Total
1530 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-41722 | 1 Sauter | 2 Ey-modulo 5 Devices, Modulo 6 Devices | 2025-10-23 | 7.5 High |
| The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices. | ||||
| CVE-2025-47730 | 1 Smarsh | 1 Telemessage | 2025-10-22 | 4.8 Medium |
| The TeleMessage archiving backend through 2025-05-05 accepts API calls (to request an authentication token) from the TM SGNL (aka Archive Signal) app with the credentials of logfile for the user and enRR8UVVywXYbFkqU#QDPRkO for the password. | ||||
| CVE-2021-44207 | 1 Acclaimsystems | 1 Usaherds | 2025-10-22 | 8.1 High |
| Acclaim USAHERDS through 7.4.0.1 uses hard-coded credentials. | ||||
| CVE-2020-8657 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2025-10-22 | 9.8 Critical |
| An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token. | ||||
| CVE-2025-60639 | 2025-10-21 | 6.5 Medium | ||
| Hardcoded credentials in gsigel14 ATLAS-EPIC commit f29312c (2025-05-26). | ||||
| CVE-2025-6950 | 1 Moxa | 7 Edf-g1002-bp, Edr-8010, Edr-g9010 and 4 more | 2025-10-21 | N/A |
| An Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems. | ||||
| CVE-2025-56749 | 1 Creativeitem | 1 Academy Lms | 2025-10-21 | 9.4 Critical |
| Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account. | ||||
| CVE-2025-9806 | 1 Tenda | 2 F1202, Fh1202 Firmware | 2025-10-21 | 1.9 Low |
| A vulnerability was determined in Tenda F1202 1.2.0.9/1.2.0.14/1.2.0.20. Impacted is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. This manipulation with the input Fireitup causes hard-coded credentials. The attack can only be executed locally. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-36087 | 1 Ibm | 3 Security Verify Access, Security Verify Access Docker, Verify Identity Access | 2025-10-20 | 8.1 High |
| IBM Security Verify Access 10.0.0 through 10.0.9, 11.0.0, IBM Verify Identity Access Container 10.0.0 through 10.0.9, and 11.0.0, under certain configurations, contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | ||||
| CVE-2025-10850 | 1 Wordpress | 1 Wordpress | 2025-10-20 | 9.8 Critical |
| The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password. | ||||
| CVE-2025-61926 | 1 Allstar | 1 Reviewbot | 2025-10-16 | N/A |
| Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into the Allstar binary and could not be configured at runtime. In practice, this meant that every deployment using Reviewbot would validate requests with the same secret unless the operator modified source code and rebuilt the component - an expectation that is not documented and is easy to miss. All Allstar releases prior to v4.5 that include the Reviewbot code path are affected. Deployments on v4.5 and later are not affected. Those who have not enabled or exposed the Reviewbot endpoint are not exposed to this issue. | ||||
| CVE-2025-34196 | 2 Microsoft, Vasion | 4 Windows, Print Application, Virtual Appliance Application and 1 more | 2025-10-16 | 9.8 Critical |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application prior to 25.1.1413 (Windows client deployments) contain a hardcoded private key for the PrinterLogic Certificate Authority (CA) and a hardcoded password in product configuration files. The Windows client ships the CA certificate and its associated private key (and other sensitive settings such as a configured password) directly in shipped configuration files (for example clientsettings.dat and defaults.ini). An attacker who obtains these files can impersonate the CA, sign arbitrary certificates trusted by the Windows client, intercept or decrypt TLS-protected communications, and otherwise perform man-in-the-middle or impersonation attacks against the product's network communications. This vulnerability has been identified by the vendor as: V-2022-001 — Configuration File Contains CA & Private Key. | ||||
| CVE-2025-57434 | 1 Creacast | 1 Creabox Manager | 2025-10-14 | 8.8 High |
| Creacast Creabox Manager contains a critical authentication flaw that allows an attacker to bypass login validation. The system grants access when the username is creabox and the password begins with the string creacast, regardless of what follows. | ||||
| CVE-2024-0949 | 1 Talya Informatics | 1 Elektraweb | 2025-10-14 | 9.8 Critical |
| Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass.This issue affects Elektraweb: before v17.0.68. | ||||
| CVE-2025-45813 | 1 Enensys | 2 Ipguardv2, Ipguardv2 Firmware | 2025-10-10 | 9.8 Critical |
| ENENSYS IPGuard v2 2.10.0 was discovered to contain hardcoded credentials. | ||||
| CVE-2025-31953 | 1 Hcltech | 1 Dryice Iautomate | 2025-10-10 | 7.1 High |
| HCL iAutomate includes hardcoded credentials which may result in potential exposure of confidential data if intercepted or accessed by unauthorized parties. | ||||
| CVE-2025-34223 | 1 Vasion | 2 Virtual Appliance Application, Virtual Appliance Host | 2025-10-09 | 9.8 Critical |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) contain a default admin account and an installation‑time endpoint at `/admin/query/update_database.php` that can be accessed without authentication. An attacker who can reach the installation web interface can POST arbitrary `root_user` and `root_password` values, causing the script to replace the default admin credentials with attacker‑controlled ones. The script also contains hard‑coded SHA‑512 and SHA‑1 hashes of the default password, allowing the attacker to bypass password‑policy validation. As a result, an unauthenticated remote attacker can obtain full administrative control of the system during the initial setup. This vulnerability has been identified by the vendor as: V-2024-022 — Insecure Installation Credentials. | ||||
| CVE-2023-36013 | 1 Microsoft | 1 Powershell | 2025-10-09 | 6.5 Medium |
| PowerShell Information Disclosure Vulnerability | ||||
| CVE-2025-58385 | 1 Doxense | 1 Watchdoc | 2025-10-07 | 7.1 High |
| In DOXENSE WATCHDOC before 6.1.0.5094, private user puk codes can be disclosed for Active Directory registered users (there is hard-coded and predictable data). | ||||
| CVE-2024-4996 | 2025-10-07 | 9.8 Critical | ||
| Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is same among all Wapro ERP installations. This issue affects Wapro ERP Desktop versions before 8.90.0. | ||||