Total
489 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-6274 | 1 Git-annex Project | 1 Git-annex | 2025-08-06 | N/A | 7.5 HIGH |
| git-annex had a bug in the S3 and Glacier remotes where if embedcreds=yes was set, and the remote used encryption=pubkey or encryption=hybrid, the embedded AWS credentials were stored in the git repository in (effectively) plaintext, not encrypted as they were supposed to be. This issue affects git-annex: from 3.20121126 before 5.20140919. | |||||
| CVE-2024-20515 | 1 Cisco | 1 Identity Services Engine | 2025-08-05 | N/A | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information from an affected device. This vulnerability is due to a lack of proper data protection mechanisms for certain configuration settings. An attacker with Read-Only Administrator privileges could exploit this vulnerability by browsing to a page that contains sensitive data. A successful exploit could allow the attacker to view device credentials that are normally not visible to Read-Only Administrators. | |||||
| CVE-2025-43274 | 1 Apple | 1 Macos | 2025-07-31 | N/A | 4.4 MEDIUM |
| A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.6. A sandboxed process may be able to circumvent sandbox restrictions. | |||||
| CVE-2025-32874 | 2025-07-29 | N/A | 7.4 HIGH | ||
| An issue was discovered in Kaseya Rapid Fire Tools Network Detective through 2.0.16.0. A vulnerability exists in the EncryptionUtil class because symmetric encryption is implemented in a deterministic and non-randomized fashion. The method Encrypt(byte[] clearData) derives both the encryption key and the IV from a fixed, hardcoded input by using a static salt value. As a result, identical plaintext inputs always produce identical ciphertext outputs. This is true for both FIPS and non-FIPS generated passwords. In other words, there is a cryptographic implementation flaw in the password encryption mechanism. Although there are multiple encryption methods grouped under FIPS and non-FIPS classifications, the logic consistently results in predictable and reversible encrypted outputs due to the lack of per-operation randomness and encryption authentication. | |||||
| CVE-2025-40680 | 2025-07-25 | N/A | N/A | ||
| Lack of sensitive data encryption in CapillaryScope v2.5.0 of Capillary io, which stores both the proxy credentials and the JWT session token in plain text within different registry keys on the Windows operating system. Any authenticated local user with read access to the registry can extract these sensitive values. | |||||
| CVE-2025-53668 | 1 Jenkins | 1 Vaddy | 2025-07-18 | N/A | 6.5 MEDIUM |
| Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2025-53666 | 1 Jenkins | 1 Dead Man\'s Snitch | 2025-07-18 | N/A | 6.5 MEDIUM |
| Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2025-53653 | 1 Jenkins | 1 Aqua Security Scanner | 2025-07-18 | N/A | 4.3 MEDIUM |
| Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2025-53659 | 1 Jenkins | 1 Qmetry Test Management | 2025-07-18 | N/A | 6.5 MEDIUM |
| Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2025-53663 | 1 Jenkins | 1 Ibm Cloud Devops | 2025-07-18 | N/A | 6.5 MEDIUM |
| Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2018-8849 | 1 Medtronic | 4 N\'vision 8840, N\'vision 8840 Firmware, N\'vision 8870 and 1 more | 2025-06-27 | 2.1 LOW | 4.6 MEDIUM |
| Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programme and 8870 N'Vision removable Application Card do not encrypt PII and PHI while at rest. | |||||
| CVE-2012-1977 | 1 Wellintech | 1 Kingview | 2025-06-26 | 7.1 HIGH | N/A |
| WellinTech KingSCADA 3.0 uses a cleartext base64 format for storage of passwords in user.db, which allows context-dependent attackers to obtain sensitive information by reading this file. | |||||
| CVE-2025-32875 | 2025-06-23 | N/A | 5.7 MEDIUM | ||
| An issue was discovered in the COROS application through 3.8.12 for Android. Bluetooth pairing and bonding is neither initiated nor enforced by the application itself. Also, the watch does not enforce pairing and bonding. As a result, any data transmitted via BLE remains unencrypted, allowing attackers within Bluetooth range to eavesdrop on the communication. Furthermore, even if a user manually initiates pairing and bonding in the Android settings, the application continues to transmit data without requiring the watch to be bonded. This fallback behavior enables attackers to exploit the communication, for example, by conducting an active machine-in-the-middle attack. | |||||
| CVE-2023-50129 | 1 Flient | 2 Smart Lock Advanced, Smart Lock Advanced Firmware | 2025-06-20 | N/A | 6.5 MEDIUM |
| Missing encryption in the NFC tags of the Flient Smart Door Lock v1.0 allows attackers to create a cloned tag via brief physical proximity to the original tags, which results in an attacker gaining access to the perimeter. | |||||
| CVE-2023-50126 | 1 Hozard | 1 Alarm System | 2025-06-03 | N/A | 6.5 MEDIUM |
| Missing encryption in the RFID tags of the Hozard alarm system (Alarmsysteem) v1.0 allow attackers to create a cloned tag via brief physical proximity to one of the original tags, which results in an attacker being able to bring the alarm system to a disarmed state. | |||||
| CVE-2024-35061 | 1 Nasa | 1 Ait Core | 2025-06-03 | N/A | 7.3 HIGH |
| NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE in subject leads to an unauthenticated, fully remote code execution. | |||||
| CVE-2018-18984 | 1 Medtronic | 6 29901 Encore Programmer, 29901 Encore Programmer Firmware, Carelink 2090 Programmer and 3 more | 2025-05-22 | 2.1 LOW | 4.6 MEDIUM |
| Medtronic CareLink and Encore Programmers do not encrypt or do not sufficiently encrypt sensitive PII and PHI information while at rest . | |||||
| CVE-2025-24008 | 2025-05-13 | N/A | 6.5 MEDIUM | ||
| A vulnerability has been identified in SIRIUS 3RK3 Modular Safety System (MSS) (All versions), SIRIUS Safety Relays 3SK2 (All versions). The affected devices do not encrypt data in transit. An attacker with network access could eavesdrop the connection and retrieve sensitive information, including obfuscated safety passwords. | |||||
| CVE-2025-47274 | 2025-05-12 | N/A | N/A | ||
| ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. Due to the ordering of code used to start an MCP server container, versions of ToolHive prior to 0.0.33 inadvertently store secrets in the run config files which are used to restart stopped containers. This means that an attacker who has access to the home folder of the user who starts the MCP server can read secrets without needing access to the secrets store itself. This only applies to secrets which were used in containers whose run configs exist at a point in time - other secrets remaining inaccessible. ToolHive 0.0.33 fixes the issue. Some workarounds are available. Stop and delete any running MCP servers, or manually remove any runconfigs from `$HOME/Library/Application Support/toolhive/runconfigs/` (macOS) or `$HOME/.state/toolhive/runconfigs/` (Linux). | |||||
| CVE-2022-35860 | 1 Corsair | 2 K63, K63 Firmware | 2025-05-09 | N/A | 6.8 MEDIUM |
| Missing AES encryption in Corsair K63 Wireless 3.1.3 allows physically proximate attackers to inject and sniff keystrokes via 2.4 GHz radio transmissions. | |||||