Total
1564 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-50696 | 1 Sound4 | 17 Big Voice2, Big Voice2 Firmware, Big Voice4 and 14 more | 2026-01-16 | N/A | 9.8 CRITICAL |
| SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain hardcoded credentials embedded in server binaries that cannot be modified through normal device operations. Attackers can leverage these static credentials to gain unauthorized access to the device across Linux and Windows distributions without requiring user interaction. | |||||
| CVE-2021-47796 | 2026-01-16 | N/A | 9.8 CRITICAL | ||
| Denver SHC-150 Smart Wifi Camera contains a hardcoded telnet credential vulnerability that allows unauthenticated attackers to access a Linux shell. Attackers can connect to port 23 using the default credential to execute arbitrary commands on the camera's operating system. | |||||
| CVE-2025-1029 | 1 Utarit | 1 Soliclub | 2026-01-16 | N/A | 7.5 HIGH |
| Use of Hard-coded Credentials vulnerability in Utarit Information Services Inc. SoliClub allows Read Sensitive Constants Within an Executable.This issue affects SoliClub: from 5.2.4 before 5.3.7. | |||||
| CVE-2025-7358 | 1 Utarit | 1 Soliclub | 2026-01-16 | N/A | 7.5 HIGH |
| Use of Hard-coded Credentials vulnerability in Utarit Informatics Services Inc. SoliClub allows Authentication Abuse.This issue affects SoliClub: before 5.3.7. | |||||
| CVE-2025-33222 | 1 Nvidia | 1 Isaac Launchable | 2026-01-15 | N/A | 9.8 CRITICAL |
| NVIDIA Isaac Launchable contains a vulnerability where an attacker could exploit a hard-coded credential issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and data tampering. | |||||
| CVE-2022-26138 | 1 Atlassian | 3 Confluence Data Center, Confluence Server, Questions For Confluence | 2026-01-14 | N/A | 9.8 CRITICAL |
| The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app. | |||||
| CVE-2025-36747 | 1 Growatt | 2 Shine Lan-x, Shine Lan-x Firmware | 2026-01-14 | N/A | 9.8 CRITICAL |
| ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced. | |||||
| CVE-2025-36752 | 1 Growatt | 2 Shine Lan-x, Shine Lan-x Firmware | 2026-01-14 | N/A | 9.8 CRITICAL |
| Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle. | |||||
| CVE-2025-26476 | 1 Dell | 2 Elastic Cloud Storage, Objectscale | 2026-01-14 | N/A | 8.4 HIGH |
| Dell ECS versions prior to 3.8.1.5/ ObjectScale version 4.0.0.0, contain a Use of Hard-coded Cryptographic Key vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access. | |||||
| CVE-2025-38741 | 1 Dell | 1 Enterprise Sonic Os | 2026-01-14 | N/A | 7.5 HIGH |
| Dell Enterprise SONiC OS, version 4.5.0, contains a cryptographic key vulnerability in SSH. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to unauthorized access to communication. | |||||
| CVE-2025-35451 | 4 Multicam-systems, Ptzoptics, Smtav and 1 more | 102 Mcamii Ptz, Mcamii Ptz Firmware, Ndi Fixed Camera and 99 more | 2026-01-14 | N/A | 9.8 CRITICAL |
| PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use hard-coded, default administrative credentials. The passwords can readily be cracked. Many cameras have SSH or telnet listening on all interfaces. The passwords cannot be changed by the user, nor can the SSH or telnet service be disabled by the user. | |||||
| CVE-2025-69425 | 2026-01-13 | N/A | N/A | ||
| The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise. | |||||
| CVE-2025-69426 | 2026-01-13 | N/A | N/A | ||
| The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise. | |||||
| CVE-2025-7072 | 2026-01-13 | N/A | N/A | ||
| The firmware in KAON CG3000TC and CG3000T routers contains hard-coded credentials in clear text (shared across all routers of this model) that an unauthenticated remote attacker could use to execute commands with root privileges. This vulnerability has been fixed in firmware version: 1.00.67 for CG3000TC and 1.00.27 for CG3000T. | |||||
| CVE-2025-45466 | 1 Unitree | 2 Go1, Go1 Firmware | 2026-01-12 | N/A | 8.8 HIGH |
| Unitree Go1 <= Go1_2022_05_11 is vulnerale to Incorrect Access Control due to authentication credentials being hardcoded in plaintext. | |||||
| CVE-2017-20214 | 2026-01-08 | N/A | 7.5 HIGH | ||
| FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system. | |||||
| CVE-2020-36915 | 2026-01-08 | N/A | 7.5 HIGH | ||
| Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec Digital product versions. | |||||
| CVE-2019-25291 | 2026-01-08 | N/A | 7.5 HIGH | ||
| INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. Attackers can exploit these persistent credentials to log in and gain unauthorized system access across multiple SmartLiving device models. | |||||
| CVE-2025-65855 | 1 Netun | 2 Helpflash Iot, Helpflash Iot Firmware | 2026-01-06 | N/A | 6.6 MEDIUM |
| The OTA firmware update mechanism in Netun Solutions HelpFlash IoT (firmware v18_178_221102_ASCII_PRO_1R5_50) uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate firmware signatures. An attacker with brief physical access can activate OTA mode (8-second button press), create a malicious WiFi AP using the known credentials, and serve malicious firmware via unauthenticated HTTP to achieve arbitrary code execution on this safety-critical emergency signaling device. | |||||
| CVE-2018-25138 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2026-01-05 | N/A | 9.8 CRITICAL |
| FLIR AX8 Thermal Camera 1.32.16 contains hard-coded SSH and web panel credentials that cannot be changed through normal camera operations. Attackers can exploit these persistent credentials to gain unauthorized shell access and login to multiple camera interfaces using predefined username and password combinations. | |||||