VYPR

CWE-319

Cleartext Transmission of Sensitive Information

Base · Draft · Likelihood: High

Description

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-117 · CAPEC-383 · CAPEC-477 · CAPEC-65

CVEs mapped to this weakness (302)

page 11 of 16
  • CVE-2026-45179 · Med · May 10, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked. Since version…

  • CVE-2026-31924 · Med · Apr 14, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. The tencent-cloud-cls log export uses plaintext HTTP. This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

  • CVE-2017-9637 · Med · May 18, 2018
    risk 0.27 · cvss 4.1 · epss 0.00

    Schneider Electric Ampla MES 6.4 provides capability to interact with data from third party databases. When connectivity to those databases is configured to use a SQL user name and password, an attacker may be able to sniff details from the connection string. Schneider Electric…

  • CVE-2025-59852 · Low · May 6, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL DFXAnalytics is affected by an Insufficient Transport Layer Protection vulnerability where data is transmitted over the network without encryption, which could allow an attacker to compromise the confidentiality, integrity, and authentication of sensitive information.

  • CVE-2026-7610 · Low · May 2, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    A vulnerability has been found in TRENDnet TEW-821DAP 1.12B01. This affects an unknown function of the file /www/cgi/ssi of the component Firmware Update. Such manipulation leads to cleartext transmission of sensitive information. The attack can be executed remotely. This attack…

  • CVE-2026-33472 · Med · Apr 16, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on…

  • CVE-2017-20200 · Low · Sep 23, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A vulnerability has been found in Coinomi up to 1.7.6. This issue affects some unknown processing. Such manipulation leads to cleartext transmission of sensitive information. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability…

  • CVE-2025-10776 · Low · Sep 22, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A vulnerability was detected in LionCoders SalePro POS up to 5.5.0. This issue affects some unknown processing of the component Login. Performing manipulation results in cleartext transmission of sensitive information. The attack can be initiated remotely. The attack is…

  • CVE-2025-8741 · Low · Aug 8, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A vulnerability was found in macrozheng mall up to 1.0.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/login. The manipulation leads to cleartext transmission of sensitive information. The attack can be…

  • CVE-2025-8205 · Low · Jul 26, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A vulnerability, which was classified as problematic, has been found in Comodo Dragon up to 134.0.6998.179. Affected by this issue is some unknown functionality of the component IP DNS Leakage Detector. The manipulation leads to cleartext transmission of sensitive information.…

  • CVE-2025-2818 · Low · Jul 17, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    A vulnerability was reported in version 1.0 of the Bluetooth Transmission Alliance protocol adopted by Motorola Smart Connect Android Application that could allow a nearby attacker within the Bluetooth interaction range to intercept files when transferred to a device not paired…

  • CVE-2026-7666 · Low · Jun 3, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path…

  • CVE-2026-4584 · Low · Mar 23, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    A flaw has been found in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. This affects an unknown part of the component Cardholder Data Handler. Executing a manipulation can lead to cleartext transmission of sensitive information. The attack requires access to the local network.…

  • CVE-2026-2671 · Low · Mar 7, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability was detected in Mendi Neurofeedback Headset V4. Affected by this vulnerability is an unknown functionality of the component Bluetooth Low Energy Handler. Performing a manipulation results in cleartext transmission of sensitive information. The attack can only be…

  • CVE-2024-47577 · Low · Dec 10, 2024
    risk 0.18 · cvss 2.7 · epss 0.00

    Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud have an information disclosure vulnerability. When an authorized agent searches for a customer to manage their accounts, the request URL includes customer data and it is recorded in server logs. If an…

  • CVE-2026-25608 · Low · May 22, 2026
    risk 0.15 · cvss · epss 0.00

    STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed in version 9.5.

  • CVE-2025-61738 · Low · Dec 22, 2025
    risk 0.15 · cvss · epss 0.00

    Under certain circumstances, an attacker can capture the network key and read or write encrypted packets on the PowerG network.

  • CVE-2025-54799 · Low · Aug 7, 2025
    risk 0.08 · cvss · epss 0.00

    Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) doesn't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge…

  • CVE-2026-55568 · Jun 19, 2026
    risk 0.00 · cvss · epss 0.00

    Impact: The built-in cURL handlers (`GuzzleHttp\Handler\CurlHandler` and `GuzzleHttp\Handler\CurlMultiHandler`, used by default whenever the PHP cURL extension is available) accept an `https://` proxy — a proxy reached over a TLS-encrypted connection — through the…

  • CVE-2026-48022 · Jun 11, 2026
    risk 0.00 · cvss · epss 0.00

    Impact: Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes…