Search Results (1732 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-8893 2026-04-15 7.3 High
Use of Hard-coded Credentials vulnerability in GoodWe Technologies Co., Ltd. GW1500‑XS allows anyone in physical proximity to the device to fully access the web interface of the inverter via Wi‑Fi.This issue affects GW1500‑XS: 1.1.2.1.
CVE-2025-57602 1 Aikaan 1 Iot Management Platform 2026-04-15 9.8 Critical
Insufficient hardening of the proxyuser account in the AiKaan IoT management platform, combined with the use of a shared, hardcoded SSH private key, allows remote attackers to authenticate to the cloud controller, gain interactive shell access, and pivot into other connected IoT devices. This can lead to remote code execution, information disclosure, and privilege escalation across customer environments.
CVE-2025-46273 2026-04-15 9.8 Critical
UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to gain administrative privileges to all UNI-NMS managed devices.
CVE-2023-20512 2026-04-15 1.9 Low
A hardcoded AES key in PMFW may result in a privileged attacker gaining access to the key, potentially resulting in internal debug information leakage.
CVE-2024-5810 1 Wp2speed 1 Wp2speed 2026-04-15 5.3 Medium
The WP2Speed Faster – Optimize PageSpeed Insights Score 90-100 plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.1. This is due to the use of hardcoded credentials to authenticate all the incoming API requests. This makes it possible for unauthenticated attackers to overwrite CSS, update the trial settings, purge the cache, and find attachments.
CVE-2025-3426 1 Philips 1 Intellispace Portal 2026-04-15 N/A
We observed that Intellispace Portal binaries doesn’t have any protection mechanisms to prevent reverse engineering. Specifically, the app’s code is not obfuscated, and no measures are in place to protect against decompilation, disassembly, or debugging. As a result, attackers can reverse-engineer the application to gain insights into its internal workings, which can potentially lead to the discovery of sensitive information, business logic flaws, and other vulnerabilities. Utilizing this flaw, the attacker was able to identify the Hardcoded credentials from PortalUsersDatabase.dll, which contains .NET remoting definition. Inside the namespace PortalUsersDatabase, the class Users contains the functions CreateAdmin and CreateService that are used to initialize accounts in the Portal service. Both CreateAdmin and CreateService functions contain a hardcoded encrypted password along with its respective salt that are set with the function SetInitialPasswordAndSalt. This issue affects IntelliSpace Portal: 12 and prior; Advanced Visualization Workspace: 15.
CVE-2025-53842 2026-04-15 N/A
Use of hard-coded credentials issue exists in ZWX-2000CSW2-HN prior to 0.3.19 and ZWX-2000CS2-HN firmware all versions. If this vulnerability is exploited, an attacker may tamper with the settings of the device by obtaining the credentials. This vulnerability is caused by an insufficient fix for CVE-2024-39838.
CVE-2025-23179 2026-04-15 5.5 Medium
CWE-798: Use of Hard-coded Credentials
CVE-2017-20214 1 Flir 1 Thermal Camera 2026-04-15 7.5 High
FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system.
CVE-2025-48414 2026-04-15 6.5 Medium
There are several scripts in the web interface that are accessible via undocumented hard-coded credentials. The scripts provide access to additional administrative/debug functionality and are likely intended for debugging during development and provides an additional attack surface.
CVE-2024-54750 1 Ui 1 U6-lr Firmware 2026-04-15 9.8 Critical
Ubiquiti U6-LR 6.6.65 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. NOTE: In Ubiquiti's view there is no vulnerability as the Hardcoded Password should be after setup not before.
CVE-2025-41722 1 Sauter 2 Ey-modulo 5 Devices, Modulo 6 Devices 2026-04-15 7.5 High
The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices.
CVE-2025-55279 2026-04-15 N/A
This vulnerability exists in ZKTeco WL20 due to hard-coded private key stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve private key stored in the firmware of the targeted device. Successful exploitation of this vulnerability could allow the attacker to perform unauthorized decryption of sensitive data and Man-in-the-Middle (MitM) attacks on the targeted device.
CVE-2024-45832 2026-04-15 4.3 Medium
Hard-coded credentials were included as part of the application binary. These credentials served as part of the application authentication flow and communication with the mobile application. An attacker could access unauthorized information.
CVE-2024-53484 1 Ever 1 Traduora 2026-04-15 8.8 High
Ever Traduora 0.20.0 and below is vulnerable to Privilege Escalation due to the use of a hard-coded JWT signing key.
CVE-2025-4633 2026-04-15 6.5 Medium
Default credentials were present in the web portal for Airpointer 2.4.107-2, allowing an unauthenticated malicious actor to log in via the web portal
CVE-2025-2394 2026-04-15 N/A
Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.
CVE-2025-51606 2026-04-15 8.8 High
hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs.
CVE-2021-47796 1 Denver 1 Smart Wifi Camera 2026-04-15 9.8 Critical
Denver SHC-150 Smart Wifi Camera contains a hardcoded telnet credential vulnerability that allows unauthenticated attackers to access a Linux shell. Attackers can connect to port 23 using the default credential to execute arbitrary commands on the camera's operating system.
CVE-2024-36556 2026-04-15 9.1 Critical
Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h, and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a Hardcoded password vulnerability.