Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CWE-312 (敏感数据的明文存储) — Vulnerability Class 255

255 vulnerabilities classified as CWE-312 (敏感数据的明文存储). AI Chinese analysis included.

CWE-312 represents a critical data protection weakness where sensitive information is stored in an unencrypted, readable format within a resource accessible to unauthorized entities. This flaw typically arises when developers fail to apply adequate cryptographic safeguards to data at rest, such as configuration files, logs, or local databases. Attackers exploit this vulnerability by gaining direct access to the storage medium, allowing them to easily extract credentials, personal identifiable information, or financial data without needing to bypass complex encryption algorithms. To mitigate this risk, developers must implement robust encryption standards, such as AES-256, for all sensitive data stored locally. Additionally, utilizing secure key management systems and ensuring that storage resources are strictly isolated from other control spheres helps prevent unauthorized access, thereby maintaining data confidentiality and integrity throughout its lifecycle.

MITRE CWE Description
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Common Consequences (1)
ConfidentialityRead Application Data
An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Mitigations (2)
Implementation, System Configuration, OperationWhen storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Implementation, System Configuration, OperationIn some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Examples (2)
The following code excerpt stores a plaintext user account ID in a browser cookie.
response.addCookie( new Cookie("userAccountID", acctID);
Bad · Java
This code writes a user's login information to a cookie so the user does not have to login again later.
function persistLogin($username, $password){ $data = array("username" => $username, "password"=> $password); setcookie ("userdata", $data); }
Bad · PHP
CVE IDTitleCVSSSeverityPublished
CVE-2026-55885 Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets — grav 6.8 Medium2026-07-10
CVE-2026-50267 Steeltoe: TLS private keys written to /tmp with default permissions, never deleted — Steeltoe.Configuration.Abstractions 4.7 Medium2026-06-17
CVE-2026-46622 SolidInvoice: API tokens stored as plaintext in the database allowing full credential compromise on database breach — SolidInvoice 8.1 High2026-06-11
CVE-2026-10786 Devolutions Server 安全漏洞 — Server--2026-06-08
CVE-2026-4387 Unencrypted storage of authentication state in StrongDM Desktop Application state.kv file — StrongDM Desktop Application--2026-05-29
CVE-2026-45040 RustFS: Sensitive Information Leakage (SessionToken and SecretAccessKey) in RustFS Logs [Debug Mode] — rustfs--2026-05-28
CVE-2026-9274 Information Exposure Vulnerability in CP-Plus Wi-Fi Camera — Wi-Fi Camera CP-E38Q, CP-E48Q, CP-E25Q, CP-E35Q, CP-E45Q, CP-E28Q, CP-E21Q, CP-E31Q, CP-E41Q, CP-E24Q, CP-Z43Q, CP-E34Q, CP-E44Q, CP-T31Q, CP-V48Q, CP-V41Q, CP-Z45Q--2026-05-25
CVE-2026-8596 Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path — AWS 7.2 High2026-05-14
CVE-2026-6332 Clear Text Storage of Sensitive Information on EcoStruxure™ Machine Expert HVAC — Ecostruxure™ Machine Expert HVAC--2026-05-14
CVE-2026-42408 BIG-IP DNS tmsh vulnerability — BIG-IP 4.4 Medium2026-05-13
CVE-2026-28758 BIG-IP iControl REST vulnerability — BIG-IP 4.4 Medium2026-05-13
CVE-2026-45362 Sangoma Technologies Switchvox 安全漏洞 — Switchvox 3.2 Low2026-05-12
CVE-2026-7163 Assisted-service: assisted-service: authenticated users can gain administrative access to openshift clusters via credential disclosure — multicluster engine for Kubernetes 2.10 6.1 Medium2026-04-30
CVE-2026-41385 OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass — OpenClaw 6.5 Medium2026-04-28
CVE-2026-6553 TYPO3 CMS Stores Cleartext Password in User Settings Module — TYPO3 CMS 6.5AIMediumAI2026-04-21
CVE-2026-35644 OpenClaw < 2026.3.22 - Credential Exposure via baseUrl Fields in Gateway Snapshots — OpenClaw 6.5 Medium2026-04-09
CVE-2025-14815 Information Disclosure, Tampering, and Denial-of-Service Vulnerabilities in GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, GENESIS, and MC Works64 — GENESIS64 6.2AIMediumAI2026-04-08
CVE-2026-34833 Bulwark Webmail: Information Exposure: password returned in /api/auth/session — webmail 7.5AIHighAI2026-04-02
CVE-2026-33026 nginx-ui Backup Restore Allows Tampering with Encrypted Backups — nginx-ui 8.8 -2026-03-30
CVE-2026-33867 AVideo has Plaintext Video Password Storage — AVideo 8.1 -2026-03-27
CVE-2026-4346 Cleartext Storage of Administrative and Wi-Fi Credentials via Accessible Serial Interface in TP Link's TL-WR850N — TL-WR850N v3 6.8AIMediumAI2026-03-26
CVE-2026-31848 Reversible ecos_pw Cookie Allows Authentication Bypass in Nexxt Nebula 300+ — Nebula 300+ 9.8 -2026-03-23
CVE-2026-32842 Edimax GS-5008PL <= 1.00.54 Admin Credentials Stored in Cleartext — Edimax GS-5008PL 6.5 Medium2026-03-17
CVE-2025-55717 Fortinet多款产品 安全漏洞 — FortiVoice 3.8 Medium2026-03-10
CVE-2026-24311 Insecure Storage Protection vulnerability in SAP Customer Checkout 2.0 — SAP Customer Checkout 2.0 5.6 Medium2026-03-10
CVE-2025-47147 Gallagher Command Centre Mobile Client 安全漏洞 — Command Centre Mobile Client 5.7 Medium2026-03-03
CVE-2026-3277 Devolutions PowerShell Universal 安全漏洞 — PowerShell Universal 5.5 -2026-02-27
CVE-2026-3221 Devolutions Server 安全漏洞 — Server 6.5AIMediumAI2026-02-25
CVE-2026-27520 Binardat 10G08-0800GSM Network Switch Base64-encoded Password Stored in Cookie — 10G08-0800GSM Network Switch 7.5 High2026-02-24
CVE-2026-23655 Microsoft ACI Confidential Containers Information Disclosure Vulnerability — Microsoft ACI Confidential Containers 6.5 Medium2026-02-10

Vulnerabilities classified as CWE-312 (敏感数据的明文存储) represent 255 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.