
CWE-256 (Plaintext Storage of a Password) — Vulnerability Class 160

160 vulnerabilities classified as CWE-256 (Plaintext Storage of a Password). AI Chinese analysis included.

CWE-256 represents a critical data exposure weakness where sensitive authentication credentials are stored in an unencrypted, readable format within system memory, configuration files, or databases. This vulnerability is typically exploited by attackers who gain unauthorized access to the underlying storage medium, allowing them to directly retrieve user passwords without needing to bypass complex cryptographic defenses. Once obtained, these plaintext credentials can be used for immediate account takeover, lateral movement within a network, or credential stuffing attacks against other services. To mitigate this risk, developers must never store raw passwords. Instead, they should implement robust hashing algorithms, such as bcrypt or Argon2, with unique salts for each user. Additionally, employing secure key management systems and ensuring strict access controls over storage resources further reduces the likelihood of accidental exposure or malicious extraction.

MITRE CWE Description
The product stores a password in plaintext within resources such as memory or files.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used.
Mitigations (3)
Architecture and Design: Avoid storing passwords in easily accessible locations.
Architecture and Design: Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
Effectiveness: None
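As an added illustration of the hashing mitigation above and of why the base64 "encoding" attempt has no effect (example code written for this page, not MITRE's or any listed product's): it stores a user password as a salted scrypt hash with the work factors kept in the record, verifies it in constant time, and shows that a base64 value decodes straight back to the password. The scrypt parameters and the record format are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for the demonstration (not from any real system).
SAMPLE_PASSWORD = "correct horse battery staple"

# scrypt work factors (assumption: demo values; raise n for production hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN, DK_LEN = 2 ** 14, 8, 1, 16, 32


def obscure_with_base64(password: str) -> str:
    """The 'encoding' non-mitigation: base64 is reversible, so this is still CWE-256."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_from_base64(stored: str) -> str:
    """Anyone who can read the stored value gets the password back in one call."""
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'scrypt$n$r$p$salt_hex$hash_hex': a fresh random salt per user defeats
    precomputed tables, and the parameters travel with the record for later upgrades."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters in the record and compare in constant time.
    A malformed record (wrong field count, bad hex, unknown scheme) verifies as False."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        expected = bytes.fromhex(hash_hex)
        if scheme != "scrypt" or not expected:
            return False
        dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    record = hash_password(SAMPLE_PASSWORD)
    print("stored record:", record)
    print("base64 'protected' value recovers to:", recover_from_base64(obscure_with_base64(SAMPLE_PASSWORD)))
    print("verify correct:", verify_password(SAMPLE_PASSWORD, record))
    print("verify wrong:", verify_password("wrong", record))
```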
Examples (2)
The following code reads a password from a properties file and uses the password to connect to a database.
```java
import java.io.FileInputStream;
import java.sql.DriverManager;
import java.util.Properties;
...
// Bad: the database password sits in plaintext in config.properties, readable by
// anyone with access to the file.
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String password = prop.getProperty("password");
DriverManager.getConnection(url, usr, password);
...
```
Bad · Java
The following code reads a password from the registry and uses the password to create a new network credential.
```csharp
using System.Net;
...
// Bad: the password was stored in plaintext in the registry, so any principal that
// can read the key obtains it directly.
String password = regKey.GetValue(passKey).ToString();
NetworkCredential netCred = new NetworkCredential(username, password, domain);
...
```
Bad · C#
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-6500 | ILM Informatique OpenConcerto security vulnerability — OpenConcerto | 7.5 | - | 2026-05-04 |
| CVE-2025-36335 | Vulnerabilities found — watsonx.data intelligence | 6.2 | Medium | 2026-04-30 |
| CVE-2026-6597 | langflow-ai langflow Flow Using API core.py has_api_terms credentials storage — langflow | 2.7 | Low | 2026-04-20 |
| CVE-2025-15624 | Plaintext Storage of a Password in Sparx Pro Cloud Server — Sparx Pro Cloud Server | 6.2 (AI) | Medium (AI) | 2026-04-17 |
| CVE-2021-47961 | Synology SSL VPN Client security vulnerability — Synology SSL VPN Client | 8.1 | High | 2026-04-10 |
| CVE-2026-35556 | Plaintext storage of a password in OpenPLC_V3 — OpenPLC_V3 | 9.8 (AI) | Critical (AI) | 2026-04-09 |
| CVE-2025-36258 | IBM InfoSphere Information Server is vulnerable due to plaintext storage of a password — InfoSphere Information Server | 7.1 | High | 2026-03-25 |
| CVE-2026-33216 | NATS has MQTT plaintext password disclosure — nats-server | 8.6 | High | 2026-03-25 |
| CVE-2026-31850 | Plaintext Storage of Credentials in Configuration Backup in Nexxt Nebula 300+ — Nebula 300+ | 8.1 | - | 2026-03-23 |
| CVE-2026-4251 | CityData CityChat ai.citydata.citychat credentials.json credentials storage — CityChat | 2.5 | Low | 2026-03-16 |
| CVE-2026-4250 | Albert Sağlık Hizmetleri ve Ticaret Albert Health Google Cloud Service Account Key service-account.json credentials storage — Albert Health | 2.5 | Low | 2026-03-16 |
| CVE-2026-4243 | La Nacion App app.lanacion.activity BuildConfig.java credentials storage — La Nacion App | 2.5 | Low | 2026-03-16 |
| CVE-2026-4242 | BabyChakra Pregnancy & Parenting App app.babychakra.babychakra Configuration.java credentials storage — Pregnancy & Parenting App | 2.5 | Low | 2026-03-16 |
| CVE-2026-4217 | XREAL Nebula App ai.nreal.nebula.universal CloudStoragePlugin.java credentials storage — Nebula App | 2.5 | Low | 2026-03-16 |
| CVE-2026-22285 | Dell Device Management Agent security vulnerability — Device Management Agent (DDMA) | 4.4 | Medium | 2026-03-04 |
| CVE-2026-28360 | NocoDB: Plaintext Storage of Shared View Passwords — nocodb | 6.5 (AI) | Medium (AI) | 2026-03-02 |
| CVE-2026-21660 | Johnson Controls-Frick Quantum HD-Hardcoded Email Credentials Saved as Plaintext in Firmware — Frick Controls Quantum HD | 9.8 | - | 2026-02-27 |
| CVE-2025-36425 | IBM Db2 Information Disclosure — Db2 for Linux, UNIX and Windows | 5.3 | Medium | 2026-02-17 |
| CVE-2026-23797 | Plaintext password display in Quick.Cart — Quick.Cart | 4.9 (AI) | Medium (AI) | 2026-02-05 |
| CVE-2020-37115 | GUnet OpenEclass 1.7.3 E-learning platform - Plaintext Password Storage — GUnet OpenEclass | 6.5 | Medium | 2026-02-03 |
| CVE-2025-12680 | Brocade SANnav DataBase plaintext password is logged in failover logs (CVE-2025-12680) — SANnav | 6.5 (AI) | Medium (AI) | 2026-02-02 |
| CVE-2026-21417 | Dell CloudBoost Virtual Appliance security vulnerability — CloudBoost Virtual Appliance | 7.0 | High | 2026-01-27 |
| CVE-2025-25051 | AutomationDirect CLICK Programmable Logic Controller Plaintext Storage of a Password — CLICK Programmable Logic Controller | 6.1 | Medium | 2026-01-22 |
| CVE-2025-15113 | Ksenia Security lares Home Automation 1.6 Remote Code Execution via MPFS Upload — lares | 8.4 | High | 2025-12-30 |
| CVE-2025-15128 | ZKTeco BioTime Endpoint safe_setting credentials storage — BioTime | 5.3 | Medium | 2025-12-28 |
| CVE-2018-25130 | Beward Intercom 2.3.1 Local Credentials Disclosure via Unencrypted Database — BEWARD Intercom | 6.2 | Medium | 2025-12-24 |
| CVE-2025-65009 | Insecure Password Storage in WODESYS WD-R608U router — WD-R608U | 7.5 (AI) | High (AI) | 2025-12-18 |
| CVE-2024-42197 | HCL Workload Scheduler is vulnerable to plain text storage of a password — Workload Scheduler | 5.5 | Medium | 2025-12-11 |
| CVE-2025-14183 | SGAI Space1 NAS N1211DS gsaiagent JSONAPI GET_USER_INFO credentials storage — Space1 NAS N1211DS | 4.3 | Medium | 2025-12-07 |
| CVE-2025-13221 | Intelbras UnniTI usuarios.xml credentials storage — UnniTI | 5.3 | Medium | 2025-11-15 |

(AI) marks scores and severities the site reports as AI-assessed rather than vendor- or NVD-assigned.

Vulnerabilities classified as CWE-256 (Plaintext Storage of a Password) represent 160 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.