CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
397 vulnerabilities reference this CWE, most recent first.
GHSA-MPP2-X7WV-38HV
Vulnerability from github – Published: 2026-03-02 19:52 – Updated: 2026-03-02 19:52Summary
Shared view passwords were stored in plaintext in the database and compared using direct string equality.
Details
The password column in nc_views stored unhashed passwords. Verification used !== comparison across public-datas.service.ts, public-metas.service.ts, and calendar-datas.service.ts.
Impact
If the database is compromised, shared view passwords are immediately readable. Risk is limited to password reuse scenarios.
Credit
This issue was reported by @Tulgaaaaaaaa.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.301.2"
},
"package": {
"ecosystem": "npm",
"name": "nocodb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.301.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28360"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T19:52:57Z",
"nvd_published_at": "2026-03-02T17:16:34Z",
"severity": "LOW"
},
"details": "### Summary\nShared view passwords were stored in plaintext in the database and compared using direct string equality.\n\n### Details\nThe `password` column in `nc_views` stored unhashed passwords. Verification used `!==` comparison across `public-datas.service.ts`, `public-metas.service.ts`, and `calendar-datas.service.ts`.\n\n### Impact\nIf the database is compromised, shared view passwords are immediately readable. Risk is limited to password reuse scenarios.\n\n### Credit\nThis issue was reported by [@Tulgaaaaaaaa](https://github.com/Tulgaaaaaaaa).",
"id": "GHSA-mpp2-x7wv-38hv",
"modified": "2026-03-02T19:52:57Z",
"published": "2026-03-02T19:52:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-mpp2-x7wv-38hv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28360"
},
{
"type": "PACKAGE",
"url": "https://github.com/nocodb/nocodb"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "NocoDB has Plaintext Storage of Shared View Passwords"
}
GHSA-MR58-Q27J-CVG9
Vulnerability from github – Published: 2023-07-07 00:30 – Updated: 2024-04-04 05:50PiiGAB M-Bus stores credentials in a plaintext file, which could allow a low-level user to gain admin credentials.
{
"affected": [],
"aliases": [
"CVE-2023-35765"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-07T00:15:09Z",
"severity": "MODERATE"
},
"details": "\n\n\n\n\n\n\n\n\nPiiGAB M-Bus stores credentials in a plaintext file, which could allow a low-level user to gain admin credentials.\n\n\n\n\n\n\n\n\n\n",
"id": "GHSA-mr58-q27j-cvg9",
"modified": "2024-04-04T05:50:17Z",
"published": "2023-07-07T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35765"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-187-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MR63-X9HG-PVGJ
Vulnerability from github – Published: 2023-12-04 09:30 – Updated: 2023-12-04 09:30Dell DM5500 5.14.0.0, contain a Plain-text Password Storage Vulnerability in PPOE. A local attacker with privileges could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
{
"affected": [],
"aliases": [
"CVE-2023-44300"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-04T09:15:35Z",
"severity": "MODERATE"
},
"details": "\nDell DM5500 5.14.0.0, contain a Plain-text Password Storage Vulnerability in PPOE. A local attacker with privileges could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.\n\n",
"id": "GHSA-mr63-x9hg-pvgj",
"modified": "2023-12-04T09:30:21Z",
"published": "2023-12-04T09:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44300"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000220107/dsa-2023-425-security-update-for-dell-powerprotect-data-manager-dm5500-appliance-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MRC3-HWPP-5WXW
Vulnerability from github – Published: 2025-12-11 21:31 – Updated: 2025-12-11 21:31HCL Workload Scheduler stores user credentials in plain text which can be read by a local user.
{
"affected": [],
"aliases": [
"CVE-2024-42197"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-11T20:15:52Z",
"severity": "MODERATE"
},
"details": "HCL Workload Scheduler stores user credentials in plain text which can be read by a local user.",
"id": "GHSA-mrc3-hwpp-5wxw",
"modified": "2025-12-11T21:31:33Z",
"published": "2025-12-11T21:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42197"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0127448"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MVVR-M63M-HJ6G
Vulnerability from github – Published: 2025-10-16 15:30 – Updated: 2025-10-16 15:30IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.
{
"affected": [],
"aliases": [
"CVE-2025-36002"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-260"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T15:15:33Z",
"severity": "MODERATE"
},
"details": "IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.",
"id": "GHSA-mvvr-m63m-hj6g",
"modified": "2025-10-16T15:30:43Z",
"published": "2025-10-16T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36002"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7248129"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MXF6-V5WP-CVXX
Vulnerability from github – Published: 2024-04-25 18:30 – Updated: 2024-04-25 18:30A flaw was found when using mirror-registry to install Quay. It uses a default secret, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same secret key. This flaw allows a malicious actor to craft session cookies and as a consequence, it may lead to gaining access to the affected Quay instance.
{
"affected": [],
"aliases": [
"CVE-2024-3622"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-25T18:15:09Z",
"severity": "HIGH"
},
"details": "A flaw was found when using mirror-registry to install Quay. It uses a default secret, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same secret key. This flaw allows a malicious actor to craft session cookies and as a consequence, it may lead to gaining access to the affected Quay instance.",
"id": "GHSA-mxf6-v5wp-cvxx",
"modified": "2024-04-25T18:30:40Z",
"published": "2024-04-25T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3622"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-3622"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274400"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MXWH-28P4-8RR7
Vulnerability from github – Published: 2023-09-11 21:30 – Updated: 2024-04-04 07:36?Softneta MedDream PACS stores usernames and passwords in plaintext. The plaintext storage could be abused by attackers to leak legitimate user’s credentials.
{
"affected": [],
"aliases": [
"CVE-2023-39227"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-11T20:15:09Z",
"severity": "HIGH"
},
"details": "?Softneta MedDream PACS\u00a0stores usernames and passwords in plaintext. The plaintext storage could be abused by attackers to leak legitimate user\u2019s credentials.\n\n",
"id": "GHSA-mxwh-28p4-8rr7",
"modified": "2024-04-04T07:36:03Z",
"published": "2023-09-11T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39227"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-248-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P55R-FQH8-CCWQ
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-07-03 18:41This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to presence of root terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by identifying UART pins and accessing the root shell on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to access the sensitive information on the targeted system.This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to lack of encryption or hashing in storing of passwords within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext passwords on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.
{
"affected": [],
"aliases": [
"CVE-2024-4232"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:43:08Z",
"severity": "MODERATE"
},
"details": "This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to presence of root terminal access on a serial interface without proper access control. An\u00a0attacker\u00a0with\u00a0physical\u00a0access\u00a0could exploit this by identifying UART pins and accessing the root shell on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to access the sensitive information on the targeted system.This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to lack of encryption or hashing in storing of passwords within the router\u0027s firmware/ database. An\u00a0attacker\u00a0with\u00a0physical\u00a0access\u00a0could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext passwords on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.",
"id": "GHSA-p55r-fqh8-ccwq",
"modified": "2024-07-03T18:41:22Z",
"published": "2024-05-14T18:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4232"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0158"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P64R-6P42-XG2X
Vulnerability from github – Published: 2026-06-16 21:31 – Updated: 2026-06-16 21:31update_disk_psu_baseline.sh requires password in plain text
{
"affected": [],
"aliases": [
"CVE-2024-39575"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T19:16:29Z",
"severity": "HIGH"
},
"details": "update_disk_psu_baseline.sh requires password in plain text",
"id": "GHSA-p64r-6p42-xg2x",
"modified": "2026-06-16T21:31:56Z",
"published": "2026-06-16T21:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39575"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000226270/dsa-2024-247-security-update-for-dell-vxrail-7-0-520-multiple-third-party-component-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P6VX-R8HX-HCQ7
Vulnerability from github – Published: 2024-09-30 09:30 – Updated: 2024-09-30 09:30Smart-tab Android app installed April 2023 or earlier contains an issue with plaintext storage of a password. If this vulnerability is exploited, an attacker with physical access to the device may retrieve the credential information and spoof the device to access the related external service.
{
"affected": [],
"aliases": [
"CVE-2024-42496"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-30T08:15:03Z",
"severity": "LOW"
},
"details": "Smart-tab Android app installed April 2023 or earlier contains an issue with plaintext storage of a password. If this vulnerability is exploited, an attacker with physical access to the device may retrieve the credential information and spoof the device to access the related external service.",
"id": "GHSA-p6vx-r8hx-hcq7",
"modified": "2024-09-30T09:30:46Z",
"published": "2024-09-30T09:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42496"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN42445661"
},
{
"type": "WEB",
"url": "https://tsc-soft.co.jp/smart-tab"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.