Total
1480 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-3130 | 1 Coolkit | 1 Ewelink App | 2025-03-12 | 5.7 Medium |
| Hard-coded Credentials in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app | ||||
| CVE-2023-26462 | 1 Thingsboard | 1 Thingsboard | 2025-03-12 | 8.1 High |
| ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source code.) | ||||
| CVE-2025-27255 | 2025-03-12 | 8 High | ||
| Use of Hard-coded Credentials vulnerability in GE Vernova EnerVista UR Setup allows Privilege Escalation. The local user database is encrypted using an hardcoded password retrievable by an attacker analyzing the application code. | ||||
| CVE-2023-22463 | 1 Fit2cloud | 1 Kubepi | 2025-03-10 | 9.8 Critical |
| KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. `session.go`, the use of hard-coded JwtSigKey, allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code. The vulnerability has been fixed in 1.6.3. In the patch, JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading. | ||||
| CVE-2023-22495 | 1 Maif | 1 Izanami | 2025-03-10 | 9.8 Critical |
| Izanami is a shared configuration service well-suited for micro-service architecture implementation. Attackers can bypass the authentication in this application when deployed using the official Docker image. Because a hard coded secret is used to sign the authentication token (JWT), an attacker could compromise another instance of Izanami. This issue has been patched in version 1.11.0. | ||||
| CVE-2023-25823 | 1 Gradio Project | 1 Gradio | 2025-03-10 | 5.4 Medium |
| Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested. | ||||
| CVE-2024-27774 | 1 Unitronics | 1 Unilogic | 2025-03-10 | 7.5 High |
| Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-259: Use of Hard-coded Password may allow disclosing Sensitive Information Embedded inside Device's Firmware | ||||
| CVE-2023-22344 | 1 Dos-osaka | 2 Rakuraku Pc Cloud Agent, Ss1 | 2025-03-06 | 9.8 Critical |
| Use of hard-coded credentials vulnerability in SS1 Ver.13.0.0.40 and earlier and Rakuraku PC Cloud Agent Ver.2.1.8 and earlier allows a remote attacker to obtain the password of the debug tool and execute it. As a result of exploiting this vulnerability with CVE-2023-22335 and CVE-2023-22336 vulnerabilities together, it may allow a remote attacker to execute an arbitrary code with SYSTEM privileges by sending a specially crafted script to the affected device. | ||||
| CVE-2023-1269 | 1 Easyappointments | 1 Easyappointments | 2025-03-05 | 9.8 Critical |
| Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0. | ||||
| CVE-2023-2061 | 1 Mitsubishielectric | 8 Fx5-enet\/ip, Fx5-enet\/ip Firmware, Rj71eip91 and 5 more | 2025-03-05 | 6.2 Medium |
| Use of Hard-coded Password vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthenticated attacker to obtain a hard-coded password and access to the module via FTP. | ||||
| CVE-2025-1393 | 2025-03-05 | 9.8 Critical | ||
| An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product. | ||||
| CVE-2025-25570 | 2025-02-28 | 9.8 Critical | ||
| Vue Vben Admin 2.10.1 allows unauthorized login to the backend due to an issue with hardcoded credentials. | ||||
| CVE-2023-26511 | 1 Propius | 1 Machineselector | 2025-02-27 | 9.8 Critical |
| A Hard Coded Admin Credentials issue in the Web-UI Admin Panel in Propius MachineSelector 6.6.0 and 6.6.1 allows remote attackers to gain access to the admin panel Propiusadmin.php, which allows taking control of the affected system. | ||||
| CVE-2023-36380 | 1 Siemens | 4 Cp-8031, Cp-8031 Firmware, Cp-8050 and 1 more | 2025-02-27 | 9.8 Critical |
| A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05.11 (only with activated debug support)), CP-8050 MASTER MODULE (All versions < CPCI85 V05.11 (only with activated debug support)). The affected devices contain a hard-coded ID in the SSH `authorized_keys` configuration file. An attacker with knowledge of the corresponding private key could login to the device via SSH. Only devices with activated debug support are affected. | ||||
| CVE-2024-9334 | 2025-02-27 | 8.2 High | ||
| Use of Hard-coded Credentials, Storage of Sensitive Data in a Mechanism without Access Control vulnerability in E-Kent Pallium Vehicle Tracking allows Authentication Bypass.This issue affects Pallium Vehicle Tracking: before 17.10.2024. | ||||
| CVE-2023-0391 | 1 Mgt-commerce | 1 Cloudpanel | 2025-02-26 | 8.1 High |
| MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. This behavior was observed in version 2.2.0. There has been no indication from the vendor this has been addressed in version 2.2.1. | ||||
| CVE-2022-22512 | 1 Varta | 16 Element Backup, Element Backup Firmware, Element S1 and 13 more | 2025-02-25 | 9.8 Critical |
| Hard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network. | ||||
| CVE-2024-28989 | 1 Solarwinds | 1 Web Help Desk | 2025-02-25 | 5.5 Medium |
| SolarWinds Web Help Desk was found to have a hardcoded cryptographic key that could allow the disclosure of sensitive information from the software. | ||||
| CVE-2023-27583 | 1 Panindex Project | 1 Panindex | 2025-02-25 | 9.8 Critical |
| PanIndex is a network disk directory index. In Panindex prior to version 3.1.3, a hard-coded JWT key `PanIndex` is used. An attacker can use the hard-coded JWT key to sign JWT token and perform any actions as a user with admin privileges. Version 3.1.3 has a patch for the issue. As a workaround, one may change the JWT key in the source code before compiling the project. | ||||
| CVE-2024-55927 | 2025-02-24 | 7.6 High | ||
| A vulnerability in Xerox Workplace Suite arises from flawed token generation and the use of hard-coded keys. These weaknesses allow attackers to predict or forge tokens, leading to unauthorized access to sensitive functions. | ||||