CWE · MITRE source
CWE-523: Unprotected Transport of Credentials
Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (3) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-37 | Out-of-band Channels | SC | Using a distinct channel for credential transmission prevents unprotected transport over the application's normal communication path. |
| SC-8 | Transmission Confidentiality and Integrity | SC | Requiring protected transport for credentials directly mitigates unprotected credential transmission over networks. |
| SC-9 | Transmission Confidentiality | SC | Prevents unprotected transport of credentials by mandating confidentiality mechanisms such as TLS for all sensitive data flows. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2020-25175 | 2.0 | 9.8 | 0.0024 | 2020-12-14 |
| CVE-2017-16731 | 1.8 | 8.8 | 0.0010 | 2017-12-20 |
| CVE-2024-1509 | 1.8 | 9.1 | 0.0009 | 2025-02-28 |
| CVE-2025-57800 | 1.8 | 8.8 | 0.0010 | 2025-08-22 |
| CVE-2025-64309 | 1.7 | 8.6 | 0.0010 | 2025-11-15 |
| CVE-2021-32003 | 1.6 | 8.0 | 0.0004 | 2021-08-05 |
| CVE-2025-61916 | 1.6 | 7.9 | 0.0002 | 2026-01-05 |
| CVE-2021-38460 | 1.5 | 7.5 | 0.0064 | 2021-10-12 |
| CVE-2022-31805 | 1.5 | 7.5 | 0.0028 | 2022-06-24 |
| CVE-2023-31277 | 1.5 | 7.5 | 0.0010 | 2023-07-06 |
| CVE-2025-61121 | 1.5 | 7.5 | 0.0004 | 2025-10-30 |
| CVE-2025-64308 | 1.5 | 7.5 | 0.0004 | 2025-11-15 |
| CVE-2025-66029 | 1.5 | 7.6 | 0.0006 | 2025-12-17 |
| CVE-2025-41705 | 1.4 | 6.8 | 0.0003 | 2025-10-14 |
| CVE-2024-1102 | 1.3 | 6.5 | 0.0009 | 2024-04-25 |
| CVE-2024-20395 | 1.3 | 6.4 | 0.0021 | 2024-07-17 |
| CVE-2026-23635 | 1.3 | 6.5 | 0.0004 | 2026-03-25 |
| CVE-2023-22862 | 1.2 | 5.9 | 0.0009 | 2023-06-05 |
| CVE-2023-28708 | 0.9 | 4.3 | 0.0010 | 2023-03-22 |
| CVE-2024-4188 | 0.0 | 0.0 | 0.0008 | 2024-07-30 |