Skip to main content

CWE-523

Unprotected Transport of Credentials

18 CVEs Avg CVSS 6.9 MITRE
1
CRITICAL
10
HIGH
6
MEDIUM
1
LOW
2
POC
0
KEV

Monthly

CVE-2026-8668 LOW PATCH Monitor

Hardcoded static credentials in Chef 360 prior to v1.7.0 exposed internal message queue infrastructure to unauthorized network access, disclosing tenant-specific identifiers across the multi-tenant platform. The credential was embedded in the product itself, making it accessible to any party with possession of the software. Progress Chef confirmed the issue and eliminated the static credential entirely in v1.7.0 by replacing it with per-tenant access controls. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental vector flags this as automatable (AU:Y) with proof-of-concept exploit maturity (E:P), elevating its realistic urgency beyond the low base score of 2.3.

Information Disclosure Chef360
NVD VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-8673 MEDIUM PATCH This Month

Unprotected credential transport in syslink software AG Avantra before version 25.3.0 exposes authentication material to network-layer interception on both Linux and Windows deployments. The vulnerability, classified under CWE-523, allows a suitably positioned network adversary to capture credentials in transit, with the CVSS vector indicating high confidentiality and integrity impact upon successful exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the high attack complexity and high privilege prerequisite meaningfully constrain the realistic attacker population.

Microsoft Information Disclosure
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-23635 MEDIUM PATCH This Month

Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprotected transport of credentials over the network. This vulnerability affects all versions below 9.2.1 and enables attackers to intercept sensitive authentication material in transit, potentially leading to account compromise and unauthorized access to the private data network. No active exploitation in the wild (KEV) or public proof-of-concept has been reported, though the CVSS 6.5 score and high confidentiality impact indicate meaningful risk.

Information Disclosure Secure Data Forms
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-64309 MEDIUM This Month

Brightpick Mission Control discloses device telemetry, configuration, and credential information via WebSocket traffic to unauthenticated users when they connect to a specific URL. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.1%
CVE-2025-64308 HIGH This Week

Credential disclosure in the Brightpick Mission Control web application allows anyone able to retrieve the application's client-side JavaScript bundle to extract hardcoded credentials embedded in that code. Because the secrets ship to the browser, any user or adjacent-network actor who loads the front-end can recover them and potentially authenticate to back-end services in this warehouse-automation/ICS-OT product. Reported by CISA ICS-CERT (ICSA-25-317-04); no public exploit has been identified and EPSS exploitation probability is very low (0.06%, 17th percentile).

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2025-57800 HIGH POC PATCH This Week

Audiobookshelf is an open-source self-hosted audiobook server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Audiobookshelf
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-1509 HIGH This Week

Brocade ASCG before 3.2.0 Web Interface is not enforcing HSTS, as defined by RFC 6797. Rated high severity (CVSS 7.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
7.6
EPSS
0.1%
CVE-2024-4188 HIGH This Week

Unprotected Transport of Credentials vulnerability in OpenText™ Documentum™ Server could allow Credential Stuffing.7 through 23.4. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
7.1
EPSS
0.2%
CVE-2024-20395 HIGH This Week

A vulnerability in the media retrieval functionality of Cisco Webex App could allow an unauthenticated, adjacent attacker to gain access to sensitive session information. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Cisco Information Disclosure Webex Teams
NVD
CVSS 3.1
7.3
EPSS
0.2%
CVE-2024-1102 Maven MEDIUM POC PATCH This Month

A vulnerability was found in jberet-core logging. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Jberet Jboss Enterprise Application Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Hardcoded static credentials in Chef 360 prior to v1.7.0 exposed internal message queue infrastructure to unauthorized network access, disclosing tenant-specific identifiers across the multi-tenant platform. The credential was embedded in the product itself, making it accessible to any party with possession of the software. Progress Chef confirmed the issue and eliminated the static credential entirely in v1.7.0 by replacing it with per-tenant access controls. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental vector flags this as automatable (AU:Y) with proof-of-concept exploit maturity (E:P), elevating its realistic urgency beyond the low base score of 2.3.

Information Disclosure Chef360
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Unprotected credential transport in syslink software AG Avantra before version 25.3.0 exposes authentication material to network-layer interception on both Linux and Windows deployments. The vulnerability, classified under CWE-523, allows a suitably positioned network adversary to capture credentials in transit, with the CVSS vector indicating high confidentiality and integrity impact upon successful exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the high attack complexity and high privilege prerequisite meaningfully constrain the realistic attacker population.

Microsoft Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprotected transport of credentials over the network. This vulnerability affects all versions below 9.2.1 and enables attackers to intercept sensitive authentication material in transit, potentially leading to account compromise and unauthorized access to the private data network. No active exploitation in the wild (KEV) or public proof-of-concept has been reported, though the CVSS 6.5 score and high confidentiality impact indicate meaningful risk.

Information Disclosure Secure Data Forms
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM This Month

Brightpick Mission Control discloses device telemetry, configuration, and credential information via WebSocket traffic to unauthenticated users when they connect to a specific URL. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Credential disclosure in the Brightpick Mission Control web application allows anyone able to retrieve the application's client-side JavaScript bundle to extract hardcoded credentials embedded in that code. Because the secrets ship to the browser, any user or adjacent-network actor who loads the front-end can recover them and potentially authenticate to back-end services in this warehouse-automation/ICS-OT product. Reported by CISA ICS-CERT (ICSA-25-317-04); no public exploit has been identified and EPSS exploitation probability is very low (0.06%, 17th percentile).

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Audiobookshelf is an open-source self-hosted audiobook server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Audiobookshelf
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Brocade ASCG before 3.2.0 Web Interface is not enforcing HSTS, as defined by RFC 6797. Rated high severity (CVSS 7.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unprotected Transport of Credentials vulnerability in OpenText™ Documentum™ Server could allow Credential Stuffing.7 through 23.4. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 7.3
HIGH This Week

A vulnerability in the media retrieval functionality of Cisco Webex App could allow an unauthenticated, adjacent attacker to gain access to sensitive session information. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Cisco Information Disclosure Webex Teams
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

A vulnerability was found in jberet-core logging. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Jberet Jboss Enterprise Application Platform
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy