Total: 1704 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-57578 | | | 2026-06-17 | N/A | 8.0 HIGH |
| An issue in H3C Magic M Device M2V100R006 allows a remote attacker to execute arbitrary code via the default password. | |||||
| CVE-2025-57577 | | | 2026-06-17 | N/A | 8.0 HIGH |
| An issue in H3C Device R365V300R004 allows a remote attacker to execute arbitrary code via the default password. NOTE: the Supplier's position is that their "product lines enforce or clearly prompt users to change any initial credentials upon first use. At most, this would be a case of misconfiguration if an administrator deliberately ignored the prompts, which is outside the scope of CVE definitions." | |||||
| CVE-2025-57434 | 1 Creacast | 1 Creabox Manager | 2026-06-17 | N/A | 8.8 HIGH |
| Creacast Creabox Manager contains a critical authentication flaw that allows an attacker to bypass login validation. The system grants access when the username is creabox and the password begins with the string creacast, regardless of what follows. | |||||
| CVE-2025-56749 | 1 Creativeitem | 1 Academy Lms | 2026-06-17 | N/A | 9.4 CRITICAL |
| Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account. | |||||
| CVE-2025-56466 | 1 Masterlifecrm | 1 Dietly | 2026-06-17 | N/A | 7.5 HIGH |
| Hard-coded credentials in Dietly v1.25.0 for Android allow attackers to obtain sensitive information. | |||||
| CVE-2025-56157 | 1 Langgenius | 1 Dify | 2026-06-17 | N/A | 9.8 CRITICAL |
| Default credentials in Dify through 1.5.1: the PostgreSQL username and password are specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not expose PostgreSQL (on TCP port 5432) by default in version 1.0.1 or later. | |||||
| CVE-2025-55739 | | | 2026-06-17 | N/A | N/A |
| api is a module for FreePBX, which is an open source GUI that controls and manages Asterisk (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An attacker with access to the shared OAuth private key could forge JWT tokens, bypass authentication, and potentially gain full access to both REST and GraphQL APIs. Systems with the "api" module enabled, configured and previously activated by an administrator for remote inbound connections may be affected. This issue is fixed in versions 15.0.13, 16.0.15 and 17.0.3. | |||||
| CVE-2025-55279 | | | 2026-06-17 | N/A | N/A |
| This vulnerability exists in ZKTeco WL20 due to hard-coded private key stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve private key stored in the firmware of the targeted device. Successful exploitation of this vulnerability could allow the attacker to perform unauthorized decryption of sensitive data and Man-in-the-Middle (MitM) attacks on the targeted device. | |||||
| CVE-2025-55263 | 1 Hcltech | 1 Aftermarket Cloud | 2026-06-17 | N/A | 7.3 HIGH |
| HCL Aftermarket DPC is affected by Hardcoded Sensitive Data: an attacker who gains access to the source code, or to the insecure repositories in which it is stored, can easily retrieve these hardcoded secrets. | |||||
| CVE-2025-55262 | 1 Hcltech | 1 Aftermarket Cloud | 2026-06-17 | N/A | 8.3 HIGH |
| HCL Aftermarket DPC is affected by SQL Injection, which allows an attacker to retrieve sensitive information from the database. | |||||
| CVE-2025-55047 | | | 2026-06-17 | N/A | 8.4 HIGH |
| CWE-798 Use of Hard-coded Credentials | |||||
| CVE-2025-54947 | 1 Apache | 1 Streampark | 2026-06-17 | N/A | 9.8 CRITICAL |
| In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. | |||||
| CVE-2025-54872 | | | 2026-06-17 | N/A | N/A |
| onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd. | |||||
| CVE-2025-54465 | | | 2026-06-17 | N/A | N/A |
| This vulnerability exists in ZKTeco WL20 due to hard-coded MQTT credentials and endpoints stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve the hard-coded MQTT credentials and endpoints from the targeted device. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the MQTT broker and manipulate the communications of the targeted device. | |||||
| CVE-2025-54455 | 1 Samsung | 1 Magicinfo 9 Server | 2026-06-17 | N/A | 9.1 CRITICAL |
| Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass. This issue affects MagicINFO 9 Server: less than 21.1080.0. | |||||
| CVE-2025-54454 | 1 Samsung | 1 Magicinfo 9 Server | 2026-06-17 | N/A | 9.1 CRITICAL |
| Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass. This issue affects MagicINFO 9 Server: less than 21.1080.0. | |||||
| CVE-2025-54341 | 1 Desktopalert | 1 Pingalert Application Server | 2026-06-17 | N/A | 5.3 MEDIUM |
| A vulnerability was found in the Application Server of Desktop Alert PingAlert versions 6.1.0.11 to 6.1.1.2: it contains hard-coded configuration values. | |||||
| CVE-2025-53842 | | | 2026-06-17 | N/A | 4.5 MEDIUM |
| Use of hard-coded credentials issue exists in ZWX-2000CSW2-HN prior to 0.3.19 and ZWX-2000CS2-HN firmware all versions. If this vulnerability is exploited, an attacker may tamper with the settings of the device by obtaining the credentials. This vulnerability is caused by an insufficient fix for CVE-2024-39838. | |||||
| CVE-2025-53754 | | | 2026-06-17 | N/A | N/A |
| This vulnerability exists in Digisol DG-GR6821AC Router due to hard-coded Root Access Credentials in system configuration of the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to obtain the stored root access credentials. Successful exploitation of this vulnerability could allow the attacker to gain admin access to the targeted device. | |||||
| CVE-2025-52492 | | | 2026-06-17 | N/A | 7.5 HIGH |
| A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the attacker to gain unauthorized access to the associated Twilio account, leading to information disclosure, potential service disruption, and unauthorized use of the Twilio services. | |||||
