Total
217 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-49164 | 2026-04-15 | N/A | 4.3 MEDIUM | ||
| Arris VIP1113 devices through 2025-05-30 with KreaTV SDK have a firmware decryption key of cd1c2d78f2cba1f73ca7e697b4a485f49a8a7d0c8b0fdc9f51ced50f2530668a. | |||||
| CVE-2025-31362 | 2026-04-15 | N/A | 3.7 LOW | ||
| Use of hard-coded cryptographic key issue exists in BizRobo! all versions. Credentials inside robot files may be obtained if the encryption key is available. The vendor provides the workaround information and recommends to apply it to the deployment environment. | |||||
| CVE-2025-6074 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| Use of Hard-coded Cryptographic Key vulnerability in ABB RMC-100, ABB RMC-100 LITE. When the REST interface is enabled by the user, and an attacker gains access to source code and control network, the attacker can bypass the REST interface authentication and gain access to MQTT configuration data. This issue affects RMC-100: from 2105457-043 through 2105457-045; RMC-100 LITE: from 2106229-015 through 2106229-016. | |||||
| CVE-2024-38532 | 2026-04-15 | N/A | 7.1 HIGH | ||
| The NXP Data Co-Processor (DCP) is a built-in hardware module for specific NXP SoCs¹ that implements a dedicated AES cryptographic engine for encryption/decryption operations. The dcp_tool reference implementation included in the repository selected the test key, regardless of its `-t` argument. This issue has been patched in commit 26a7. | |||||
| CVE-2025-24525 | 2026-04-15 | N/A | 7.5 HIGH | ||
| Keysight Ixia Vision has an issue with hardcoded cryptographic material which may allow an attacker to intercept or decrypt payloads sent to the device via API calls or user authentication if the end user does not replace the TLS certificate that shipped with the device. Remediation is available in Version 6.9.1, released on September 23, 2025. | |||||
| CVE-2025-64304 | 2026-04-15 | N/A | 4.0 MEDIUM | ||
| "FOD" App uses hard-coded cryptographic keys, which may allow a local unauthenticated attacker to retrieve the cryptographic keys. | |||||
| CVE-2023-3947 | 1 Imdpen | 1 Video Conferencing With Zoom | 2026-04-08 | N/A | 3.7 LOW |
| The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'vczapi_encrypt_decrypt' function in versions up to, and including, 4.2.1. This makes it possible for unauthenticated attackers to decrypt and view the meeting id and password. | |||||
| CVE-2023-3371 | 1 Wpdeveloper | 1 Embedpress | 2026-04-08 | N/A | 5.3 MEDIUM |
| The EmbedPress plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'lock_content_form_handler' and 'display_password_form' function in versions up to, and including, 3.7.3. This makes it possible for unauthenticated attackers to decrypt and view the password protected content. | |||||
| CVE-2023-3404 | 1 Metagauss | 1 Profilegrid | 2026-04-08 | N/A | 4.9 MEDIUM |
| The ProfileGrid plugin for WordPress is vulnerable to unauthorized decryption of private information in versions up to, and including, 5.5.0. This is due to the passphrase and iv being hardcoded in the 'pm_encrypt_decrypt_pass' function and used across all sites running the plugin. This makes it possible for authenticated attackers, with administrator-level permissions or above to decrypt and view users' passwords. If combined with another vulnerability, this can potentially grant lower-privileged users access to users' passwords. | |||||
| CVE-2015-10148 | 2026-04-07 | N/A | 8.2 HIGH | ||
| Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remote attackers to decrypt or intercept encrypted management communications. Attackers can perform man-in-the-middle attacks, impersonate devices, and expose sensitive information by leveraging the shared default cryptographic keys across multiple devices. | |||||
| CVE-2025-67305 | 1 Commscope | 1 Ruckus Network Director | 2026-04-03 | N/A | 9.8 CRITICAL |
| In RUCKUS Network Director (RND) < 4.5.0.56, the OVA appliance contains hardcoded SSH keys for the postgres user. These keys are identical across all deployments, allowing an attacker with network access to authenticate via SSH without a password. Once authenticated, the attacker can access the PostgreSQL database with superuser privileges, create administrative users for the web interface, and potentially escalate privileges further. | |||||
| CVE-2025-15605 | 1 Tp-link | 8 Archer Nx200, Archer Nx200 Firmware, Archer Nx210 and 5 more | 2026-03-31 | N/A | 7.3 HIGH |
| A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them, and re-encrypt them, affecting the confidentiality and integrity of device configuration data. | |||||
| CVE-2023-46129 | 2 Linuxfoundation, Nats | 2 Nats-server, Nkeys | 2026-03-30 | N/A | 7.5 HIGH |
| NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing. FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep. | |||||
| CVE-2025-67112 | 2026-03-24 | N/A | 9.8 CRITICAL | ||
| Use of a hard-coded AES-256-CBC key in the configuration backup/restore implementation of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote authenticated users to decrypt, modify, and re-encrypt device configurations, enabling credential manipulation and privilege escalation via the GUI import/export functions. | |||||
| CVE-2024-2413 | 1 Intumit | 1 Smartrobot | 2026-03-17 | N/A | 9.8 CRITICAL |
| Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality. | |||||
| CVE-2026-1442 | 1 Unitree | 14 Go1 Air, Go1 Air Firmware, Go1 Pro and 11 more | 2026-03-11 | N/A | 7.8 HIGH |
| Since the encryption algorithm used to protect firmware updates is itself encrypted using key material available to an attacker (or anyone paying attention), the firmware updates may be altered by an unauthorized user, and then trusted by a Unitree product, such as the Unitree Go2 and other models. This issue appears to affect all of Unitree’s current offerings as of February 26, 2026, and so should be considered a vulnerability in both the firmware generation and extraction processes. At the time of this release, there is no publicly-documented mechanism to subvert the update process and insert poisoned firmware packages without the equipment owner’s knowledge. | |||||
| CVE-2025-15016 | 1 Ragic | 1 Enterprise Cloud Database | 2026-03-05 | N/A | 9.8 CRITICAL |
| Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information and log into the system as any user. | |||||
| CVE-2025-14923 | 1 Ibm | 1 Websphere Application Server | 2026-03-04 | N/A | 4.7 MEDIUM |
| IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.2 IBM WebSphere Application Server Liberty could provide weaker than expected security when using the Security Utility when administering security settings. | |||||
| CVE-2026-0754 | 2026-03-03 | N/A | N/A | ||
| An embedded test key and certificate could be extracted from a Poly Voice device using specialized reverse engineering tools. This extracted certificate could be accepted by a SIP service provider if the service provider does not perform proper validation of the device certificate. | |||||
| CVE-2026-25505 | 1 Bambuddy | 1 Bambuddy | 2026-02-27 | N/A | 9.8 CRITICAL |
| Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7. | |||||