Total
1398 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-32145 | 1 Dlink | 4 Dap-1360, Dap-1360 Firmware, Dap-2020 and 1 more | 2025-05-16 | N/A | 8.8 HIGH |
D-Link DAP-1360 Hardcoded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1360 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of login requests to the web-based user interface. The firmware contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication on the system. . Was ZDI-CAN-18455. | |||||
CVE-2023-38995 | 1 Schuhfried | 1 Schuhfried | 2025-05-15 | N/A | 9.8 CRITICAL |
An issue in SCHUHFRIED v.8.22.00 allows remote attacker to obtain the database password via crafted curl command. | |||||
CVE-2022-41540 | 1 Tp-link | 2 Ax10, Ax10 Firmware | 2025-05-15 | N/A | 5.9 MEDIUM |
The web app client of TP-Link AX10v1 V1_211117 uses hard-coded cryptographic keys when communicating with the router. Attackers who are able to intercept the communications between the web client and router through a man-in-the-middle attack can then obtain the sequence key via a brute-force attack, and access sensitive information. | |||||
CVE-2024-13688 | 1 Wpase | 1 Admin And Site Enhancements | 2025-05-14 | N/A | 5.3 MEDIUM |
The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 uses a hardcoded password in its Password Protection feature, allowing attacker to bypass the protection offered via a crafted request | |||||
CVE-2023-35724 | 1 Dlink | 2 Dap-2622, Dap-2622 Firmware | 2025-05-13 | N/A | 8.8 HIGH |
D-Link DAP-2622 Telnet CLI Use of Hardcoded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2622 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CLI service, which listens on TCP port 23. The server program contains hard-coded credentials. An attacker can leverage this vulnerability to bypass authentication on the system. . Was ZDI-CAN-20050. | |||||
CVE-2022-42980 | 1 Go-admin | 1 Go-admin | 2025-05-10 | N/A | 9.8 CRITICAL |
go-admin (aka GO Admin) 2.0.12 uses the string go-admin as a production JWT key. | |||||
CVE-2022-42176 | 1 Pctechsoft | 1 Pcsecure | 2025-05-08 | N/A | 7.8 HIGH |
In PCTechSoft PCSecure V5.0.8.xw, use of Hard-coded Credentials in configuration files leads to admin panel access. | |||||
CVE-2025-47730 | 2025-05-08 | N/A | 4.8 MEDIUM | ||
The TeleMessage archiving backend through 2025-05-05 accepts API calls (to request an authentication token) from the TM SGNL (aka Archive Signal) app with the credentials of logfile for the user and enRR8UVVywXYbFkqU#QDPRkO for the password. | |||||
CVE-2025-4041 | 2025-05-07 | N/A | N/A | ||
In Optigo Networks ONS NC600 versions 4.2.1-084 through 4.7.2-330, an attacker could connect with the device's ssh server and utilize the system's components to perform OS command executions. | |||||
CVE-2022-37710 | 1 Pattersondental | 1 Eaglesoft | 2025-05-02 | N/A | 7.8 HIGH |
Patterson Dental Eaglesoft 21 has AES-256 encryption but there are two ways to obtain a keyfile: (1) keybackup.data > License > Encryption Key or (2) Eaglesoft.Server.Configuration.data > DbEncryptKeyPrimary > Encryption Key. Applicable files are encrypted with keys and salt that are hardcoded into a DLL or EXE file. | |||||
CVE-2025-23179 | 2025-05-02 | N/A | 5.5 MEDIUM | ||
CWE-798: Use of Hard-coded Credentials | |||||
CVE-2024-40410 | 1 Cybelesoft | 1 Thinfinity Workspace | 2025-05-01 | N/A | 4.8 MEDIUM |
Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain a hardcoded cryptographic key used for encryption. | |||||
CVE-2025-2765 | 2025-04-29 | N/A | 7.6 HIGH | ||
CarlinKit CPC200-CCPA Wireless Hotspot Hard-Coded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of CarlinKit CPC200-CCPA devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the wireless hotspot. The issue results from the use of hard-coded credentials. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-24349. | |||||
CVE-2025-46274 | 2025-04-29 | N/A | 9.8 CRITICAL | ||
UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to read, manipulate and create entries in the managed database. | |||||
CVE-2025-46617 | 2025-04-29 | N/A | 7.2 HIGH | ||
Quantum StorNext Web GUI API before 7.2.4 grants access to internal StorNext configuration and unauthorized modification of some software configuration parameters via undocumented user credentials. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage. | |||||
CVE-2025-46273 | 2025-04-29 | N/A | 9.8 CRITICAL | ||
UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to gain administrative privileges to all UNI-NMS managed devices. | |||||
CVE-2022-44096 | 1 Sanitization Management System Project | 1 Sanitization Management System | 2025-04-25 | N/A | 9.8 CRITICAL |
Sanitization Management System v1.0 was discovered to contain hardcoded credentials which allows attackers to escalate privileges and access the admin panel. | |||||
CVE-2022-44097 | 1 Book Store Management System Project | 1 Book Store Management System | 2025-04-24 | N/A | 9.8 CRITICAL |
Book Store Management System v1.0 was discovered to contain hardcoded credentials which allows attackers to escalate privileges and access the admin panel. | |||||
CVE-2022-38337 | 1 Mobatek | 1 Mobaxterm | 2025-04-24 | N/A | 9.1 CRITICAL |
When aborting a SFTP connection, MobaXterm before v22.1 sends a hardcoded password to the server. The server treats this as an invalid login attempt which can result in a Denial of Service (DoS) for the user if services like fail2ban are used. | |||||
CVE-2023-40236 | 1 Pexip | 1 Virtual Meeting Rooms | 2025-04-23 | N/A | 5.3 MEDIUM |
In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass. |