Vulnerabilities (CVE)

Filtered by CWE-798
Total 1704 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-30904 1 Hpe 1 Insight Remote Support 2026-06-17 N/A 5.5 MEDIUM
A security vulnerability in HPE Insight Remote Support may result in the local disclosure of privileged LDAP information.
CVE-2023-30801 1 Qbittorrent 1 Qbittorrent 2026-06-17 N/A 9.8 CRITICAL
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
CVE-2023-30354 1 Tenda 2 Cp3, Cp3 Firmware 2026-06-17 N/A 9.8 CRITICAL
Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 does not defend against physical access to U-Boot via the UART: the Wi-Fi password is shown, and the hardcoded boot password can be inserted for console access.
CVE-2023-30352 1 Tenda 2 Cp3, Cp3 Firmware 2026-06-17 N/A 9.8 CRITICAL
Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 was discovered to contain a hard-coded default password for the RTSP feed.
CVE-2023-30351 1 Tenda 2 Cp3, Cp3 Firmware 2026-06-17 N/A 7.5 HIGH
Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 was discovered to contain a hard-coded default password for root which is stored using weak encryption. This vulnerability allows attackers to connect to the TELNET service (or UART) by using the exposed credentials.
CVE-2023-2637 1 Rockwellautomation 2 Factorytalk Policy Manager, Factorytalk System Services 2026-06-17 N/A 7.3 HIGH
Rockwell Automation's FactoryTalk System Services uses a hard-coded cryptographic key to generate administrator cookies.  Hard-coded cryptographic key may lead to privilege escalation.  This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk Policy Manger database. This may allow the threat actor to make malicious changes to the database that will be deployed when a legitimate FactoryTalk Policy Manager user deploys a security policy model. User interaction is required for this vulnerability to be successfully exploited.
CVE-2023-2611 1 Advantech 1 R-seenet 2026-06-17 N/A 9.8 CRITICAL
Advantech R-SeeNet versions 2.4.22 is installed with a hidden root-level user that is not available in the users list. This hidden user has a password that cannot be changed by users.
CVE-2023-2504 1 Birddog 8 4k Quad, 4k Quad Firmware, A300 and 5 more 2026-06-17 N/A 8.4 HIGH
Files present on firmware images could allow an attacker to gain unauthorized access as a root user using hard-coded credentials.
CVE-2023-2306 1 Qognify 1 Nicevision 2026-06-17 N/A 10.0 CRITICAL
Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records.
CVE-2023-2291 1 Zohocorp 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro 2026-06-17 N/A 7.8 HIGH
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.
CVE-2023-2158 1 Synopsys 1 Code Dx 2026-06-17 N/A 9.8 CRITICAL
Code Dx versions prior to 2023.4.2 are vulnerable to user impersonation attack where a malicious actor is able to gain access to another user's account by crafting a custom "Remember Me" token. This is possible due to the use of a hard-coded cipher which was used when generating the token. A malicious actor who creates this token can supply it to a separate Code Dx system, provided they know the username they want to impersonate, and impersonate the user.  Score 6.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
CVE-2023-2138 1 Nuxtlabs 1 Nuxt 2026-06-17 N/A 9.8 CRITICAL
Use of Hard-coded Credentials in GitHub repository nuxtlabs/github-module prior to 1.6.2.
CVE-2023-2061 1 Mitsubishielectric 8 Fx5-enet\/ip, Fx5-enet\/ip Firmware, Rj71eip91 and 5 more 2026-06-17 N/A 6.2 MEDIUM
Use of Hard-coded Password vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthenticated attacker to obtain a hard-coded password and access to the module via FTP.
CVE-2023-29064 2 Bd, Hp 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 2026-06-17 N/A 4.1 MEDIUM
The FACSChorus software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts.
CVE-2023-28937 1 Saison 1 Dataspider Servista 2026-06-17 N/A 8.8 HIGH
DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users. If an attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, the attacker may perform operations with the user privilege encrypted in the file. Note that DataSpider Servista and some of the OEM products are affected by this vulnerability. For the details of affected products and versions, refer to the information listed in [References].
CVE-2023-28897 1 Skoda-auto 2 Superb 3, Superb 3 Firmware 2026-06-17 N/A 4.0 MEDIUM
The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware. Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.
CVE-2023-28895 1 Preh 2 Mib3, Mib3 Firmware 2026-06-17 N/A 3.5 LOW
The password for access to the debugging console of the PoWer Controller chip (PWC) of the MIB3 infotainment is hard-coded in the firmware. The console allows attackers with physical access to the MIB3 unit to gain full control over the PWC chip. Vulnerability found on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.
CVE-2023-28654 1 Propumpservice 2 Osprey Pump Controller, Osprey Pump Controller Firmware 2026-06-17 N/A 9.8 CRITICAL
Osprey Pump Controller version 1.01 has a hidden administrative account that has the hardcoded password that allows full access to the web management interface configuration. The user is not visible in Usernames and Passwords menu list of the application and the password cannot be changed through any normal operation of the device.
CVE-2023-28387 1 Uzabase 1 Newspicks 2026-06-17 N/A 5.5 MEDIUM
"NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service.
CVE-2023-27921 1 Jins 2 Jins Meme, Jins Meme Firmware 2026-06-17 N/A 6.5 MEDIUM
JINS MEME CORE Firmware version 2.2.0 and earlier uses a hard-coded cryptographic key, which may lead to data acquired by a sensor of the affected product being decrypted by a network-adjacent attacker.