CWE-319— Cleartext Transmission of Sensitive Information
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.— MITRE CWE catalog
863 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-319page 17 of 18
- CVE-2025-7731HIGHCVSS 7.5EG 7.52025-09-01
Cleartext Transmission of Sensitive Information vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to obtain credential information by intercepting SLMP communication mes…
- CVE-2025-7743CRITICALCVSS 9.6EG 9.62025-09-16
Cleartext Transmission of Sensitive Information vulnerability in Dolusoft Omaspot allows Interception, Privilege Escalation. This issue affects Omaspot: before 12.09.2025.
- CVE-2025-8205LOWCVSS 3.7EG 3.72025-07-26
A vulnerability, which was classified as problematic, has been found in Comodo Dragon up to 134.0.6998.179. Affected by this issue is some unknown functionality of the component IP DNS Leakage Detector. The manipulation leads to cleartext …
- CVE-2025-8741MEDIUMCVSS 5.9EG 3.72025-08-08
A vulnerability was found in macrozheng mall up to 1.0.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/login. The manipulation leads to cleartext transmission of sensiti…
- CVE-2025-8863HIGHCVSS 7.0EG 7.02025-08-11
YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission
- CVE-2026-0714MEDIUMCVSS 6.8EG 6.82026-02-05
A physical attack vulnerability exists in certain Moxa industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3, where the discrete TPM is connected to the CPU via an SPI bus. Exploitation requires invasi…
- CVE-2026-0767MEDIUMCVSS 6.5EG 5.32026-01-23
Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not re…
- CVE-2026-10584MEDIUMCVSS 5.9EG 5.92026-06-02
Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To re…
- CVE-2026-11833HIGHCVSS 8.2EG 8.22026-06-23
Overview: A vulnerability has been found in FAST/TOOLS and CI Server. The web server may return a response containing the CI Server setting information. This information could be exploited by an attacker for other attacks. The affected…
- CVE-2026-1777HIGHCVSS 7.2EG 7.22026-02-02
The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissi…
- CVE-2026-21742MEDIUMCVSS 6.5EG 5.72026-04-14
A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.…
- CVE-2026-22079HIGHCVSS 8.7EG 8.72026-01-09
This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based a…
- CVE-2026-22080HIGHCVSS 8.7EG 8.72026-01-09
This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface. An …
- CVE-2026-22155HIGHCVSS 7.5EG 6.52026-04-14
A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.…
- CVE-2026-22271HIGHCVSS 7.5EG 7.52026-01-23
Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit …
- CVE-2026-22274MEDIUMCVSS 6.5EG 6.52026-01-23
Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could…
- CVE-2026-22544HIGHCVSS 8.7EG 8.72026-01-07
An attacker with a network connection could detect credentials in clear text.
- CVE-2026-23564MEDIUMCVSS 6.5EG 6.52026-01-29
A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause normally encrypted UDP traffic to be sent in cl…
- CVE-2026-23661HIGHCVSS 7.5EG 7.52026-03-10
Cleartext transmission of sensitive information in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.
- CVE-2026-23662HIGHCVSS 7.5EG 7.52026-03-10
Missing authentication for critical function in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.
- CVE-2026-24212HIGHCVSS 7.5EG 7.52026-05-26
NVIDIA Isaac Launchable for Linux contains a vulnerability where sensitive information is transmitted in clear text. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure,…
- CVE-2026-24441MEDIUMCVSS 5.9EG 5.92026-02-03
Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material.
- CVE-2026-24455HIGHCVSS 7.5EG 7.52026-02-20
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same …
- CVE-2026-2539MEDIUMCVSS 5.7EG 5.72026-02-15
The RF communication protocol in the Micca KE700 car alarm system does not encrypt its data frames. An attacker with a radio interception tool (e.g., SDR) can capture the random number and counters transmitted in cleartext, which is sensi…
- CVE-2026-25599MEDIUMCVSS 6.3EG 6.32026-06-01
Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’…
- CVE-2026-25608LOWCVSS 2.3EG 2.32026-05-22
STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed …
- CVE-2026-30796HIGHCVSS 7.5EG 7.52026-03-05
Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Address book sync, Heartbeat sync loop modules) …
- CVE-2026-31923HIGHCVSS 7.5EG 7.52026-04-14
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.…
- CVE-2026-31924MEDIUMCVSS 5.3EG 5.32026-04-14
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.…
- CVE-2026-32683MEDIUMCVSS 5.3EG 5.32026-05-09
Some EZVIZ products utilize older versions of cloud feature modules with legacy API interfaces, which pose a data transmission risk. Attackers can exploit this by eavesdropping on network requests to obtain data.Users are advised to upgrad…
- CVE-2026-32745MEDIUMCVSS 6.3EG 6.32026-03-13
In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
- CVE-2026-33472MEDIUMCVSS 4.8EG 4.82026-04-16
Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The …
- CVE-2026-33569MEDIUMCVSS 6.5EG 6.52026-04-17
Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise the device.
- CVE-2026-34126HIGHCVSS 7.5EG 7.52026-05-28
TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used d…
- CVE-2026-36610MEDIUMCVSS 5.9EG 5.92026-06-03
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credent…
- CVE-2026-38740MEDIUMCVSS 5.3EG 5.32026-05-14
Foscam VD1 Video Doorbell before V5.3.13_1072 is vulnerable to Cleartext Transmission of Sensitive Information. The device transmits sensitive Session Description Protocol (SDP), including ICE credentials and candidates, in cleartext over …
- CVE-2026-40045MEDIUMCVSS 5.7EG 5.72026-04-21
OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup codes to redirect clients to malici…
- CVE-2026-40431MEDIUMCVSS 5.3EG 5.32026-04-24
A vulnerability exists in SenseLive X3050’s web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication attempts and configuration data, is…
- CVE-2026-41275HIGHCVSS 7.5EG 7.52026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS.…
- CVE-2026-41281MEDIUMCVSS 4.8EG 4.82026-05-14
Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify communications transmitted i…
- CVE-2026-42514HIGHCVSS 8.8EG 8.82026-04-29
This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs. Successful exploitation of this vuln…
- CVE-2026-43625MEDIUMCVSS 5.9EG 5.92026-06-01
CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers c…
- CVE-2026-44726CRITICALCVSS 9.1EG 9.12026-05-27
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSele…
- CVE-2026-45179MEDIUMCVSS 5.3EG 5.32026-05-10
Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addre…
- CVE-2026-45180HIGHCVSS 7.5EG 7.52026-05-10
Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids m…
- CVE-2026-45432HIGHCVSS 8.7EG 8.72026-06-04
This vulnerability exists in GX Earth ONT models due to the transmission of user credentials in plaintext over HTTP in its web management interface. A remote attacker could exploit this vulnerability by intercepting network traffic to obta…
- CVE-2026-4820MEDIUMCVSS 4.3EG 4.32026-04-01
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link…
- CVE-2026-4873MEDIUMCVSS 5.9EG 5.92026-05-13
A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to th…
- CVE-2026-48902CRITICALCVSS 9.8EG 9.82026-05-26
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
- CVE-2026-49486HIGHCVSS 7.5EG 7.52026-06-26
The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment usi…
Map vulnerabilities like CWE-319 to your infrastructure
EchelonGraph correlates every CVE — across CWE-319 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →