VYPR

CWE-319

Cleartext Transmission of Sensitive Information

Base · Draft · Likelihood: High

Description

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-117 · CAPEC-383 · CAPEC-477 · CAPEC-65

CVEs mapped to this weakness (302)

page 6 of 16
  • CVE-2026-8874 · High · Jun 3, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent…

  • CVE-2026-6066 · High · Apr 20, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based…

  • CVE-2025-10641 · High · Oct 21, 2025
    risk 0.46 · cvss 7.1 · epss 0.00

    All WorkExaminer Professional traffic between monitoring client, console and server is transmitted as plain text. This allows an attacker with access to the network to read the transmitted sensitive data. An attacker can also freely modify the data on the wire. The monitoring…

  • CVE-2025-8863 · High · Aug 11, 2025
    risk 0.46 · cvss n/a · epss 0.00

    YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission

  • CVE-2025-24849 · High · Feb 28, 2025
    risk 0.46 · cvss 7.1 · epss 0.00

    Lack of encryption in transit for cloud infrastructure facilitating potential for sensitive data manipulation or exposure.

  • CVE-2022-32510 · High · May 14, 2024
    risk 0.46 · cvss 7.1 · epss 0.00

    An issue was discovered on certain Nuki Home Solutions devices. The HTTP API exposed by a Bridge used an unencrypted channel to provide an administrative interface. A token can be easily eavesdropped by a malicious actor to impersonate a legitimate user and gain access to the…

  • CVE-2024-31206 · High · Apr 4, 2024
    risk 0.46 · cvss 8.2 · epss 0.00

    dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `dectalk-tts@1.0.0`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the…

  • CVE-2017-1181 · High · Jul 17, 2017
    risk 0.46 · cvss 7.0 · epss 0.00

    IBM Tivoli Monitoring Portal V6 client could allow a local attacker to gain elevated privileges for IBM Tivoli Monitoring, caused by the default console connection not being encrypted. IBM X-Force ID: 123487.

  • CVE-2025-52586 · Medium · Aug 8, 2025
    risk 0.45 · cvss 6.9 · epss 0.00

    The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data,…

  • CVE-2025-26654 · Medium · Apr 8, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    SAP Commerce Cloud (Public Cloud) does not allow to disable unencrypted HTTP (port 80) entirely, but instead allows a redirect from port 80 to 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent on…

  • CVE-2024-45102 · Medium · Jan 14, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    A privilege escalation vulnerability was discovered that could allow a valid, authenticated LXCA user to escalate their permissions for a connected XCC instance when using LXCA as a Single Sign On (SSO) provider for XCC instances.

  • CVE-2024-45101 · Medium · Sep 13, 2024
    risk 0.44 · cvss 6.8 · epss 0.00

    A privilege escalation vulnerability was discovered when Single Sign On (SSO) is enabled that could allow an attacker to intercept a valid, authenticated LXCA user’s XCC session if they can convince the user to click on a specially crafted URL.

  • CVE-2018-11402 · Medium · May 24, 2018
    risk 0.43 · cvss 6.6 · epss 0.00

    SimpliSafe Original has Unencrypted Keypad Transmissions, which allows physically proximate attackers to discover the PIN.

  • CVE-2026-9741 · Medium · Jun 9, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as…

  • CVE-2026-6276 · High · May 13, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first…

  • CVE-2026-45180 · High · May 10, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an…

  • CVE-2026-33569 · Medium · Apr 17, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise the device.

  • CVE-2026-22155 · Medium · Apr 14, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise…

  • CVE-2026-31923 · High · Apr 14, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade…

  • CVE-2025-10540 · Medium · Sep 25, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    iMonitor EAM 9.6394 transmits communication between the EAM client agent and the EAM server, as well as between the EAM monitor management software and the server, in plaintext without authentication or encryption. An attacker with network access can intercept sensitive…