Total
1390 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26511 | 1 Propius | 1 Machineselector | 2025-02-27 | N/A | 9.8 CRITICAL |
| A Hard Coded Admin Credentials issue in the Web-UI Admin Panel in Propius MachineSelector 6.6.0 and 6.6.1 allows remote attackers to gain access to the admin panel Propiusadmin.php, which allows taking control of the affected system. | |||||
| CVE-2024-9334 | 2025-02-27 | N/A | 8.2 HIGH | ||
| Use of Hard-coded Credentials, Storage of Sensitive Data in a Mechanism without Access Control vulnerability in E-Kent Pallium Vehicle Tracking allows Authentication Bypass.This issue affects Pallium Vehicle Tracking: before 17.10.2024. | |||||
| CVE-2023-0391 | 1 Mgt-commerce | 1 Cloudpanel | 2025-02-26 | N/A | 8.1 HIGH |
| MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. This behavior was observed in version 2.2.0. There has been no indication from the vendor this has been addressed in version 2.2.1. | |||||
| CVE-2024-28989 | 1 Solarwinds | 1 Web Help Desk | 2025-02-25 | N/A | 5.5 MEDIUM |
| SolarWinds Web Help Desk was found to have a hardcoded cryptographic key that could allow the disclosure of sensitive information from the software. | |||||
| CVE-2024-55927 | 2025-02-24 | N/A | 7.6 HIGH | ||
| A vulnerability in Xerox Workplace Suite arises from flawed token generation and the use of hard-coded keys. These weaknesses allow attackers to predict or forge tokens, leading to unauthorized access to sensitive functions. | |||||
| CVE-2024-52295 | 1 Dataease | 1 Dataease | 2025-02-20 | N/A | 9.8 CRITICAL |
| DataEase is an open source data visualization analysis tool. Prior to 2.10.2, DataEase allows attackers to forge jwt and take over services. The JWT secret is hardcoded in the code, and the UID and OID are hardcoded. The vulnerability has been fixed in v2.10.2. | |||||
| CVE-2022-26138 | 1 Atlassian | 3 Confluence Data Center, Confluence Server, Questions For Confluence | 2025-02-19 | N/A | 9.8 CRITICAL |
| The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app. | |||||
| CVE-2024-52902 | 2025-02-19 | N/A | 8.8 HIGH | ||
| IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system. | |||||
| CVE-2025-1143 | 2025-02-18 | N/A | 8.4 HIGH | ||
| Certain models of routers from Billion Electric has hard-coded embedded linux credentials, allowing attackers to log in through the SSH service using these credentials and obtain root privilege of the system. | |||||
| CVE-2024-8893 | 2025-02-14 | N/A | 7.3 HIGH | ||
| Use of Hard-coded Credentials vulnerability in GoodWe Technologies Co., Ltd. GW1500‑XS allows anyone in physical proximity to the device to fully access the web interface of the inverter via Wi‑Fi.This issue affects GW1500‑XS: 1.1.2.1. | |||||
| CVE-2023-30801 | 1 Qbittorrent | 1 Qbittorrent | 2025-02-13 | N/A | 9.8 CRITICAL |
| All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023. | |||||
| CVE-2023-22429 | 1 Wolt | 1 Wolt Delivery | 2025-02-11 | N/A | 7.8 HIGH |
| Android App 'Wolt Delivery: Food and more' version 4.27.2 and earlier uses hard-coded credentials (API key for an external service), which may allow a local attacker to obtain the hard-coded API key via reverse-engineering the application binary. | |||||
| CVE-2024-23473 | 1 Solarwinds | 1 Access Rights Manager | 2025-02-10 | N/A | 8.6 HIGH |
| The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. | |||||
| CVE-2024-21990 | 1 Netapp | 1 Ontap Select Deploy Administration Utility | 2025-02-10 | N/A | 5.4 MEDIUM |
| ONTAP Select Deploy administration utility versions 9.12.1.x, 9.13.1.x and 9.14.1.x contain hard-coded credentials that could allow an attacker to view Deploy configuration information and modify the account credentials. | |||||
| CVE-2024-36556 | 2025-02-10 | N/A | 9.1 CRITICAL | ||
| Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h, and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a Hardcoded password vulnerability. | |||||
| CVE-2022-37255 | 1 Tp-link | 2 Tapo C310, Tapo C310 Firmware | 2025-02-06 | N/A | 7.5 HIGH |
| TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603. | |||||
| CVE-2023-24501 | 1 Electra-air | 2 Central Ac Unit, Central Ac Unit Firmware | 2025-02-06 | N/A | 9.8 CRITICAL |
| Electra Central AC unit – Hardcoded Credentials in unspecified code used by the unit. | |||||
| CVE-2020-8657 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2025-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token. | |||||
| CVE-2022-45291 | 1 Pwsdashboard | 1 Personal Weather Station Dashboard | 2025-02-04 | N/A | 7.2 HIGH |
| PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022. | |||||
| CVE-2024-9643 | 2025-02-04 | N/A | 9.8 CRITICAL | ||
| The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. This issue appears similar to CVE-2023-32645. | |||||