CWE-522: Insufficiently Protected Credentials — known CVE vulnerabilities
CVEs classified under CWE-522 (Insufficiently Protected Credentials), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-7312 — CVSS 10.0 (critical): CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200…
CVE-2025-54863 — CVSS 10.0 (critical): Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file. This allows…
CVE-2024-12799: Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64 bit allows Privilege…
CVE-2024-51545 — CVSS 10.0 (critical): Username Enumeration vulnerabilities allow access to application level username add, delete, modify and list functions. Affected products…
CVE-2023-1778 — CVSS 10.0 (critical): This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to insecure default…
CVE-2020-6961 — CVSS 10.0 (critical): In ApexPro Telemetry Server, Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions…
CVE-2026-56843 — CVSS 9.9 (critical): Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up…
CVE-2025-64420 — CVSS 9.9 (critical): Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and…
CVE-2025-0867 — CVSS 9.9 (critical): The standard user uses the run as function to start the MEAC applications with administrative privileges. To ensure that the system can…
CVE-2024-9014 — CVSS 9.9 (critical): pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to…
CVE-2019-1384 — CVSS 9.9 (critical): A security feature bypass vulnerability exists where a NETLOGON message is able to obtain the session key and sign messages.To exploit this…
CVE-2026-9079 — CVSS 9.8 (critical): libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials…
CVE-2026-21660 — CVSS 9.8 (critical): Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls…
CVE-2026-23958 — CVSS 9.8 (critical): Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password…
CVE-2026-22043 — CVSS 9.8 (critical): RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only`…
CVE-2025-34196 — CVSS 9.8 (critical): Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application prior to 25.1.1413 (Windows client…
CVE-2025-6519 — CVSS 9.8 (critical): E3 Site Supervisor (firmware version < 2.31F01) has a default admin user "ONEDAY" with a daily generated password. An attacker can…
CVE-2025-52549 — CVSS 9.8 (critical): E3 Site Supervisor Control (firmware version < 2.31F01) generates the root linux password on each boot. An attacker can generate the root…
CVE-2025-52095 — CVSS 9.8 (critical): An issue in PDQ Smart Deploy V.3.0.2040 allows an attacker to escalate privileges via the Credential encryption routines in SDCommon.dll
CVE-2025-55306 — CVSS 9.8 (critical): GenX_FX is an advance IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API…
CVE-2025-54428 — CVSS 9.8 (critical): RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In…
CVE-2025-25570 — CVSS 9.8 (critical): Vue Vben Admin 2.10.1 allows unauthorized login to the backend due to an issue with hardcoded credentials.
CVE-2025-0890 — CVSS 9.8 (critical): **UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware…
CVE-2025-0498 — CVSS 9.8 (critical): A data exposure vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The…
CVE-2025-0497 — CVSS 9.8 (critical): A data exposure vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The…
CVE-2025-0477 — CVSS 9.8 (critical): An encryption vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability…
CVE-2024-57395 — CVSS 9.8 (critical): Password Vulnerability in Safety production process management system v1.0 allows a remote attacker to escalate privileges, execute…
CVE-2023-48010 — CVSS 9.8 (critical): STMicroelectronics SPC58 is vulnerable to Missing Protection Mechanism for Alternate Hardware Interface. Code running as Supervisor on the…
CVE-2024-32238 — CVSS 9.8 (critical): H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the…
CVE-2023-47577 — CVSS 9.8 (critical): An issue discovered in Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 allows for unauthorized password changes due to no check for current…
CVE-2023-27132 — CVSS 9.8 (critical): TSplus Remote Work 16.0.0.0 places a cleartext password on the "var pass" line of the HTML source code for the secure single sign-on web…
CVE-2022-45611 — CVSS 9.8 (critical): An issue was discovered in Fresenius Kabi PharmaHelp 5.1.759.0 allows attackers to gain escalated privileges via via capture of user login…
CVE-2023-20965 — CVSS 9.8 (critical): In processMessageImpl of ClientModeImpl.java, there is a possible credential disclosure in the TOFU flow due to a logic error in the code…
CVE-2023-36082 — CVSS 9.8 (critical): An isssue in GatesAIr Flexiva FM Transmitter/Exiter Fax 150W allows a remote attacker to gain privileges via the LDAP and SMTP credentials.
CVE-2023-34128 — CVSS 9.8 (critical): Tomcat application credentials are hardcoded in SonicWall GMS and Analytics configuration file. This issue affects GMS: 9.3.2-SP1 and…
CVE-2022-45599 — CVSS 9.8 (critical): Aztech WMB250AC Mesh Routers Firmware Version 016 2020 is vulnerable to PHP Type Juggling in file /var/www/login.php, allows attackers to…
CVE-2022-46967 — CVSS 9.8 (critical): An access control issue in Revenue Collection System v1.0 allows unauthenticated attackers to view the contents of /admin/DBbackup/…
CVE-2022-4693 — CVSS 9.8 (critical): The User Verification WordPress plugin before 1.0.94 was affected by an Auth Bypass security vulnerability. To bypass authentication, we…
CVE-2022-37109 — CVSS 9.8 (critical): patrickfuller camp up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767 is vulnerable to Incorrect Access Control. Access to…
CVE-2022-30601 — CVSS 9.8 (critical): Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially…
CVE-2022-35411 — CVSS 9.8 (critical): rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other…
CVE-2022-31887 — CVSS 9.8 (critical): Marval MSM v14.19.0.12476 has a 0-Click Account Takeover vulnerability which allows an attacker to change any user's password in the…
CVE-2022-2103 — CVSS 9.8 (critical): An attacker with weak credentials could access the TCP port via an open FTP port, allowing an attacker to read sensitive files and write to…