CWE-256
Plaintext Storage of a Password
Description
The product stores a password in plaintext within resources such as memory or files.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (153)
page 4 of 8| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-4232 | Med | 0.27 | 4.1 | 0.00 | May 14, 2024 | This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to lack of encryption or hashing in storing of passwords within the router's firmware/ database. An attacker with physical access could exploit this by extracting the… | ||
| CVE-2025-24375 | Med | 0.26 | 5.0 | 0.00 | Apr 9, 2025 | Charmed MySQL K8s operator is a Charmed Operator for running MySQL on Kubernetes. Before revision 221, the method for calling a SQL DDL or python based mysql-shell scripts can leak database users credentials. The method mysql-operator calls mysql-shell application rely on… | ||
| CVE-2025-5760 | Med | 0.25 | 4.9 | 0.00 | Jun 6, 2025 | The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin’s logger captures the… | ||
| CVE-2017-9856 | Low | 0.22 | 3.4 | 0.01 | Aug 5, 2017 | An issue was discovered in SMA Solar Technology products. Sniffed passwords from SMAdata2+ communication can be decrypted very easily. The passwords are "encrypted" using a very simple encryption algorithm. This enables an attacker to find the plaintext passwords and… | ||
| CVE-2025-2355 | Low | 0.21 | 3.3 | 0.00 | Mar 17, 2025 | A vulnerability was found in BlackVue App 3.65 on Android and classified as problematic. Affected by this issue is some unknown functionality of the component API Endpoint Handler. The manipulation of the argument BCS_TOKEN/SECRET_KEY leads to unprotected storage of credentials.… | ||
| CVE-2026-6597 | — | Low | 0.18 | 2.7 | 0.00 | Apr 20, 2026 | A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The… | |
| CVE-2026-4251 | Low | 0.16 | 2.5 | 0.00 | Mar 16, 2026 | A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to… | ||
| CVE-2026-4250 | Low | 0.16 | 2.5 | 0.00 | Mar 16, 2026 | A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results… | ||
| CVE-2026-4243 | Low | 0.16 | 2.5 | 0.00 | Mar 16, 2026 | A weakness has been identified in La Nacion App 10.2.25 on Android. This impacts an unknown function of the file source/app/lanacion/clublanacion/BuildConfig.java of the component app.lanacion.activity. Executing a manipulation of the argument API_KEY_WEBSOCKET_CV can lead to… | ||
| CVE-2026-4242 | Low | 0.16 | 2.5 | 0.00 | Mar 16, 2026 | A security flaw has been discovered in BabyChakra Pregnancy & Parenting App up to 5.4.3.0 on Android. This affects an unknown function of the file file app/babychakra/babychakra/Configuration.java of the component app.babychakra.babychakra. Performing a manipulation of the… | ||
| CVE-2026-4217 | Low | 0.16 | 2.5 | 0.00 | Mar 16, 2026 | A security vulnerability has been detected in XREAL Nebula App up to 3.2.1 on Android. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument… | ||
| CVE-2024-42496 | Low | 0.16 | 2.4 | 0.00 | Sep 30, 2024 | Smart-tab Android app installed April 2023 or earlier contains an issue with plaintext storage of a password. If this vulnerability is exploited, an attacker with physical access to the device may retrieve the credential information and spoof the device to access the related… | ||
| CVE-2023-5775 | Low | 0.07 | 2.2 | 0.00 | Feb 26, 2024 | The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated… | ||
| CVE-2026-33216 | 0.00 | — | 0.00 | Mar 25, 2026 | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and… | |||
| CVE-2026-28360 | 0.00 | — | 0.00 | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3. | |||
| CVE-2025-53677 | 0.00 | — | 0.00 | Jul 9, 2025 | Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it. | |||
| CVE-2025-53675 | 0.00 | — | 0.00 | Jul 9, 2025 | Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||
| CVE-2025-53674 | 0.00 | — | 0.00 | Jul 9, 2025 | Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it. | |||
| CVE-2025-53671 | 0.00 | — | 0.00 | Jul 9, 2025 | Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | |||
| CVE-2025-53669 | 0.00 | — | 0.00 | Jul 9, 2025 | Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
- risk 0.27cvss 4.1epss 0.00
This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to lack of encryption or hashing in storing of passwords within the router's firmware/ database. An attacker with physical access could exploit this by extracting the…
- risk 0.26cvss 5.0epss 0.00
Charmed MySQL K8s operator is a Charmed Operator for running MySQL on Kubernetes. Before revision 221, the method for calling a SQL DDL or python based mysql-shell scripts can leak database users credentials. The method mysql-operator calls mysql-shell application rely on…
- risk 0.25cvss 4.9epss 0.00
The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin’s logger captures the…
- risk 0.22cvss 3.4epss 0.01
An issue was discovered in SMA Solar Technology products. Sniffed passwords from SMAdata2+ communication can be decrypted very easily. The passwords are "encrypted" using a very simple encryption algorithm. This enables an attacker to find the plaintext passwords and…
- risk 0.21cvss 3.3epss 0.00
A vulnerability was found in BlackVue App 3.65 on Android and classified as problematic. Affected by this issue is some unknown functionality of the component API Endpoint Handler. The manipulation of the argument BCS_TOKEN/SECRET_KEY leads to unprotected storage of credentials.…
- risk 0.18cvss 2.7epss 0.00
A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The…
- risk 0.16cvss 2.5epss 0.00
A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to…
- risk 0.16cvss 2.5epss 0.00
A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results…
- risk 0.16cvss 2.5epss 0.00
A weakness has been identified in La Nacion App 10.2.25 on Android. This impacts an unknown function of the file source/app/lanacion/clublanacion/BuildConfig.java of the component app.lanacion.activity. Executing a manipulation of the argument API_KEY_WEBSOCKET_CV can lead to…
- risk 0.16cvss 2.5epss 0.00
A security flaw has been discovered in BabyChakra Pregnancy & Parenting App up to 5.4.3.0 on Android. This affects an unknown function of the file file app/babychakra/babychakra/Configuration.java of the component app.babychakra.babychakra. Performing a manipulation of the…
- risk 0.16cvss 2.5epss 0.00
A security vulnerability has been detected in XREAL Nebula App up to 3.2.1 on Android. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument…
- risk 0.16cvss 2.4epss 0.00
Smart-tab Android app installed April 2023 or earlier contains an issue with plaintext storage of a password. If this vulnerability is exploited, an attacker with physical access to the device may retrieve the credential information and spoof the device to access the related…
- risk 0.07cvss 2.2epss 0.00
The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated…
- CVE-2026-33216Mar 25, 2026risk 0.00cvss —epss 0.00
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and…
- CVE-2026-28360Mar 2, 2026risk 0.00cvss —epss 0.00
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3.
- CVE-2025-53677Jul 9, 2025risk 0.00cvss —epss 0.00
Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it.
- CVE-2025-53675Jul 9, 2025risk 0.00cvss —epss 0.00
Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
- CVE-2025-53674Jul 9, 2025risk 0.00cvss —epss 0.00
Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it.
- CVE-2025-53671Jul 9, 2025risk 0.00cvss —epss 0.00
Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
- CVE-2025-53669Jul 9, 2025risk 0.00cvss —epss 0.00
Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.