Total
1634 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-27168 | | | 2026-04-15 | N/A | 7.1 HIGH |
| It appears that some hardcoded keys are used for authentication to internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for the affected products/models/versions, see the reference URL. | | | | | |
| CVE-2024-4996 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is the same among all Wapro ERP installations. This issue affects Wapro ERP Desktop versions before 8.90.0. | | | | | |
| CVE-2024-28747 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges. | | | | | |
| CVE-2024-39208 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| luci-app-lucky v2.8.3 was discovered to contain hardcoded credentials. | | | | | |
| CVE-2019-25291 | | | 2026-04-15 | N/A | 7.5 HIGH |
| INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. Attackers can exploit these persistent credentials to log in and gain unauthorized system access across multiple SmartLiving device models. | | | | | |
| CVE-2025-57602 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| Insufficient hardening of the proxyuser account in the AiKaan IoT management platform, combined with the use of a shared, hardcoded SSH private key, allows remote attackers to authenticate to the cloud controller, gain interactive shell access, and pivot into other connected IoT devices. This can lead to remote code execution, information disclosure, and privilege escalation across customer environments. | | | | | |
| CVE-2023-49224 | | | 2026-04-15 | N/A | 8.0 HIGH |
| Precor touchscreen console P62, P80, and P82 contains a default SSH public key in the authorized_keys file. A remote attacker could use this key to gain root privileges. | | | | | |
| CVE-2025-53842 | | | 2026-04-15 | N/A | 4.5 MEDIUM |
| Use of hard-coded credentials issue exists in ZWX-2000CSW2-HN prior to 0.3.19 and ZWX-2000CS2-HN firmware all versions. If this vulnerability is exploited, an attacker may tamper with the settings of the device by obtaining the credentials. This vulnerability is caused by an insufficient fix for CVE-2024-39838. | | | | | |
| CVE-2025-8857 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| Clinic Image System developed by Changing contains hard-coded credentials, allowing unauthenticated remote attackers to log into the system using administrator credentials embedded in the source code. | | | | | |
| CVE-2025-25570 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| Vue Vben Admin 2.10.1 allows unauthorized login to the backend due to an issue with hardcoded credentials. | | | | | |
| CVE-2025-46273 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to gain administrative privileges to all UNI-NMS managed devices. | | | | | |
| CVE-2025-57577 | | | 2026-04-15 | N/A | 8.0 HIGH |
| An issue in H3C Device R365V300R004 allows a remote attacker to execute arbitrary code via the default password. NOTE: the Supplier's position is that their "product lines enforce or clearly prompt users to change any initial credentials upon first use. At most, this would be a case of misconfiguration if an administrator deliberately ignored the prompts, which is outside the scope of CVE definitions." | | | | | |
| CVE-2024-48971 | | | 2026-04-15 | N/A | 9.3 CRITICAL |
| The Clinician Password and Serial Number Clinician Password are hard-coded into the ventilator in plaintext form. This could allow an attacker to obtain the password off the ventilator and use it to gain unauthorized access to the device, with clinician privileges. | | | | | |
| CVE-2025-60639 | | | 2026-04-15 | N/A | 6.5 MEDIUM |
| Hardcoded credentials in gsigel14 ATLAS-EPIC commit f29312c (2025-05-26). | | | | | |
| CVE-2024-50593 | | | 2026-04-15 | N/A | 7.8 HIGH |
| An attacker with local access to the medical office computer can access restricted functions of the Elefant Service tool by using a hard-coded "Hotline" password in the Elefant service binary, which is shipped with the software. | | | | | |
| CVE-2017-20214 | | | 2026-04-15 | N/A | 7.5 HIGH |
| FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system. | | | | | |
| CVE-2024-0949 | | | 2026-04-15 | N/A | 9.8 CRITICAL |
| Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affects Elektraweb: before v17.0.68. | | | | | |
| CVE-2025-6950 | | | 2026-04-15 | N/A | N/A |
| A Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems. | | | | | |
| CVE-2024-7206 | | | 2026-04-15 | N/A | N/A |
| SSL pinning bypass in some eWeLink hardware products allows a local attacker to decrypt TLS communication and extract secrets to clone the device by flashing modified firmware. | | | | | |
| CVE-2024-5810 | | | 2026-04-15 | N/A | 5.3 MEDIUM |
| The WP2Speed Faster – Optimize PageSpeed Insights Score 90-100 plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.1. This is due to the use of hardcoded credentials to authenticate all the incoming API requests. This makes it possible for unauthenticated attackers to overwrite CSS, update the trial settings, purge the cache, and find attachments. | | | | | |
