CWE-260
21 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-260
- CVE-2014-5400 | NONE | CVSS 0.0 | EG 0.0 | 2015-04-03
The installation component in Hospira MedNet before 6.1 places cleartext credentials in configuration files, which allows local users to obtain sensitive information by reading a file.
- CVE-2016-7043 | MEDIUM | CVSS 5.9 | EG 5.9 | 2019-05-15
It has been reported that KIE server and Business Central before version 7.21.0.Final contain username and password as plaintext Java properties. Any app deployed on the same server would have access to these properties, thus granting acce…
- CVE-2019-3780 | HIGH | CVSS 8.8 | EG 8.8 | 2019-03-08
Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes that contain a configuration file with IAAS credentials. A malicious user with access to the k8s nodes can obtain IAAS credentials allowing the user to es…
- CVE-2020-5721 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-04-15
MikroTik WinBox 3.22 and below stores the user's cleartext password in the settings.cfg.viw configuration file when the Keep Password field is set and no Master Password is set. Keep Password is set by default and, by default Master Passwo…
- CVE-2021-35033 | HIGH | CVSS 7.8 | EG 7.8 | 2021-11-23
A vulnerability in specific versions of Zyxel NBG6818, NBG7815, WSQ20, WSQ50, WSQ60, and WSR30 firmware with pre-configured password management could allow an attacker to obtain root access of the device, if the local attacker dismantles t…
- CVE-2023-2790 | LOW | CVSS 2.3 | EG 2.3 | 2023-05-18
A vulnerability classified as problematic has been found in TOTOLINK N200RE 9.3.5u.6255_B20211224. Affected is an unknown function of the file /squashfs-root/etc_ro/custom.conf of the component Telnet Service. The manipulation leads to pas…
- CVE-2023-34128 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-07-13
Tomcat application credentials are hardcoded in SonicWall GMS and Analytics configuration file. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
- CVE-2023-53739 | CRITICAL | CVSS 9.9 | EG 0.0 | 2025-12-09
Tinycontrol LAN Controller v3 LK3 version 1.58a contains an unauthenticated vulnerability that allows remote attackers to download configuration backup files containing sensitive credentials. Attackers can retrieve the lk3_settings.bin fil…
- CVE-2023-53770 | HIGH | CVSS 7.5 | EG 7.5 | 2025-12-09
MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endp…
- CVE-2024-45673 | MEDIUM | CVSS 5.5 | EG 5.5 | 2025-02-21
IBM Security Verify Bridge Directory Sync 1.0.1 through 1.0.12, IBM Security Verify Gateway for Windows Login 1.0.1 through 1.0.10, and IBM Security Verify Gateway for Radius 1.0.1 through 1.0.11 stores user credentials in configuration fi…
- CVE-2024-49817 | MEDIUM | CVSS 4.4 | EG 4.4 | 2024-12-17
IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 stores user credentials in configuration files which can be read by a local privileged user.
- CVE-2025-15151 | LOW | CVSS 3.7 | EG 3.7 | 2025-12-28
A vulnerability was determined in TaleLin Lin-CMS up to 0.6.0. This affects an unknown part of the file /tests/config.py of the component Tests Folder. This manipulation of the argument username/password causes password in configuration fi…
- CVE-2025-25022 | CRITICAL | CVSS 9.6 | EG 9.6 | 2025-06-03
IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an unauthenticated user in the environment to obtain highly sensitive information in configuration files.
- CVE-2025-32111 | HIGH | CVSS 8.7 | EG 8.7 | 2025-04-04
The Docker image from acme.sh before 40b6db6 is based on a .github/workflows/dockerhub.yml file that lacks "persist-credentials: false" for actions/checkout.
- CVE-2025-33093 | HIGH | CVSS 7.5 | EG 7.5 | 2025-05-07
IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored as a Kubernetes secret.
- CVE-2025-33119 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-11-12
IBM QRadar SIEM 7.5 through 7.5.0 UP14 stores user credentials in configuration files in source control which can be read by an authenticated user.
- CVE-2025-36002 | MEDIUM | CVSS 5.5 | EG 5.5 | 2025-10-16
IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.
- CVE-2025-36100 | MEDIUM | CVSS 5.1 | EG 5.1 | 2025-09-07
IBM MQ LTS 9.1.0.0 through 9.1.0.29, 9.2.0.0 through 9.2.0.36, 9.3.0.0 through 9.3.0.30 and 9.4.0.0 through 9.4.0.12 and IBM MQ CD 9.3.0.0 through 9.3.5.1 and 9.4.0.0 through 9.4.3.0 Java and JMS stores a password in client configuration…
- CVE-2025-51540 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-08-19
EzGED3 3.5.0 stores user passwords using an insecure hashing scheme: md5(md5(password)). This hashing method is cryptographically weak and allows attackers to perform efficient offline brute-force attacks if password hashes are disclosed. …
- CVE-2025-57754 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-08-21
eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized ac…
- CVE-2025-6513 | CRITICAL | CVSS 9.3 | EG 9.3 | 2025-06-23
Standard Windows users can access the configuration file for database access of the BRAIN2 application and decrypt it.