CWE-319: Cleartext Transmission of Sensitive Information — known CVE vulnerabilities
CVEs classified under CWE-319 (Cleartext Transmission of Sensitive Information), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2025-4378 — CVSS 10.0 (critical): Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile…
CVE-2025-47419: Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic. The device allows…
CVE-2026-48902 — CVSS 9.8 (critical): The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
CVE-2025-34271 — CVSS 9.8 (critical): Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when requesting sensitive…
CVE-2025-32880 — CVSS 9.8 (critical): An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. With WLAN…
CVE-2025-26199 — CVSS 9.8 (critical): CloudClassroom-PHP-Project v1.0 is affected by an insecure credential transmission vulnerability. The application transmits passwords over…
CVE-2023-39245 — CVSS 9.8 (critical): DELL ESI (Enterprise Storage Integrator) for SAP LAMA, version 10.0, contains an information disclosure vulnerability in EHAC component. An…
CVE-2023-31410 — CVSS 9.8 (critical): A remote unprivileged attacker can intercept the communication via e.g. Man-In-The-Middle, due to the absence of Transport Layer Security…
CVE-2023-33730 — CVSS 9.8 (critical): Privilege Escalation in the "GetUserCurrentPwd" function in Microworld Technologies eScan Management Console 14.0.1400.2281 allows any…
CVE-2023-30354 — CVSS 9.8 (critical): Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 does not defend against physical access to U-Boot via the UART: the Wi-Fi…
CVE-2022-43724 — CVSS 9.8 (critical): A vulnerability has been identified in SICAM PAS/PQS (All versions < V7.0). Affected software transmits the database credentials for the…
CVE-2022-33321 — CVSS 9.8 (critical): Cleartext Transmission of Sensitive Information vulnerability due to the use of Basic Authentication for HTTP connections in Mitsubishi…
CVE-2022-21829 — CVSS 9.8 (critical): Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which…
CVE-2021-4161 — CVSS 9.8 (critical): The affected products contain vulnerable firmware, which could allow an attacker to sniff the traffic and decrypt login credential details…
CVE-2021-20623 — CVSS 9.8 (critical): Video Insight VMS versions prior to 7.8 allows a remote attacker to execute arbitrary code with the system user privilege by sending a…
CVE-2020-5426 — CVSS 9.8 (critical): Scheduler for TAS prior to version 1.4.0 was permitting plaintext transmission of UAA client token by sending it over a non-TLS connection…
CVE-2020-12040 — CVSS 9.8 (critical): Sigma Spectrum Infusion System v's6.x (model 35700BAX) and Baxter Spectrum Infusion System Version(s) 8.x (model 35700BAX2) at the…
CVE-2020-5594 — CVSS 9.8 (critical): Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series CPU modules all versions contain a vulnerability that allows cleartext…
CVE-2020-6195 — CVSS 9.8 (critical): SAP Business Objects Business Intelligence Platform (CMC), version 4.1, 4.2, shows cleartext password in the response, leading to…
CVE-2019-13394 — CVSS 9.8 (critical): The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses HTTP Basic Authentication over cleartext HTTP.
CVE-2020-10376 — CVSS 9.8 (critical): Technicolor TC7337NET 08.89.17.23.03 devices allow remote attackers to discover passwords by sniffing the network for an "Authorization…
CVE-2020-9550 — CVSS 9.8 (critical): Rubetek SmartHome 2020 devices use unencrypted 433 MHz communication between controllers and beacons, allowing an attacker to sniff and…
CVE-2020-9477 — CVSS 9.8 (critical): An issue was discovered on HUMAX HGA12R-02 BRGCAA 1.1.53 devices. A vulnerability in the authentication functionality in the web-based…
CVE-2019-15911 — CVSS 9.8 (critical): An issue was discovered on ASUS HG100, MW100, WS-101, TS-101, AS-101, MS-101, DL-101 devices using ZigBee PRO. Because of insecure key…
CVE-2019-16672 — CVSS 9.8 (critical): An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build…
CVE-2019-18852 — CVSS 9.8 (critical): Certain D-Link devices have a hardcoded Alphanetworks user account with TELNET access because of /etc/config/image_sign or…
CVE-2019-17393 — CVSS 9.8 (critical): The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by…
CVE-2019-5505 — CVSS 9.8 (critical): ONTAP Select Deploy administration utility versions 2.2 through 2.12.1 transmit credentials in plaintext.
CVE-2018-11422 — CVSS 9.8 (critical): Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary configuration protocol that does not provide…
CVE-2018-11421 — CVSS 9.8 (critical): Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary monitoring protocol that does not provide…
CVE-2019-3801 — CVSS 9.8 (critical): Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies…
CVE-2019-3793 — CVSS 9.8 (critical): Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7…
CVE-2019-6526 — CVSS 9.8 (critical): Moxa IKS-G6824A series Versions 4.5 and prior, EDS-405A series Version 3.8 and prior, EDS-408A series Version 3.8 and prior, and EDS-510A…
CVE-2018-11749 — CVSS 9.8 (critical): When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server…
CVE-2018-8855 — CVSS 9.8 (critical): Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all…
CVE-2018-7246 — CVSS 9.8 (critical): A cleartext transmission of sensitive information vulnerability exists in Schneider Electric's 66074 MGE Network Management Card Transverse…
CVE-2018-7259 — CVSS 9.8 (critical): The FSX / P3Dv4 installer 2.0.1.231 for Flight Sim Labs A320-X sends a user's Google account credentials to http://installLog.flightsimlabs…
CVE-2018-1297 — CVSS 9.8 (critical): When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to…
CVE-2017-15999 — CVSS 9.8 (critical): In the "NQ Contacts Backup & Restore" application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When…
CVE-2025-11492 — CVSS 9.6 (critical): In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor…
CVE-2025-7743 — CVSS 9.6 (critical): Cleartext Transmission of Sensitive Information vulnerability in Dolusoft Omaspot allows Interception, Privilege Escalation. This issue…
CVE-2024-6515 — CVSS 9.6 (critical): Web browser interface may manipulate application username/password in clear text or Base64 encoding providing a higher probability of…
CVE-2024-30209 — CVSS 9.6 (critical): A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating…
CVE-2022-2485 — CVSS 9.6 (critical): Any attempt (good or bad) to log into AutomationDirect Stride Field I/O with a web browser may result in the device responding with its…
CVE-2024-9834 — CVSS 9.3 (critical): Improper data protection on the ventilator's serial interface could allow an attacker to send and receive messages that result in…
CVE-2026-24060 — CVSS 9.1 (critical): Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an…
CVE-2025-65827 — CVSS 9.1 (critical): The mobile application is configured to allow clear text traffic to all domains and communicates with an API server over HTTP. As a result…
CVE-2024-12378 — CVSS 9.1 (critical): On affected platforms running Arista EOS with secure Vxlan configured, restarting the Tunnelsec agent will result in packets being sent…