Total
1704 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-52376 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below allows an attacker to remotely enable the Telnet service without authentication, bypassing security controls. The Telnet server is then accessible with hard-coded credentials, allowing attackers to gain administrative shell access and execute arbitrary commands on the device. | |||||
| CVE-2025-52363 | 1 Tenda | 2 Cp3 Pro, Cp3 Pro Firmware | 2026-06-17 | N/A | 6.8 MEDIUM |
| Tenda CP3 Pro Firmware V22.5.4.93 contains a hardcoded root password hash in the /etc/passwd file and /etc/passwd-. An attacker with access to the firmware image can extract and attempt to crack the root password hash, potentially obtaining administrative access. | |||||
| CVE-2025-52159 | 1 Yandaozi | 1 Ppress | 2026-06-17 | N/A | 8.8 HIGH |
| Hardcoded credentials in default configuration of PPress 0.0.9. | |||||
| CVE-2025-51606 | | | 2026-06-17 | N/A | 8.8 HIGH |
| hippo4j 1.0.0 to 1.5.0 uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs. | |||||
| CVE-2025-51536 | 1 Craws | 1 Openatlas | 2026-06-17 | N/A | 9.8 CRITICAL |
| Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 was discovered to contain a hardcoded Administrator password. | |||||
| CVE-2025-4633 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| Default credentials were present in the web portal for Airpointer 2.4.107-2, allowing an unauthenticated malicious actor to log in via the web portal. | |||||
| CVE-2025-4570 | | | 2026-06-17 | N/A | N/A |
| An insecure sensitive key storage issue was found in MyASUS, potentially allowing an unauthorized actor to obtain a token that could be used to communicate with certain services. Refer to the 'Security Update for MyASUS' section on the ASUS Security Advisory for more information. | |||||
| CVE-2025-4569 | | | 2026-06-17 | N/A | N/A |
| An insecure sensitive key storage issue was found in MyASUS, potentially allowing an unauthorized actor to obtain a token that could be used to communicate with certain services. Refer to the 'Security Update for MyASUS' section on the ASUS Security Advisory for more information. | |||||
| CVE-2025-4378 | | | 2026-06-17 | N/A | 10.0 CRITICAL |
| Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentication Abuse, Authentication Bypass. This issue affects ATA-AOF Mobile Application: before 20.06.2025. | |||||
| CVE-2025-4130 | | | 2026-06-17 | N/A | 7.5 HIGH |
| Use of Hard-coded Credentials vulnerability in PAVO Inc. PAVO Pay allows Read Sensitive Constants Within an Executable. This issue affects PAVO Pay: before 13.05.2025. | |||||
| CVE-2025-4049 | | | 2026-06-17 | N/A | N/A |
| Use of hard-coded SQLite credentials, identical across all vulnerable installations, in SIGNUM-NET FARA allows reading and manipulating the locally stored database. This issue affects FARA: through 5.0.80.34. | |||||
| CVE-2025-4041 | | | 2026-06-17 | N/A | N/A |
| In Optigo Networks ONS NC600 versions 4.2.1-084 through 4.7.2-330, an attacker could connect with the device's SSH server and utilize the system's components to perform OS command executions. | |||||
| CVE-2025-49551 | 1 Adobe | 1 Coldfusion | 2026-06-17 | N/A | 8.8 HIGH |
| ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Use of Hard-coded Credentials vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to gain unauthorized access to sensitive systems or data. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses. | |||||
| CVE-2025-48748 | 1 Netwrix | 1 Directory Manager | 2026-06-17 | N/A | 10.0 CRITICAL |
| Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password. | |||||
| CVE-2025-48491 | | | 2026-06-17 | N/A | N/A |
| Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in the source code. This issue has been patched in the pre-beta version. | |||||
| CVE-2025-48414 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| There are several scripts in the web interface that are accessible via undocumented hard-coded credentials. The scripts provide access to additional administrative/debug functionality, are likely intended for debugging during development, and provide an additional attack surface. | |||||
| CVE-2025-48413 | | | 2026-06-17 | N/A | 7.7 HIGH |
| The `/etc/passwd` and `/etc/shadow` files reveal hard-coded password hashes for the operating system "root" user. The credentials are shipped with the update files. There is no option for an end user to delete or change these passwords. An attacker can use the credentials to log into the device. Authentication can be performed via SSH backdoor or likely via physical access (UART shell). | |||||
| CVE-2025-47730 | 1 Smarsh | 1 Telemessage | 2026-06-17 | N/A | 4.8 MEDIUM |
| The TeleMessage archiving backend through 2025-05-05 accepts API calls (to request an authentication token) from the TM SGNL (aka Archive Signal) app with the credentials of logfile for the user and enRR8UVVywXYbFkqU#QDPRkO for the password. | |||||
| CVE-2025-46617 | | | 2026-06-17 | N/A | 7.2 HIGH |
| Quantum StorNext Web GUI API before 7.2.4 grants access to internal StorNext configuration and unauthorized modification of some software configuration parameters via undocumented user credentials. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage. | |||||
| CVE-2025-46352 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the binary responsible for running VNC. This password cannot be altered, allowing anyone with knowledge of it to gain remote access to the panel. Such access could enable an attacker to operate the panel remotely, potentially putting the fire panel into a non-functional state and causing serious safety issues. | |||||
