Total
1490 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-55047 | 2025-09-11 | N/A | 8.4 HIGH | ||
| CWE-798 Use of Hard-coded Credentials | |||||
| CVE-2025-8570 | 2025-09-11 | N/A | 9.8 CRITICAL | ||
| The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 2.1.0. This makes it possible for unauthenticated attackers to craft valid tokens and assume any user’s identity. | |||||
| CVE-2025-8974 | 1 Linlinjava | 1 Litemall | 2025-09-11 | 2.6 LOW | 3.7 LOW |
| A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java of the component JSON Web Token Handler. The manipulation of the argument SECRET with the input X-Litemall-Token leads to hard-coded credentials. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-34509 | 1 Sitecore | 4 Experience Commerce, Experience Manager, Experience Platform and 1 more | 2025-09-08 | N/A | 8.2 HIGH |
| Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP. | |||||
| CVE-2025-35451 | 2025-09-08 | N/A | 9.8 CRITICAL | ||
| PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use hard-coded, default administrative credentials. The passwords can readily be cracked. Many cameras have SSH or telnet listening on all interfaces. The passwords cannot be changed by the user, nor can the SSH or telnet service be disabled by the user. | |||||
| CVE-2025-35452 | 2025-09-08 | N/A | 9.8 CRITICAL | ||
| PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface. | |||||
| CVE-2014-9198 | 1 Schneider-electric | 5 Etg3000 Factorycast Hmi Gateway Firmware, Tsxetg3000, Tsxetg3010 and 2 more | 2025-09-05 | 10.0 HIGH | N/A |
| The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session. | |||||
| CVE-2025-9725 | 1 Cudy | 2 Lt500e, Lt500e Firmware | 2025-09-05 | 1.0 LOW | 2.5 LOW |
| A vulnerability was identified in Cudy LT500E up to 2.3.12. Affected is an unknown function of the file /squashfs-root/etc/shadow of the component Web Interface. The manipulation leads to use of hard-coded password. The attack must be carried out locally. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit is publicly available and might be used. Upgrading to version 2.3.13 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "[T]he firmware does store a default password of 'admin'. This password has been deprecated since LT500E firmware version 2.3.13 and is no longer used. The LT500E does not have an administrator password set by default; a new password (at least 8 characters ) must be manually created upon first login the web management page." | |||||
| CVE-2025-55739 | 2025-09-05 | N/A | N/A | ||
| api is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An attacker with access to the shared OAuth private key could forge JWT tokens, bypass authentication, and potentially gain full access to both REST and GraphQL APIs. Systems with the "api" module enabled, configured and previously activated by an administrator for remote inbound connections may be affected. This issue is fixed in versions 15.0.13, 16.0.15 and 17.0.3. | |||||
| CVE-2025-9731 | 1 Tenda | 2 Ac9, Ac9 Firmware | 2025-09-04 | 1.0 LOW | 2.5 LOW |
| A vulnerability was determined in Tenda AC9 15.03.05.19. The impacted element is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. This manipulation causes hard-coded credentials. It is possible to launch the attack on the local host. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-9778 | 1 Tenda | 2 W12, W12 Firmware | 2025-09-04 | 0.8 LOW | 1.9 LOW |
| A security vulnerability has been detected in Tenda W12 up to 3.0.0.6(3948). Affected is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. The manipulation leads to hard-coded credentials. An attack has to be approached locally. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-9696 | 2025-09-04 | N/A | N/A | ||
| The SunPower PVS6's BluetoothLE interface is vulnerable due to its use of hardcoded encryption parameters and publicly accessible protocol details. An attacker within Bluetooth range could exploit this vulnerability to gain full access to the device's servicing interface. This access allows the attacker to perform actions such as firmware replacement, disabling power production, modifying grid settings, creating SSH tunnels, altering firewall settings, and manipulating connected devices. | |||||
| CVE-2024-45165 | 1 Uci | 1 Idol2 | 2025-09-03 | N/A | 5.3 MEDIUM |
| An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is sent between client and server with encryption. However, the key is derived from the string "(c)2007 UCI Software GmbH B.Boll" (without quotes). The key is both static and hardcoded. With access to messages, this results in message decryption and encryption by an attacker. Thus, it enables passive and active man-in-the-middle attacks. | |||||
| CVE-2025-3831 | 1 Checkpoint | 1 Harmony Sase | 2025-09-03 | N/A | 8.1 HIGH |
| Log files uploaded during troubleshooting by the Harmony SASE agent may have been accessible to unauthorized parties. | |||||
| CVE-2025-9806 | 2025-09-02 | 0.8 LOW | 1.9 LOW | ||
| A vulnerability was determined in Tenda F1202 1.2.0.9/1.2.0.14/1.2.0.20. Impacted is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. This manipulation with the input Fireitup causes hard-coded credentials. The attack can only be executed locally. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2024-6633 | 1 Fortra | 1 Filecatalyst Workflow | 2025-08-29 | N/A | 9.8 CRITICAL |
| The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software. The HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulnerable to attack from any source that can reach the HSQLDB. | |||||
| CVE-2025-8857 | 2025-08-29 | N/A | 9.8 CRITICAL | ||
| Clinic Image System developed by Changing contains hard-coded Credentials, allowing unauthenticated remote attackers to log into the system using administrator credentials embedded in the source code. | |||||
| CVE-2024-3130 | 2025-08-27 | N/A | 5.7 MEDIUM | ||
| Hard-coded Credentials in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app | |||||
| CVE-2024-36248 | 2025-08-27 | N/A | 9.1 CRITICAL | ||
| API keys for some cloud services are hardcoded in the "main" binary. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. | |||||
| CVE-2024-35244 | 2025-08-27 | N/A | 9.1 CRITICAL | ||
| There are several hidden accounts. Some of them are intended for maintenance engineers, and with the knowledge of their passwords (e.g., by examining the coredump), these accounts can be used to re-configure the device. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. | |||||