CWE-256— Plaintext Storage of a Password
The product stores a password in plaintext within resources such as memory or files.— MITRE CWE catalog
234 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-256page 5 of 5
- CVE-2025-52164HIGHCVSS 8.2EG 8.22025-07-18
Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to store credentials in plaintext.
- CVE-2025-53655MEDIUMCVSS 5.3EG 4.32025-07-09
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it.
- CVE-2025-53656MEDIUMCVSS 6.5EG 4.32025-07-09
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended R…
- CVE-2025-53660MEDIUMCVSS 4.3EG 4.32025-07-09
Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
- CVE-2025-53662MEDIUMCVSS 6.5EG 4.32025-07-09
Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkin…
- CVE-2025-53664MEDIUMCVSS 6.5EG 4.32025-07-09
Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to…
- CVE-2025-53665MEDIUMCVSS 4.3EG 4.32025-07-09
Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
- CVE-2025-53669MEDIUMCVSS 4.3EG 4.32025-07-09
Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
- CVE-2025-53671MEDIUMCVSS 6.5EG 4.32025-07-09
Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
- CVE-2025-53674MEDIUMCVSS 5.3EG 4.32025-07-09
Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it.
- CVE-2025-53675MEDIUMCVSS 6.5EG 4.32025-07-09
Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file …
- CVE-2025-53677MEDIUMCVSS 5.3EG 4.32025-07-09
Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it.
- CVE-2025-56527HIGHCVSS 7.5EG 7.52025-11-18
Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage.
- CVE-2025-5760MEDIUMCVSS 4.9EG 4.92025-06-06
The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled,…
- CVE-2025-5893CRITICALCVSS 9.8EG 9.82025-06-09
Smart Parking Management System from Honding Technology has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access a specific page and obtain plaintext administrator credentials.
- CVE-2025-61680MEDIUMCVSS 6.6EG 6.62025-10-03
Minecraft RCON Terminal is a VS Code extension that streamlines Minecraft server management. Versions 0.1.0 through 2.0.6 stores passwords using VS Code's configuration API which writes to settings.json in plaintext. This issue is fixed in…
- CVE-2025-65009HIGHCVSS 7.1EG 7.12025-12-18
In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) admin password is stored in configuration file as plaintext and can be obtained by unauthorized user by direct references to the resource in question. The vendor was noti…
- CVE-2025-6560CRITICALCVSS 9.8EG 9.82025-06-24
Multiple wireless router models from Sapido have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to directly access a system configuration file and obtain plaintext administrator credentials. …
- CVE-2025-6561CRITICALCVSS 9.8EG 9.82025-06-26
Certain hybrid DVR models ((HBF-09KD and HBF-16NK)) from Hunt Electronic have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to directly access a system configuration file and obtain plaintext…
- CVE-2025-66910MEDIUMCVSS 6.0EG 6.02025-12-19
Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to op…
- CVE-2025-7357HIGHCVSS 8.7EG 8.72025-07-16
LITEON IC48A firmware versions prior to 01.00.19r and LITEON IC80A firmware versions prior to 01.01.12e store FTP-server-access-credentials in cleartext in their system logs.
- CVE-2025-9982HIGHCVSS 7.5EG 7.52025-11-14
A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve…
- CVE-2026-14867MEDIUMCVSS 5.5EG 5.52026-07-07
Credentials of built-in users are insecurely stored in the User directory of PcVue projects, all versions prior to 17.0.0. A local attacker could retrieve users’ credentials. Active Directory accounts are not affected by this vulnera…
- CVE-2026-21417HIGHCVSS 7.0EG 7.02026-01-27
Dell CloudBoost Virtual Appliance, versions prior to 19.14.0.0, contains a Plaintext Storage of Password vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of pri…
- CVE-2026-23797MEDIUMCVSS 4.9EG 4.92026-02-05
In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can display users' password in user editing page. The vendor was notified early about this vulnerability, but didn't respond with the details of v…
- CVE-2026-31850MEDIUMCVSS 4.9EG 4.92026-03-23
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. These backup files can b…
- CVE-2026-33216HIGHCVSS 7.5EG 7.52026-03-25
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authen…
- CVE-2026-35556HIGHCVSS 7.5EG 7.52026-04-09
OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information.
- CVE-2026-36174MEDIUMCVSS 4.6EG 4.62026-06-04
GNCC GP5 v7.1.76 was discovered to store sensitive wireless network information in plaintext during routine operations to the serial console. This issue allows physically-proximate attackers to obtain sensitive information, including netwo…
- CVE-2026-42151HIGHCVSS 7.5EG 7.52026-05-04
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of S…
- CVE-2026-50268LOWCVSS 1.9EG 1.92026-06-17
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring `encrypt:rsa:algorithm=OAEP` does not enable…
- CVE-2026-57302MEDIUMCVSS 4.3EG 4.32026-06-24
Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
- CVE-2026-6500MEDIUMCVSS 4.8EG 4.82026-05-04
Plaintext storage of a password vulnerability in ILM Informatique OpenConcerto allows Retrieve Embedded Sensitive Data. This issue affects OpenConcerto: 1.7.5.
- CVE-2026-6597LOWCVSS 2.7EG 2.72026-04-20
A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes un…
Map vulnerabilities like CWE-256 to your infrastructure
EchelonGraph correlates every CVE — across CWE-256 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →