Total
1564 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1610 | 2026-01-29 | 7.6 HIGH | 8.1 HIGH | ||
| A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been made public and could be used. | |||||
| CVE-2025-56157 | 1 Langgenius | 1 Dify | 2026-01-29 | N/A | 9.8 CRITICAL |
| Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later. | |||||
| CVE-2026-24840 | 2026-01-29 | N/A | 8.0 HIGH | ||
| Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue. | |||||
| CVE-2025-40537 | 2026-01-29 | N/A | 7.5 HIGH | ||
| SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. | |||||
| CVE-2020-36911 | 1 Cobbr | 1 Covenant | 2026-01-29 | N/A | 9.8 CRITICAL |
| Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system. | |||||
| CVE-2026-24346 | 2026-01-27 | N/A | N/A | ||
| Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application | |||||
| CVE-2026-1221 | 2026-01-26 | N/A | 9.8 CRITICAL | ||
| PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware. | |||||
| CVE-2025-58744 | 2026-01-26 | N/A | N/A | ||
| Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. | |||||
| CVE-2025-14115 | 2026-01-26 | N/A | 8.4 HIGH | ||
| IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM® Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | |||||
| CVE-2025-59095 | 2026-01-26 | N/A | N/A | ||
| The program libraries (DLL) and binaries used by exos 9300 contain multiple hard-coded secrets. One notable example is the function "EncryptAndDecrypt" in the library Kaba.EXOS.common.dll. This algorithm uses a simple XOR encryption technique combined with a cryptographic key (cryptoKey) to transform each character of the input string. However, it's important to note that this implementation does not provide strong encryption and should not be considered secure for sensitive data. It's more of a custom encryption approach rather than a common algorithm used in cryptographic applications. The key itself is static and based on the founder's name of the company. The functionality is for example used to encrypt the user PINs before storing them in the MSSQL database. | |||||
| CVE-2025-59107 | 2026-01-26 | N/A | N/A | ||
| Dormakaba provides the software FWServiceTool to update the firmware version of the Access Managers via the network. The firmware in some instances is provided in an encrypted ZIP file. Within this tool, the password used to decrypt the ZIP and extract the firmware is set statically and can be extracted. This password was valid for multiple observed firmware versions. | |||||
| CVE-2025-59092 | 2026-01-26 | N/A | N/A | ||
| An RPC service, which is part of exos 9300, is reachable on port 4000, run by the process FSMobilePhoneInterface.exe. This service is used for interprocess communication between services and the Kaba exos 9300 GUI, containing status information about the Access Managers. Interacting with the service does not require any authentication. Therefore, it is possible to send arbitrary status information about door contacts etc. without prior authentication. | |||||
| CVE-2025-59096 | 2026-01-26 | N/A | N/A | ||
| The default password for the extended admin user mode in the application U9ExosAdmin.exe ("Kaba 9300 Administration") is hard-coded in multiple locations as well as documented in the locally stored user documentation. | |||||
| CVE-2025-59091 | 2026-01-26 | N/A | N/A | ||
| Multiple hardcoded credentials have been identified, which are allowed to sign-in to the exos 9300 datapoint server running on port 1004 and 1005. This server is used for relaying status information from and to the Access Managers. This information, among other things, is used to graphically visualize open doors and alerts. However, controlling the Access Managers via this interface is also possible. To send and receive status information, authentication is necessary. The Kaba exos 9300 application contains hard-coded credentials for four different users, which are allowed to login to the datapoint server and receive as well as send information, including commands to open arbitrary doors. | |||||
| CVE-2024-50377 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 6.5 MEDIUM |
| A CWE-798 "Use of Hard-coded Credentials" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability is associated to the backup configuration functionality that by default encrypts the archives using a static password. | |||||
| CVE-2026-22911 | 1 Sick | 2 Tdc-x401gl, Tdc-x401gl Firmware | 2026-01-23 | N/A | 5.3 MEDIUM |
| Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device. | |||||
| CVE-2025-65823 | 1 Meatmeet | 2 Meatmeet Pro Wifi \& Bluetooth Meat Thermometer, Meatmeet Pro Wifi \& Bluetooth Meat Thermometer Firmware | 2026-01-21 | N/A | 9.8 CRITICAL |
| The Meatmeet Pro was found to be shipped with hardcoded Wi-Fi credentials in the firmware, for the test network it was developed on. If an attacker retrieved this, and found the physical location of the Wi-Fi network, they could gain unauthorized access to the Wi-Fi network of the vendor. Additionally, if an attacker were located in close physical proximity to the device when it was first set up, they may be able to force the device to auto-connect to an attacker-controlled access point by setting the SSID and password to the same as which was found in the firmware file. | |||||
| CVE-2025-68926 | 1 Rustfs | 1 Rustfs | 2026-01-16 | N/A | 9.8 CRITICAL |
| RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.78 contains a fix for the issue. | |||||
| CVE-2025-15111 | 1 Kseniasecurity | 2 Lares, Lares Firmware | 2026-01-16 | N/A | 9.8 CRITICAL |
| Ksenia Security Lares 4.0 Home Automation version 1.6 contains a default credentials vulnerability that allows unauthorized attackers to gain administrative access. Attackers can exploit the weak default administrative credentials to obtain full control of the home automation system. | |||||
| CVE-2023-53983 | 1 Ateme | 6 Flamingo Xl, Flamingo Xl Firmware, Flamingo Xs and 3 more | 2026-01-16 | N/A | 9.8 CRITICAL |
| Anevia Flamingo XL/XS 3.6.20 contains a critical vulnerability with weak default administrative credentials that can be easily guessed. Attackers can leverage these hard-coded credentials to gain full remote system control without complex authentication mechanisms. | |||||