Vulnerabilities (CVE)

Filtered by CWE-798
Total 1704 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-2394 2026-06-17 N/A N/A
Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.
CVE-2025-2343 2026-06-17 6.8 MEDIUM 7.5 HIGH
A vulnerability classified as critical was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this vulnerability is an unknown functionality of the component Device Pairing. The manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-2342 2026-06-17 5.0 MEDIUM 5.3 MEDIUM
A vulnerability classified as critical has been found in IROAD X5 Mobile App up to 5.2.5 on Android. Affected is an unknown function of the component API Endpoint. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-2322 1 274056675 1 Springboot-openai-chatgpt 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability was found in 274056675 springboot-openai-chatgpt e84f6f5. It has been classified as critical. This affects an unknown part of the file /chatgpt-boot/src/main/java/org/springblade/modules/mjkj/controller/OpenController.java. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-29268 1 Allnet 2 All-rut22gw, All-rut22gw Firmware 2026-06-17 N/A 9.8 CRITICAL
ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library.
CVE-2025-28388 1 Openc3 1 Cosmos 2026-06-17 N/A 9.8 CRITICAL
OpenC3 COSMOS before v6.0.2 was discovered to contain hardcoded credentials for the Service Account.
CVE-2025-28230 1 Jmbroadcast 2 Jmb0150, Jmb0150 Firmware 2026-06-17 N/A 9.1 CRITICAL
Incorrect access control in JMBroadcast JMB0150 Firmware v1.0 allows attackers to access hardcoded administrator credentials.
CVE-2025-27643 1 Printerlogic 2 Vasion Print, Virtual Appliance 2026-06-17 N/A 9.8 CRITICAL
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.933 Application 20.0.2368 allows Hardcoded AWS API Key V-2024-006.
CVE-2025-27488 1 Microsoft 12 Windows 10 1809, Windows 10 2004, Windows 10 20h2 and 9 more 2026-06-17 N/A 6.7 MEDIUM
Use of hard-coded credentials in Windows Hardware Lab Kit allows an authorized attacker to elevate privileges locally.
CVE-2025-27255 2026-06-17 N/A 8.0 HIGH
Use of Hard-coded Credentials vulnerability in GE Vernova EnerVista UR Setup allows Privilege Escalation. The local user database is encrypted using a hardcoded password retrievable by an attacker analyzing the application code.
CVE-2025-26476 1 Dell 2 Elastic Cloud Storage, Objectscale 2026-06-17 N/A 8.4 HIGH
Dell ECS versions prior to 3.8.1.5/ObjectScale version 4.0.0.0 contain a Use of Hard-coded Cryptographic Key vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to unauthorized access.
CVE-2025-26410 2026-06-17 N/A 9.8 CRITICAL
The firmware of all Wattsense Bridge devices contains the same hard-coded user and root credentials. The user password can be easily recovered via password cracking attempts. The recovered credentials can be used to log into the device via the login shell that is exposed by the serial interface. The backdoor user has been removed in firmware BSP >= 6.4.1.
CVE-2025-26398 1 Solarwinds 1 Database Performance Analyzer 2026-06-17 N/A 5.6 MEDIUM
SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. If exploited, this vulnerability could lead to a machine-in-the-middle (MITM) attack against users. This vulnerability requires additional software not installed by default, local access to the server and administrator level privileges on the host.
CVE-2025-25570 2026-06-17 N/A 9.8 CRITICAL
Vue Vben Admin 2.10.1 allows unauthorized login to the backend due to an issue with hardcoded credentials.
CVE-2025-23179 2026-06-17 N/A 5.5 MEDIUM
CWE-798: Use of Hard-coded Credentials
CVE-2025-20309 1 Cisco 1 Unified Communications Manager 2026-06-17 N/A 10.0 CRITICAL
A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.
CVE-2025-20188 1 Cisco 1 Ios Xe 2026-06-17 N/A 10.0 CRITICAL
A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
CVE-2025-1879 1 I-drive 4 I11, I11 Firmware, I12 and 1 more 2026-06-17 2.1 LOW 2.4 LOW
A vulnerability was found in i-Drive i11 and i12 up to 20250227 and classified as problematic. This issue affects some unknown processing of the component APK. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the physical device. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life.
CVE-2025-1724 2026-06-17 N/A 7.4 HIGH
Zohocorp's ManageEngine Analytics Plus and Zoho Analytics on-premise versions older than 6130 are vulnerable to an AD-only account takeover because of a hardcoded sensitive token.
CVE-2025-1393 2026-06-17 N/A 9.8 CRITICAL
An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product.