CWE-257 (Storing Passwords in a Recoverable Format) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-1836 | 2026-06-12 | The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login crede… |
| CVE-2026-22576 | 2026-04-14 | A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all ve… |
| CVE-2026-22574 | 2026-04-14 | A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all ve… |
| CVE-2025-8095 | 2026-04-14 | The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise application… |
| CVE-2016-15058 | 2026-04-03 | Hirschmann HiLCOS Classic Platform switches Classic L2E, L2P, L3E, L3P versions prior to 09.0.06 and Classic L2B prior to 05.3.07 contain a credential exposure vulnerability where user passwords are s… |
| CVE-2026-22614 | 2026-03-10 | The encryption mechanism used in Eaton's EasySoft project file was insecure and susceptible to brute force attacks, an attacker with access to this file and the local host machine could potentially re… |
| CVE-2026-30785 | 2026-03-05 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client … |
| CVE-2026-20128 | 2026-02-25 | A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This v… |
| CVE-2025-57796 | 2026-01-28 | Explorance Blue versions prior to 8.14.12 use reversible symmetric encryption with a hardcoded static key to protect sensitive data, including user passwords and system configurations. This approach a… |
| CVE-2025-14295 | 2026-01-22 | Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web ses… |
| CVE-2025-8307 | 2026-01-08 | Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. Passwords of all users are stored in a database in an encoded format. An at… |
| CVE-2025-34180 | 2025-12-15 | NetSupport Manager < 14.12.0001 relies on a shared Gateway Key for authentication between Manager/Control, Client, and Connectivity Server components. The key is stored using a reversible encoding sc… |
| CVE-2025-40774 | 2025-10-14 | A vulnerability has been identified in SiPass integrated (All versions < V3.0). Affected server applications store user passwords encrypted in its database. Decryption keys are accessible to users wit… |
| CVE-2025-35054 | 2025-10-09 | Newforma Info Exchange (NIX) stores credentials used to configure NPCS in 'HKLM\Software\WOW6432Node\Newforma\<version>\Credentials'. The credentials are encrypted but the encryption key is stored in… |
| CVE-2025-0280 | 2025-09-03 | A security vulnerability in HCL Compass can allow attacker to gain unauthorized database access. |
| CVE-2025-58049 | 2025-08-28 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to bef… |
| CVE-2025-57789 | 2025-08-20 | During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before an… |
| CVE-2025-8904 | 2025-08-13 | Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decr… |
| CVE-2025-44958 | 2025-08-04 | RUCKUS Network Director (RND) before 4.5 stores passwords in a recoverable format. |
| CVE-2025-6996 | 2025-07-08 | Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords. |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Demonstrative_Examples, Description, Maintenance_Notes, Potential_Mitigations |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Relationships |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences, Demonstrative_Examples |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Demonstrative_Examples, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Demonstrative_Examples |
| 2014-06-23 | CWE Content Team | 2.7 | — | updated Description, Other_Notes |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated References, Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Demonstrative_Examples, Maintenance_Notes |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2023-10-26 | CWE Content Team | 4.13 | — | updated Observed_Examples |