Search Results (916 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-12508 2 Bizerba, Microsoft 2 Brain2, Active Directory 2026-04-15 8.4 High
When using domain users as BRAIN2 users, communication with Active Directory services is unencrypted. This can lead to the interception of authentication data and compromise confidentiality.
CVE-2025-8863 1 Yugabyte 1 Yugabytedb 2026-04-15 3.7 Low
YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission
CVE-2025-7731 1 Mitsubishi Electric 1 Melsec Iq-f Series 2026-04-15 7.5 High
Cleartext Transmission of Sensitive Information vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to obtain credential information by intercepting SLMP communication messages, and read or write the device values of the product and stop the operations of programs by using the obtained credential information.
CVE-2025-52586 1 Eg4 Electronics 7 Eg4 12000xp, Eg4 12kpv, Eg4 18kpv and 4 more 2026-04-15 6.9 Medium
The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data, including read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings.
CVE-2025-2818 2026-04-15 3.5 Low
A vulnerability was reported in version 1.0 of the Bluetooth Transmission Alliance protocol adopted by Motorola Smart Connect Android Application that could allow a nearby attacker within the Bluetooth interaction range to intercept files when transferred to a device not paired in Smart Connect.
CVE-2025-27594 2026-04-15 7.5 High
The device uses an unencrypted, proprietary protocol for communication. Through this protocol, configuration data is transmitted and device authentication is performed. An attacker can thereby intercept the authentication hash and use it to log into the device using a pass-the-hash attack.
CVE-2025-26654 2026-04-15 6.8 Medium
SAP Commerce Cloud (Public Cloud) does not allow to disable unencrypted HTTP (port 80) entirely, but instead allows a redirect from port 80 to 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent on the first request before the redirect may be impacted if the client is configured to use HTTP and sends confidential data on the first request before the redirect.
CVE-2025-22493 2026-04-15 5.6 Medium
Secure flag not set and SameSIte was set to Lax in the Foreseer Reporting Software (FRS). Absence of this secure flag could lead into the session cookie being transmitted over unencrypted HTTP connections. This security issue has been resolved in the latest version of FRS v1.5.100.
CVE-2020-36914 1 Qihang Media 1 Web Digital Signage 2026-04-15 7.5 High
QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie transmission. Attackers can perform man-in-the-middle attacks to capture and potentially misuse stored authentication credentials transmitted in an insecure manner.
CVE-2025-24849 2026-04-15 7.1 High
Lack of encryption in transit for cloud infrastructure facilitating potential for sensitive data manipulation or exposure.
CVE-2026-23662 1 Microsoft 1 Azure Iot Explorer 2026-04-14 7.5 High
Missing authentication for critical function in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.
CVE-2026-23661 1 Microsoft 1 Azure Iot Explorer 2026-04-14 7.5 High
Cleartext transmission of sensitive information in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.
CVE-2012-5562 1 Redhat 2 Network Proxy, Satellite 2026-04-09 8.6 High
A flaw was found in rhn-proxy. This vulnerability may allow the rhn-proxy to transmit user credentials in clear-text when it accesses RHN Satellite. This could lead to information disclosure, where sensitive authentication details are exposed to unauthorized parties.
CVE-2026-4820 1 Ibm 1 Maximo Application Suite 2026-04-08 4.3 Medium
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVE-2023-53881 2 Ruijie, Ruijienetworks 2 Reyee Os, Reyee Os 2026-04-07 8.1 High
ReyeeOS 1.204.1614 contains an unencrypted CWMP communication vulnerability that allows attackers to intercept and manipulate device communication through a man-in-the-middle attack. Attackers can create a fake CWMP server to inject and execute arbitrary commands on Ruijie Reyee Cloud devices by exploiting the unprotected HTTP polling requests.
CVE-2023-53875 1 Gomlab 1 Gom Player 2026-04-07 8.8 High
GOM Player 2.3.90.5360 contains a remote code execution vulnerability in its Internet Explorer component that allows attackers to execute arbitrary code through DNS spoofing. Attackers can redirect victims using a malicious URL shortcut and WebDAV technique to run a reverse shell with SMB server interaction.
CVE-2026-5115 1 Papercut 2 Papercut Mf, Papercut Mf Konica Minolta 2026-04-07 7.5 High
The PaperCut NG/MF (specifically, the embedded application for Konica Minolta devices) is vulnerable to session hijacking. The PaperCut NG/MF Embedded application is a software interface that runs directly on the touch screen of a multi-function device. It was internally discovered that the communication channel between the embedded application and the server was insecure, which could leak data including sensitive information that may be used to mount an  attack on the device. Such an attack could potentially be used to steal data or to perform a phishing attack on the end user.
CVE-2026-32745 1 Jetbrains 1 Datalore 2026-04-02 6.3 Medium
In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
CVE-2024-44276 1 Apple 2 Ipados, Iphone Os 2026-04-02 7.3 High
This issue was addressed by using HTTPS when sending information over the network. This issue is fixed in iOS 18.2 and iPadOS 18.2. A user in a privileged network position may be able to leak sensitive information.
CVE-2026-32309 1 Cryptomator 1 Cryptomator 2026-03-27 7.5 High
Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over plaintext HTTP or other insecure endpoint combinations. An active network attacker can tamper with or observe this traffic. Even when the vault key is encrypted for the device, bearer tokens and endpoint-level trust decisions are still exposed to downgrade and interception. This issue has been patched in version 1.19.1.