaintext Storage of a Password vulnerability. Remote attackers with administrator privileges can access the user settings page to retrieve plaintext passwords. |
| CVE-2024-3625 | | High | 0.47 | 7.3 | 0.00 | | Apr 25, 2024 | A flaw was found in Quay, where Quay's database is stored in plain text in mirror-registry on Jinja's config.yaml file. This issue leaves the possibility of a malicious actor with access to this file to gain access to Quay's Redis instance. |
| CVE-2024-3624 | | High | 0.47 | 7.3 | 0.00 | | Apr 25, 2024 | A flaw was found in how Quay's database is stored in plain-text in mirror-registry on the jinja's config.yaml file. This flaw allows a malicious actor with access to this file to gain access to Quay's database. |
| CVE-2025-65009 | | High | 0.46 | — | 0.00 | | Dec 18, 2025 | In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) admin password is stored in configuration file as plaintext and can be obtained by unauthorized user by direct references to the resource in question. The vendor was notified early about this vulnerability, but… |
| CVE-2024-28736 | | High | 0.46 | 7.1 | 0.03 | | May 31, 2024 | An issue in Debezium Community debezium-ui v.2.5 allows a local attacker to execute arbitrary code via the refresh page function. |
| CVE-2024-43378 | | High | 0.44 | 7.8 | 0.00 | | Aug 16, 2024 | calamares-nixos-extensions provides Calamares branding and modules for NixOS, a distribution of GNU/Linux. Users who installed NixOS through the graphical installer who used manual disk partitioning to create a setup where the system was booted via legacy BIOS rather than UEFI;… |
| CVE-2025-61680 | | Medium | 0.43 | — | 0.00 | | Oct 3, 2025 | Minecraft RCON Terminal is a VS Code extension that streamlines Minecraft server management. Versions 0.1.0 through 2.0.6 stores passwords using VS Code's configuration API which writes to settings.json in plaintext. This issue is fixed in version 2.1.0. |
| CVE-2025-0936 | | Medium | 0.42 | 6.5 | 0.00 | | May 7, 2025 | On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly on other remote… |
| CVE-2024-22032 | | Medium | 0.42 | 6.5 | 0.00 | | Oct 16, 2024 | A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled. When reconciling, the Kube API secret values are written in plaintext on the AppliedSpec. Cluster owners, Cluster members, and Project… |
| CVE-2024-39220 | | Medium | 0.42 | 6.5 | 0.00 | | Jul 3, 2024 | BAS-IP AV-01D, AV-01MD, AV-01MFD, AV-01ED, AV-01KD, AV-01BD, AV-01KBD, AV-02D, AV-02IDE, AV-02IDR, AV-02IPD, AV-02FDE, AV-02FDR, AV-03D, AV-03BD, AV-04AFD, AV-04ASD, AV-04FD, AV-04SD, AV-05FD, AV-05SD, AA-07BD, AA-07BDI, BA-04BD, BA-04MD, BA-08BD, BA-08MD, BA-12BD, BA-12MD,… |
| CVE-2024-25138 | | Medium | 0.42 | 6.5 | 0.00 | | Mar 26, 2024 | In AutomationDirect C-MORE EA9 HMI, credentials used by the platform are stored as plain text on the device. |
| CVE-2025-36335 | | Medium | 0.40 | 6.2 | 0.00 | | Apr 30, 2026 | IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user. |
| CVE-2025-25051 | — | Medium | 0.40 | 6.1 | 0.00 | | Jan 22, 2026 | An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks. |
| CVE-2018-25130 | | Medium | 0.40 | 6.2 | 0.00 | | Dec 24, 2025 | Beward Intercom 2.3.1 contains a credentials disclosure vulnerability that allows local attackers to access plain-text authentication credentials stored in an unencrypted database file. Attackers can read the BEWARD.INTERCOM.FDB file to extract usernames and passwords, enabling… |