
CWE-522 (Insufficiently Protected Credentials): Vulnerability Class, 373 CVEs

373 vulnerabilities are classified as CWE-522 (Insufficiently Protected Credentials). An AI-generated Chinese analysis is included for each.

CWE-522 is a critical security weakness in which authentication credentials are transmitted or stored by insecure means, leaving them open to unauthorized interception or retrieval. Attackers typically exploit it by capturing unencrypted credentials in transit with network sniffing tools, or by reading plaintext passwords out of poorly protected local storage. Either path lets them take over user accounts, bypassing the intended access controls and compromising system integrity. To prevent this class of flaw, developers must apply sound cryptographic practice: credentials must be protected in transit by a protocol such as TLS and at rest by a strong, salted password-hashing algorithm rather than plaintext or reversible encoding. Applying the principle of least privilege to who and what can read stored credentials, and auditing authentication mechanisms regularly, further reduces the risk of credential theft.

MITRE CWE Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Common Consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
An attacker could gain access to user accounts and access sensitive data used by the user accounts.
Mitigations (3)
Phase: Architecture and Design. Use an appropriate security mechanism to protect the credentials.
Phase: Architecture and Design. Make appropriate use of cryptography to protect the credentials.
Phase: Implementation. Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
Examples (2)
This code changes a user's password.

    <?php
    // Target user and both password entries come straight from the query string (GET),
    // so they end up in browser history, proxy and server logs.
    $user = $_GET['user'];
    $pass = $_GET['pass'];
    $checkpass = $_GET['checkpass'];
    // The two entries are compared, but nothing ties the request to an authenticated
    // session, so the requester is never checked against the account being changed.
    if ($pass == $checkpass) {
        SetUserPassword($user, $pass);
    }

Bad · PHP
The following code reads a password from a properties file and uses the password to connect to a database.

    ...
    Properties prop = new Properties();
    // config.properties holds the database password in plaintext; anyone who can
    // read the file obtains the credential.
    prop.load(new FileInputStream("config.properties"));
    String password = prop.getProperty("password");
    DriverManager.getConnection(url, usr, password);
    ...

Bad · Java
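Hardened counterparts of the two MITRE examples, written as an added example for this page (not MITRE's code and not taken from any product listed below). It shows what the mitigations above mean in practice: a password change that is bound to the authenticated session and stores only a salted PBKDF2-HMAC-SHA256 hash, a constant-time verifier, and a database credential taken from the process environment instead of a plaintext properties file. The PBKDF2 choice, the iteration count, the minimum-length policy and the DB_PASSWORD variable name are this example's assumptions; everything runs with the standard library only.

```python
import base64
import hashlib
import hmac
import os

# Added example, not MITRE's or the page's code. PBKDF2-HMAC-SHA256 is used because it
# ships with CPython; the iteration count and key sizes are this example's assumptions.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing salted hash: algorithm$iterations$salt$key."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per credential
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(key))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, key_b64 = stored.split("$")
    except ValueError:  # malformed record: not four fields
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def change_password(store: dict, session_user: str, target_user: str,
                    new: str, confirm: str) -> bool:
    """Hardened counterpart of the PHP example.

    The caller must be the owner of the account (session identity, not a request
    parameter), both entries must match, and only the hash reaches the store.
    Inputs are expected from a POST body over TLS, never from the query string.
    """
    if session_user != target_user:
        return False
    if new != confirm:
        return False
    if len(new) < 12:  # minimum length is this example's policy assumption
        return False
    store[target_user] = hash_password(new)
    return True


def load_db_password(env=None) -> str:
    """Hardened counterpart of the Java example.

    The secret is injected into the process environment by a secret manager or
    orchestrator rather than read from a file on disk, and the function fails
    closed when it is absent instead of falling back to a config file.
    """
    env = os.environ if env is None else env
    secret = env.get("DB_PASSWORD")  # variable name is an assumption
    if not secret:
        raise RuntimeError("DB_PASSWORD not provided; refusing to read a config file")
    return secret


if __name__ == "__main__":
    users = {}
    assert change_password(users, "alice", "alice",
                           "correct horse battery", "correct horse battery")
    assert verify_password("correct horse battery", users["alice"])
    assert not verify_password("wrong", users["alice"])
    print(users["alice"])  # only the salted hash is ever persisted
```

The stored string carries its own parameters, so the iteration count can be raised later and old records re-hashed on the user's next successful login. Note that `load_db_password` only moves the secret out of a world-readable file; the environment of the process must itself be restricted (no dumping it into logs or crash reports), which is exactly the kind of leak several CVEs in the table below describe.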
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-28714 | Acronis Cyber Protect Security Vulnerability | Acronis Cyber Protect 17 | 7.5 | - | 2026-03-05
CVE-2026-27770 | ePower epower.ie Insufficiently Protected Credentials | epower.ie | 6.5 | Medium | 2026-03-05
CVE-2026-29128 | IDC SFX2100 Satellite Receiver bgpd/ospfd/ripd/zebra Config Credential Disclosure via World-Readable Files | SFX2100 Satellite Receiver | 9.8 | - | 2026-03-05
CVE-2026-0689 | XIQ‑SE NAC Admin Credential Exposure via HTTP Response | ExtremeCloud IQ - Site Engine | 4.9 (AI) | Medium (AI) | 2026-03-02
CVE-2026-20435 | MediaTek Chipsets Security Vulnerability | MediaTek chipset | 4.2 (AI) | Medium (AI) | 2026-03-02
CVE-2026-22878 | Mobility46 mobility46.se Insufficiently Protected Credentials | mobility46.se | 6.5 | Medium | 2026-02-27
CVE-2026-25774 | EV Energy ev.energy Insufficiently Protected Credentials | ev.energy | 6.5 | Medium | 2026-02-27
CVE-2026-27773 | SWITCH EV swtchenergy.com Insufficiently Protected Credentials | swtchenergy.com | 6.5 | Medium | 2026-02-27
CVE-2026-22890 | EV2GO ev2go.io Insufficiently Protected Credentials | ev2go.io | 6.5 | Medium | 2026-02-26
CVE-2026-20733 | CloudCharge cloudcharge.se Insufficiently Protected Credentials | cloudcharge.se | 6.5 | Medium | 2026-02-26
CVE-2026-20791 | Chargemap chargemap.com Insufficiently Protected Credentials | chargemap.com | 6.5 | Medium | 2026-02-26
CVE-2025-67860 | NeuVector scanner insecurely handles passwords as command arguments | harvester | 3.8 | Low | 2026-02-25
CVE-2026-26049 | Jinan USR IOT Technology Limited (PUSR) USR-W610 Insufficiently Protected Credentials | USR-W610 | 5.7 | Medium | 2026-02-20
CVE-2026-27003 | OpenClaw: Telegram bot token exposure via logs | openclaw | 9.8 | - | 2026-02-19
CVE-2026-0715 | MOXA UC Series Security Vulnerability | UC-1200A Series | 6.8 (AI) | Medium (AI) | 2026-02-05
CVE-2026-1966 | YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI | YugabyteDB Anywhere | 8.1 (AI) | High (AI) | 2026-02-05
CVE-2020-37097 | Edimax EW-7438RPn 1.13 - Information Disclosure (WiFi Password) | EW-7438RPn Mini | 7.5 | High | 2026-02-03
CVE-2025-52623 | HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability | AION | 3.7 | Low | 2026-02-03
CVE-2026-24845 | malcontent's OCI image scanning could expose registry credentials | malcontent | 6.5 | Medium | 2026-01-29
CVE-2020-36968 | M/Monit 3.7.4 - Password Disclosure | M/Monit | 6.5 | Medium | 2026-01-28
CVE-2025-9521 | Password Confirmation Bypass in Omada Controller | Omada Controller | 7.5 (AI) | High (AI) | 2026-01-26
CVE-2026-23958 | DataEase Vulnerable to Brute-Force Attack on Admin JWT Secret Derived from Password that Enables Full Account Takeover | dataease | 9.8 (AI) | Critical (AI) | 2026-01-22
CVE-2026-21852 | Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation | claude-code | 6.5 (AI) | Medium (AI) | 2026-01-21
CVE-2025-58742 | Insufficient Configuration Protections Enable Database Credential Interception in Milner ImageDirector Capture | ImageDirector Capture | 5.9 (AI) | Medium (AI) | 2026-01-20
CVE-2025-58741 | Insecure Masked Credential Fields Enable Database Credential Access in Milner ImageDirector Capture | ImageDirector Capture | 7.5 (AI) | High (AI) | 2026-01-20
CVE-2026-1223 | BROWAN COMMUNICATIONS, PrismX MX100 AP controller - Insufficiently Protected Credentials | PrismX MX100 AP controller | 4.9 | Medium | 2026-01-20
CVE-2021-47759 | MTPutty 1.0.1.21 - SSH Password Disclosure | MTPutty | 6.2 | Medium | 2026-01-15
CVE-2025-69271 | Spectrum basic authentication in use | DX NetOps Spectrum | 8.1 (AI) | High (AI) | 2026-01-12
CVE-2025-62327 | HCL DevOps Deploy is susceptible to insufficiently protected credentials | DevOps Deploy | 4.9 | Medium | 2026-01-07
CVE-2025-64420 | Coolify members can see private key of root user | coolify | 10.0 | Critical | 2026-01-05

(AI) marks a CVSS score or severity that the site tags as AI-derived rather than taken from an official source; "-" means no severity was listed.

Vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials) account for 373 CVEs. The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact.