Vulnerabilities (CVE)

Filtered by CWE-798
Total 1704 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-57578 2026-06-17 N/A 8.0 HIGH
An issue in H3C Magic M Device M2V100R006 allows a remote attacker to execute arbitrary code via the default password
CVE-2025-57577 2026-06-17 N/A 8.0 HIGH
An issue in H3C Device R365V300R004 allows a remote attacker to execute arbitrary code via the default password. NOTE: the Supplier's position is that their "product lines enforce or clearly prompt users to change any initial credentials upon first use. At most, this would be a case of misconfiguration if an administrator deliberately ignored the prompts, which is outside the scope of CVE definitions."
CVE-2025-57434 1 Creacast 1 Creabox Manager 2026-06-17 N/A 8.8 HIGH
Creacast Creabox Manager contains a critical authentication flaw that allows an attacker to bypass login validation. The system grants access when the username is creabox and the password begins with the string creacast, regardless of what follows.
CVE-2025-56749 1 Creativeitem 1 Academy Lms 2026-06-17 N/A 9.4 CRITICAL
Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account.
CVE-2025-56466 1 Masterlifecrm 1 Dietly 2026-06-17 N/A 7.5 HIGH
Hardcoded credentials in Dietly v1.25.0 for android allows attackers to gain sensitive information.
CVE-2025-56157 1 Langgenius 1 Dify 2026-06-17 N/A 9.8 CRITICAL
Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later.
CVE-2025-55739 2026-06-17 N/A N/A
api is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An attacker with access to the shared OAuth private key could forge JWT tokens, bypass authentication, and potentially gain full access to both REST and GraphQL APIs. Systems with the "api" module enabled, configured and previously activated by an administrator for remote inbound connections may be affected. This issue is fixed in versions 15.0.13, 16.0.15 and 17.0.3.
CVE-2025-55279 2026-06-17 N/A N/A
This vulnerability exists in ZKTeco WL20 due to hard-coded private key stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve private key stored in the firmware of the targeted device. Successful exploitation of this vulnerability could allow the attacker to perform unauthorized decryption of sensitive data and Man-in-the-Middle (MitM) attacks on the targeted device.
CVE-2025-55263 1 Hcltech 1 Aftermarket Cloud 2026-06-17 N/A 7.3 HIGH
HCL Aftermarket DPC is affected by Hardcoded Sensitive Data which allows attacker to gain access to the source code or if it is stored in insecure repositories, they can easily retrieve these hardcoded secrets.
CVE-2025-55262 1 Hcltech 1 Aftermarket Cloud 2026-06-17 N/A 8.3 HIGH
HCL Aftermarket DPC is affected by SQL Injection which allows attacker to exploit this vulnerability to retrieve sensitive information from the database.
CVE-2025-55047 2026-06-17 N/A 8.4 HIGH
CWE-798 Use of Hard-coded Credentials
CVE-2025-54947 1 Apache 1 Streampark 2026-06-17 N/A 9.8 CRITICAL
In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.
CVE-2025-54872 2026-06-17 N/A N/A
onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd.
CVE-2025-54465 2026-06-17 N/A N/A
This vulnerability exists in ZKTeco WL20 due to hard-coded MQTT credentials and endpoints stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve the hard-coded MQTT credentials and endpoints from the targeted device. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the MQTT broker and manipulate the communications of the targeted device.
CVE-2025-54455 1 Samsung 1 Magicinfo 9 Server 2026-06-17 N/A 9.1 CRITICAL
Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0.
CVE-2025-54454 1 Samsung 1 Magicinfo 9 Server 2026-06-17 N/A 9.1 CRITICAL
Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0.
CVE-2025-54341 1 Desktopalert 1 Pingalert Application Server 2026-06-17 N/A 5.3 MEDIUM
A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There are Hard-coded configuration values.
CVE-2025-53842 2026-06-17 N/A 4.5 MEDIUM
Use of hard-coded credentials issue exists in ZWX-2000CSW2-HN prior to 0.3.19 and ZWX-2000CS2-HN firmware all versions. If this vulnerability is exploited, an attacker may tamper with the settings of the device by obtaining the credentials. This vulnerability is caused by an insufficient fix for CVE-2024-39838.
CVE-2025-53754 2026-06-17 N/A N/A
This vulnerability exists in Digisol DG-GR6821AC Router due to hard-coded Root Access Credentials in system configuration of the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to obtain the stored root access credentials. Successful exploitation of this vulnerability could allow the attacker to gain admin access to the targeted device.
CVE-2025-52492 2026-06-17 N/A 7.5 HIGH
A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the attacker to gain unauthorized access to the associated Twilio account, leading to information disclosure, potential service disruption, and unauthorized use of the Twilio services.