Vulnerabilities (CVE)

Filtered by CWE-798
Total 1704 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-52376 2026-06-17 N/A 9.8 CRITICAL
An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below, allowing an attacker to remotely enable the Telnet service without authentication, bypassing security controls. The Telnet server is then accessible with hard-coded credentials, allowing attackers to gain administrative shell access and execute arbitrary commands on the device.
CVE-2025-52363 1 Tenda 2 Cp3 Pro, Cp3 Pro Firmware 2026-06-17 N/A 6.8 MEDIUM
Tenda CP3 Pro Firmware V22.5.4.93 contains a hardcoded root password hash in the /etc/passwd file and /etc/passwd-. An attacker with access to the firmware image can extract and attempt to crack the root password hash, potentially obtaining administrative access
CVE-2025-52159 1 Yandaozi 1 Ppress 2026-06-17 N/A 8.8 HIGH
Hardcoded credentials in default configuration of PPress 0.0.9.
CVE-2025-51606 2026-06-17 N/A 8.8 HIGH
hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs.
CVE-2025-51536 1 Craws 1 Openatlas 2026-06-17 N/A 9.8 CRITICAL
Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 as discovered to contain a hardcoded Administrator password.
CVE-2025-4633 2026-06-17 N/A 6.5 MEDIUM
Default credentials were present in the web portal for Airpointer 2.4.107-2, allowing an unauthenticated malicious actor to log in via the web portal
CVE-2025-4570 2026-06-17 N/A N/A
An insecure sensitive key storage issue was found in MyASUS. potentially allowing unauthorized actor to obtain a token that could be used to communicate with certain services. Refer to the 'Security Update for for MyASUS' section on the ASUS Security Advisory for more information.
CVE-2025-4569 2026-06-17 N/A N/A
An insecure sensitive key storage issue was found in MyASUS. potentially allowing unauthorized actor to obtain a token that could be used to communicate with certain services. Refer to the 'Security Update for for MyASUS' section on the ASUS Security Advisory for more information.
CVE-2025-4378 2026-06-17 N/A 10.0 CRITICAL
Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentication Abuse, Authentication Bypass. This issue affects ATA-AOF Mobile Application: before 20.06.2025.
CVE-2025-4130 2026-06-17 N/A 7.5 HIGH
Use of Hard-coded Credentials vulnerability in PAVO Inc. PAVO Pay allows Read Sensitive Constants Within an Executable. This issue affects PAVO Pay: before 13.05.2025.
CVE-2025-4049 2026-06-17 N/A N/A
Use of hard-coded, the same among all vulnerable installations SQLite credentials vulnerability in SIGNUM-NET FARA allows to read and manipulate local-stored database.This issue affects FARA: through 5.0.80.34.
CVE-2025-4041 2026-06-17 N/A N/A
In Optigo Networks ONS NC600 versions 4.2.1-084 through 4.7.2-330, an attacker could connect with the device's ssh server and utilize the system's components to perform OS command executions.
CVE-2025-49551 1 Adobe 1 Coldfusion 2026-06-17 N/A 8.8 HIGH
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Use of Hard-coded Credentials vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to gain unauthorized access to sensitive systems or data. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.
CVE-2025-48748 1 Netwrix 1 Directory Manager 2026-06-17 N/A 10.0 CRITICAL
Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password.
CVE-2025-48491 2026-06-17 N/A N/A
Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in the source code. This issue has been patched in the pre-beta version.
CVE-2025-48414 2026-06-17 N/A 6.5 MEDIUM
There are several scripts in the web interface that are accessible via undocumented hard-coded credentials. The scripts provide access to additional administrative/debug functionality and are likely intended for debugging during development and provides an additional attack surface.
CVE-2025-48413 2026-06-17 N/A 7.7 HIGH
The `/etc/passwd` and `/etc/shadow` files reveal hard-coded password hashes for the operating system "root" user. The credentials are shipped with the update files. There is no option for deleting or changing their passwords for an enduser. An attacker can use the credentials to log into the device. Authentication can be performed via SSH backdoor or likely via physical access (UART shell).
CVE-2025-47730 1 Smarsh 1 Telemessage 2026-06-17 N/A 4.8 MEDIUM
The TeleMessage archiving backend through 2025-05-05 accepts API calls (to request an authentication token) from the TM SGNL (aka Archive Signal) app with the credentials of logfile for the user and enRR8UVVywXYbFkqU#QDPRkO for the password.
CVE-2025-46617 2026-06-17 N/A 7.2 HIGH
Quantum StorNext Web GUI API before 7.2.4 grants access to internal StorNext configuration and unauthorized modification of some software configuration parameters via undocumented user credentials. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage.
CVE-2025-46352 2026-06-17 N/A 9.8 CRITICAL
The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the binary responsible for running VNC. This password cannot be altered, allowing anyone with knowledge of it to gain remote access to the panel. Such access could enable an attacker to operate the panel remotely, potentially putting the fire panel into a non-functional state and causing serious safety issues.