CWE-312: Cleartext Storage of Sensitive Information — known CVE vulnerabilities
CVEs classified under CWE-312 (Cleartext Storage of Sensitive Information), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2022-43757 — CVSS 9.9 (critical): A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials…
CVE-2021-36782 — CVSS 9.9 (critical): A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project…
CVE-2020-9045 — CVSS 9.9 (critical): During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the…
CVE-2026-31848 — CVSS 9.8 (critical): Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecos_pw cookie for authentication, which contains Base64-encoded…
CVE-2025-65826 — CVSS 9.8 (critical): The mobile application was found to contain stored credentials for the network it was developed on. If an attacker retrieved this, and…
CVE-2025-34206 — CVSS 9.8 (critical): Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) mount host configuration and secret…
CVE-2025-30124 — CVSS 9.8 (critical): An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. When a new SD card is inserted into the dashcam, the existing password…
CVE-2024-46340 — CVSS 9.8 (critical): TL-WR845N(UN)_V4_201214, TP-Link TL-WR845N(UN)_V4_200909, and TL-WR845N(UN)_V4_190219 was discovered to transmit user credentials in…
CVE-2023-31069 — CVSS 9.8 (critical): An issue was discovered in TSplus Remote Access through 16.0.2.14. Credentials are stored as cleartext within the HTML source code of the…
CVE-2023-33373 — CVSS 9.8 (critical): Connected IO v2.1.0 and prior keeps passwords and credentials in clear-text format, allowing attackers to exfiltrate the credentials and…
CVE-2022-26148 — CVSS 9.8 (critical): An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML…
CVE-2021-29954 — CVSS 9.8 (critical): Proxy functionality built into Hubs Cloud’s Reticulum software allowed access to internal URLs, including the metadata service. This…
CVE-2019-18868 — CVSS 9.8 (critical): Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to access MySQL credentials in cleartext in /engine/db.inc…
CVE-2020-5723 — CVSS 9.8 (critical): The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve…
CVE-2019-19228 — CVSS 9.8 (critical): Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allow attackers to bypass authentication because the password for the today…
CVE-2019-13096 — CVSS 9.8 (critical): TronLink Wallet 2.2.0 stores user wallet keystore in plaintext and places them in insecure storage. An attacker can read and reuse the user…
CVE-2019-9873 — CVSS 9.8 (critical): In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted…
CVE-2019-9823 — CVSS 9.8 (critical): In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext…
CVE-2019-11384 — CVSS 9.8 (critical): The Zalora application 6.15.1 for Android stores confidential information insecurely on the system (i.e. plain text), which allows a…
CVE-2019-0285 — CVSS 9.8 (critical): The .NET SDK WebForm Viewer in SAP Crystal Reports for Visual Studio (fixed in version 2010) discloses sensitive database information…
CVE-2018-18641 — CVSS 9.8 (critical): An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has…
CVE-2018-18394 — CVSS 9.8 (critical): Sensitive Information Stored in Clear Text in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
CVE-2017-5250 — CVSS 9.8 (critical): In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored…
CVE-2017-5249 — CVSS 9.8 (critical): In version 6.1.0.19 and prior of Wink Labs's Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not…
CVE-2008-0174 — CVSS 9.8 (critical): GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier uses HTTP Basic Authentication, which transmits usernames and passwords in…
CVE-2001-1481 — CVSS 9.8 (critical): Xitami 2.4 through 2.5 b4 stores the Administrator password in plaintext in the default.aut file, whose default permissions are…
CVE-2023-1897 — CVSS 9.4 (critical): Atlas Copco Power Focus 6000 web server does not sanitize the login information stored by the authenticated user’s browser, which could…
CVE-2025-14815: Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric…
CVE-2026-33026 — CVSS 9.1 (critical): Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers…
CVE-2025-55443 — CVSS 9.1 (critical): Telpo MDM 1.4.6 thru 1.4.9 for Android contains sensitive administrator credentials and MQTT server connection details (IP/port) that are…
CVE-2024-40457 — CVSS 9.1 (critical): No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. NOTE: the vendor's…
CVE-2024-36497 — CVSS 9.1 (critical): The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the…
CVE-2022-25158 — CVSS 9.1 (critical): Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi…
CVE-2020-12032 — CVSS 9.1 (critical): Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1, 1.2 systems store device data with sensitive information in…
CVE-2024-9798 — CVSS 9.0 (critical): The health endpoint is public so everybody can see a list of all services. It is potentially valuable information for attackers.
CVE-2025-14377: A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets…
CVE-2024-28809 — CVSS 8.8 (high): An issue was discovered in Infinera hiT 7300 5.60.50. Cleartext storage of sensitive password in firmware update packages allows attackers…
CVE-2024-36790 — CVSS 8.8 (high): Netgear WNR614 JNR1010V2/N300-V1.1.0.54_1.0.1 was discovered to store credentials in plaintext.
CVE-2021-37157 — CVSS 8.8 (high): An issue was discovered in OpenGamePanel OGP-Agent-Linux through 2021-08-14. $HOME/OGP/Cfg/Config.pm has the root password in cleartext.
CVE-2020-5805 — CVSS 8.8 (high): In Marvell QConvergeConsole GUI <= 5.5.0.74, credentials are stored in cleartext in tomcat-users.xml. OS-level users on the QCC host who…
CVE-2019-10449 — CVSS 8.8 (high): Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by…
CVE-2019-10443 — CVSS 8.8 (high): Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be…
CVE-2019-10440 — CVSS 8.8 (high): Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the…
CVE-2019-10351 — CVSS 8.8 (high): Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users…
CVE-2019-10350 — CVSS 8.8 (high): Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by…
CVE-2019-10348 — CVSS 8.8 (high): Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with…
CVE-2019-11966 — CVSS 8.8 (high): A remote privilege escalation vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3…
CVE-2024-58277: R Radio Network FM Transmitter 1.07 allows unauthenticated attackers to access the admin user's password through the system.cgi endpoint…