Vulnerabilities (CVE)

Filtered by CWE-798
Total 1684 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3
CVE-2026-50083 |  |  | 2026-06-12 | N/A | 9.1 CRITICAL
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
CVE-2026-10557 |  |  | 2026-06-12 | N/A | 9.8 CRITICAL
The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number.
CVE-2026-11849 |  |  | 2026-06-12 | N/A | 9.8 CRITICAL
The iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remote attackers to exploit hard-coded credentials to gain administrative privileges on the database.
CVE-2026-47281 |  |  | 2026-06-09 | N/A | 9.6 CRITICAL
Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
CVE-2016-20031 |  |  | 2026-06-08 | N/A | 5.5 MEDIUM
ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method, which treats the IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1, and authenticate using the IP as the username with the hardcoded password 123456 to access sensitive information and perform unauthorized actions.
CVE-2016-20026 |  |  | 2026-06-08 | N/A | 9.8 CRITICAL
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.
CVE-2026-49201 | (1) Acer | (2) Wave 7, Wave 7 Firmware | 2026-06-08 | N/A | 9.8 CRITICAL
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.
CVE-2025-1029 | (1) Utarit | (1) Soliclub | 2026-06-06 | N/A | 7.5 HIGH
Use of Hard-coded Credentials vulnerability in Utarit Information Services Inc. SoliClub allows Read Sensitive Constants Within an Executable. This issue affects SoliClub: from 5.2.4 before 5.3.7.
CVE-2025-0642 |  |  | 2026-06-06 | N/A | 6.3 MEDIUM
Use of Hard-coded Credentials, Authorization Bypass Through User-Controlled Key vulnerability in PosCube Hardware Software and Consulting Ltd. Co. Assist allows Excavation, Authentication Bypass. This issue affects Assist: through 10.02.2025.
CVE-2026-11414 |  |  | 2026-06-05 | N/A | N/A
A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the Vault storage area without any authentication, session, or credentials. A separate path traversal vulnerability in the same download endpoint allows the configured storage root to be escaped, enabling reads of arbitrary files on the server filesystem. Combined, these issues allow an unauthenticated attacker to obtain sensitive server configuration and key material, which can lead to full server compromise. The vulnerability can be chained with CVE-2026-9152 to enumerate and bulk-download stored content. Altium 365 cloud deployments are not impacted in practice, as file storage uses object storage rather than the local filesystem.
CVE-2025-71317 |  |  | 2026-06-05 | N/A | 9.8 CRITICAL
NetMan 204 contains a hard-coded backdoor account with the username and password 'eurek' that grants administrative access. A remote, unauthenticated attacker can authenticate through the cgi-bin/login.cgi endpoint (for example /cgi-bin/login.cgi?username=eurek&password=eurek, which due to lax parameter validation can be shortened to /cgi-bin/login.cgi?username=eurek%20eurek) to obtain administrator privileges, allowing them to alter device configuration, enable the telnet/SSH services, and reset local user credentials.
CVE-2025-4130 |  |  | 2026-06-05 | N/A | 7.5 HIGH
Use of Hard-coded Credentials vulnerability in PAVO Inc. PAVO Pay allows Read Sensitive Constants Within an Executable. This issue affects PAVO Pay: before 13.05.2025.
CVE-2025-4378 |  |  | 2026-06-05 | N/A | 10.0 CRITICAL
Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentication Abuse, Authentication Bypass. This issue affects ATA-AOF Mobile Application: before 20.06.2025.
CVE-2026-21404 |  |  | 2026-06-05 | N/A | 6.3 MEDIUM
NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.
CVE-2025-7358 | (1) Utarit | (1) Soliclub | 2026-06-05 | N/A | 7.5 HIGH
Use of Hard-coded Credentials vulnerability in Utarit Informatics Services Inc. SoliClub allows Authentication Abuse. This issue affects SoliClub: before 5.3.7.
CVE-2025-10609 |  |  | 2026-06-05 | N/A | 5.9 MEDIUM
Use of Hard-coded Credentials vulnerability in Logo Software Inc. TigerWings ERP allows Read Sensitive Constants Within an Executable. This issue affects TigerWings ERP: from 01.01.00 before 3.03.00.
CVE-2026-49204 | (1) Acer | (2) Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-04 | N/A | 6.5 MEDIUM
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation.
CVE-2026-50213 | (1) Acer | (2) Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-04 | N/A | 7.5 HIGH
The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings.
CVE-2026-8876 | (1) Securly | (1) Securly | 2026-06-04 | N/A | 7.3 HIGH
Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.
CVE-2026-42929 | (1) Macgregor | (2) Interschalt Vdr G4e, Interschalt Vdr G4e Firmware | 2026-06-04 | N/A | 8.3 HIGH
Danelec MacGregor Voyage Data Recorder includes default accounts with hard-coded credentials.