Total: 1635 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-13776 | 1 Finka | 6 Finka-faktura, Finka-fk, Finka-kpr and 3 more | 2026-02-26 | N/A | 7.1 HIGH |
| Multiple Finka programs use hard-coded Firebird database credentials (shared across all instances of this software). A malicious attacker on the local network who knows the default credentials is able to read and edit database content. This vulnerability has been fixed in versions: Finka-FK 18.5, Finka-KPR 16.6, Finka-Płace 13.4, Finka-Faktura 18.3, Finka-Magazyn 8.3, Finka-STW 12.3. | |||||
| CVE-2023-6448 | 1 Unitronics | 33 Samba 3.5, Samba 3.5 Firmware, Samba 4.3 and 30 more | 2026-02-26 | N/A | 9.8 CRITICAL |
| Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system. | |||||
| CVE-2026-27507 | 1 Binardat | 2 10g08-0800gsm, 10g08-0800gsm Firmware | 2026-02-25 | N/A | 9.8 CRITICAL |
| Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior contain hard-coded administrative credentials that cannot be changed by users. Knowledge of these credentials allows full administrative access to the device. | |||||
| CVE-2026-26218 | 1 Newbee-mall Project | 1 Newbee-mall | 2026-02-25 | N/A | 9.8 CRITICAL |
| newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application. | |||||
| CVE-2022-3214 | 1 Deltaww | 1 Diaenergie | 2026-02-25 | N/A | 9.8 CRITICAL |
| Delta Industrial Automation's DIAEnergy, an industrial energy management system, is vulnerable to CWE-798, Use of Hard-coded Credentials. Versions prior to 1.9.03.009 have this vulnerability. Executable files could be uploaded to certain directories using hard-coded bearer authorization, allowing remote code execution. | |||||
| CVE-2026-22769 | 1 Dell | 1 Recoverpoint For Virtual Machines | 2026-02-18 | N/A | 10.0 CRITICAL |
| Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible. | |||||
| CVE-2025-33089 | 1 Ibm | 1 Concert | 2026-02-18 | N/A | 6.5 MEDIUM |
| IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials. | |||||
| CVE-2026-2103 | 1 Infor | 1 Syteline Erp | 2026-02-17 | N/A | 7.1 HIGH |
| Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt all stored credentials. | |||||
| CVE-2025-58744 | 2 Microsoft, Milner | 2 Windows, Imagedirector Capture | 2026-02-10 | N/A | 7.5 HIGH |
| Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. | |||||
| CVE-2026-24346 | 1 Nimbletech | 2 Ezcast Pro Dongle Ii, Ezcast Pro Dongle Ii Firmware | 2026-02-05 | N/A | 9.1 CRITICAL |
| Use of well-known default credentials in the Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application. | |||||
| CVE-2026-24840 | 1 Dokploy | 1 Dokploy | 2026-02-04 | N/A | 8.0 HIGH |
| Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue. | |||||
| CVE-2026-0622 | 1 Open5gs | 1 Open5gs | 2026-02-03 | N/A | 6.5 MEDIUM |
| Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset. | |||||
| CVE-2025-40537 | 1 Solarwinds | 1 Web Help Desk | 2026-02-03 | N/A | 7.5 HIGH |
| SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. | |||||
| CVE-2025-56157 | 1 Langgenius | 1 Dify | 2026-01-29 | N/A | 9.8 CRITICAL |
| Default credentials in Dify through 1.5.1. The PostgreSQL username and password are specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later. | |||||
| CVE-2020-36911 | 1 Cobbr | 1 Covenant | 2026-01-29 | N/A | 9.8 CRITICAL |
| Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system. | |||||
| CVE-2024-50377 | 1 Advantech | 6 Eki-6333ac-1gpo, Eki-6333ac-1gpo Firmware, Eki-6333ac-2g and 3 more | 2026-01-23 | N/A | 6.5 MEDIUM |
| A CWE-798 "Use of Hard-coded Credentials" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability is associated with the backup configuration functionality, which by default encrypts the archives using a static password. | |||||
| CVE-2026-22911 | 1 Sick | 2 Tdc-x401gl, Tdc-x401gl Firmware | 2026-01-23 | N/A | 5.3 MEDIUM |
| Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device. | |||||
| CVE-2025-65823 | 1 Meatmeet | 2 Meatmeet Pro Wifi & Bluetooth Meat Thermometer, Meatmeet Pro Wifi & Bluetooth Meat Thermometer Firmware | 2026-01-21 | N/A | 9.8 CRITICAL |
| The Meatmeet Pro was found to be shipped with hardcoded Wi-Fi credentials in the firmware, for the test network it was developed on. If an attacker retrieved these and found the physical location of the Wi-Fi network, they could gain unauthorized access to the Wi-Fi network of the vendor. Additionally, if an attacker were located in close physical proximity to the device when it was first set up, they may be able to force the device to auto-connect to an attacker-controlled access point by setting the SSID and password to the same values found in the firmware file. | |||||
| CVE-2025-68926 | 1 Rustfs | 1 Rustfs | 2026-01-16 | N/A | 9.8 CRITICAL |
| RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.78 contains a fix for the issue. | |||||
| CVE-2023-53983 | 1 Ateme | 6 Flamingo Xl, Flamingo Xl Firmware, Flamingo Xs and 3 more | 2026-01-16 | N/A | 9.8 CRITICAL |
| Anevia Flamingo XL/XS 3.6.20 contains a critical vulnerability with weak default administrative credentials that can be easily guessed. Attackers can leverage these hard-coded credentials to gain full remote system control without complex authentication mechanisms. | |||||
