CWE-311— Missing Encryption of Sensitive Data

A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive.

Exposure of Sensitive Information to an Unauthorized Actor, Missing Encryption of Sensitive Data, Files or Directories Accessible to External Parties vulnerability in Kings Information & Network Co. KESS Enterprise on Windows allows Privil…

Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality.

A vulnerability has been identified in SIRIUS 3RK3 Modular Safety System (MSS) (All versions), SIRIUS Safety Relays 3SK2 (All versions). The affected devices do not encrypt data in transit. An attacker with network access could eavesdrop t…

Insecure Shiro cookie configurations in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allow attackers to access sensitive information via a man-in-the-middle attack.

Jenkins AsakusaSatellite Plugin 0.1.1 and earlier does not mask AsakusaSatellite API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

HCL BigFix SM is affected by cryptographic weakness due to weak or outdated encryption algorithms.  An attacker with network access could exploit this weakness to decrypt or manipulate encrypted communications under certain conditions.

An issue was discovered in the COROS application through 3.8.12 for Android. Bluetooth pairing and bonding is neither initiated nor enforced by the application itself. Also, the watch does not enforce pairing and bonding. As a result, any …

IBM Engineering Systems Design Rhapsody 9.0.2, 10.0, and 10.0.1 transmits sensitive information without encryption that could allow an attacker to obtain highly sensitive information.

IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could be vulnerable to information exposure due to the use of unencrypted network traffic.

Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its …

Lack of sensitive data encryption in CapillaryScope v2.5.0 of Capillary io, which stores both the proxy credentials and the JWT session token in plain text within different registry keys on the Windows operating system. Any authenticated l…

A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.6. A sandboxed process may be able to circumvent sandbox restrictions.

pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may benefit from a minimum value and a mec…

ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. Due to the ordering of code used to start an MCP server container, versions of ToolHive prior to 0.0.33 inadvertently store s…

Ambiguous wording in the web interface of the ctrlX OS setup mechanism could lead the user to believe that the backup file is encrypted when a password is set. However, only the private key - if available in the backup - is encrypted, whi…

An insecure implementation of the proprietary protocol DNET in Product CGM MEDICO allows attackers within the intranet to eavesdrop and manipulate data on the protocol because encryption is optional for this connection.

Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the …

Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the J…

Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the …

Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller fi…

Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file …

Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller …

Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an atta…

Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins c…

Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file syste…

Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.

Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript …

The firmware on the basestation of the Meatmeet is not encrypted. An adversary with physical access to the Meatmeet device can disassemble the device, connect over UART, and retrieve the firmware dump for analysis. Within the NVS partition…

A vulnerability was found in Ruijie EG306MG 3.0(1)B11P309. It has been rated as problematic. This issue affects some unknown processing of the file /etc/strongswan.conf of the component strongSwan. The manipulation of the argument i_dont_c…

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to u…

Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to 2.4.5 and 2.5.2, a missing encryption vulnerability affects inter-Node Pod traffic. In Antrea clusters configured for dual-stack networking with IPsec en…