Export limit exceeded: 334365 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (1611 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6950 | 1 Moxa | 7 Edf-g1002-bp, Edr-8010, Edr-g9010 and 4 more | 2025-10-21 | N/A |
| An Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems. | ||||
| CVE-2025-56749 | 1 Creativeitem | 1 Academy Lms | 2025-10-21 | 9.4 Critical |
| Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account. | ||||
| CVE-2025-36087 | 1 Ibm | 3 Security Verify Access, Security Verify Access Docker, Verify Identity Access | 2025-10-20 | 8.1 High |
| IBM Security Verify Access 10.0.0 through 10.0.9, 11.0.0, IBM Verify Identity Access Container 10.0.0 through 10.0.9, and 11.0.0, under certain configurations, contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | ||||
| CVE-2025-10850 | 1 Wordpress | 1 Wordpress | 2025-10-20 | 9.8 Critical |
| The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password. | ||||
| CVE-2025-61926 | 1 Allstar | 1 Reviewbot | 2025-10-16 | N/A |
| Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into the Allstar binary and could not be configured at runtime. In practice, this meant that every deployment using Reviewbot would validate requests with the same secret unless the operator modified source code and rebuilt the component - an expectation that is not documented and is easy to miss. All Allstar releases prior to v4.5 that include the Reviewbot code path are affected. Deployments on v4.5 and later are not affected. Those who have not enabled or exposed the Reviewbot endpoint are not exposed to this issue. | ||||
| CVE-2025-57434 | 1 Creacast | 1 Creabox Manager | 2025-10-14 | 8.8 High |
| Creacast Creabox Manager contains a critical authentication flaw that allows an attacker to bypass login validation. The system grants access when the username is creabox and the password begins with the string creacast, regardless of what follows. | ||||
| CVE-2024-0949 | 1 Talya Informatics | 1 Elektraweb | 2025-10-14 | 9.8 Critical |
| Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass.This issue affects Elektraweb: before v17.0.68. | ||||
| CVE-2025-45813 | 1 Enensys | 2 Ipguardv2, Ipguardv2 Firmware | 2025-10-10 | 9.8 Critical |
| ENENSYS IPGuard v2 2.10.0 was discovered to contain hardcoded credentials. | ||||
| CVE-2025-31953 | 1 Hcltech | 1 Dryice Iautomate | 2025-10-10 | 7.1 High |
| HCL iAutomate includes hardcoded credentials which may result in potential exposure of confidential data if intercepted or accessed by unauthorized parties. | ||||
| CVE-2023-36013 | 1 Microsoft | 1 Powershell | 2025-10-09 | 6.5 Medium |
| PowerShell Information Disclosure Vulnerability | ||||
| CVE-2025-58385 | 1 Doxense | 1 Watchdoc | 2025-10-07 | 7.1 High |
| In DOXENSE WATCHDOC before 6.1.0.5094, private user puk codes can be disclosed for Active Directory registered users (there is hard-coded and predictable data). | ||||
| CVE-2024-4996 | 2025-10-07 | 9.8 Critical | ||
| Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is same among all Wapro ERP installations. This issue affects Wapro ERP Desktop versions before 8.90.0. | ||||
| CVE-2024-1228 | 2 Eurosoft, Eurosoftsp.zo.o | 2 Przychodnia, Eurosoft Przychodina | 2025-10-07 | 9.8 Critical |
| Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Eurosoft Przychodnia installations. This issue affects Eurosoft Przychodnia software before version 20240417.001 (from that version vulnerability is fixed). | ||||
| CVE-2025-56466 | 2 Google, Masterlifecrm | 2 Android, Dietly | 2025-10-06 | 7.5 High |
| Hardcoded credentials in Dietly v1.25.0 for android allows attackers to gain sensitive information. | ||||
| CVE-2025-10609 | 1 Logo Software | 1 Tigerwings Erp | 2025-10-06 | 5.9 Medium |
| Use of Hard-coded Credentials vulnerability in Logo Software Inc. TigerWings ERP allows Read Sensitive Constants Within an Executable.This issue affects TigerWings ERP: from 01.01.00 before 3.03.00. | ||||
| CVE-2024-3700 | 1 Estomed | 1 Simple Care | 2025-10-03 | 9.8 Critical |
| Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Simple Care software installations. This issue affects Estomed Sp. z o.o. Simple Care software in all versions. The software is no longer supported. | ||||
| CVE-2024-3699 | 1 Dreryk | 1 Gabinet | 2025-10-03 | 9.8 Critical |
| Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all drEryk Gabinet installations.This issue affects drEryk Gabinet software versions from 7.0.0.0 through 9.17.0.0. | ||||
| CVE-2025-0642 | 1 Poscube | 1 Assist | 2025-10-03 | 6.3 Medium |
| Use of Hard-coded Credentials, Authorization Bypass Through User-Controlled Key vulnerability in PosCube Hardware Software and Consulting Ltd. Co. Assist allows Excavation, Authentication Bypass.This issue affects Assist: through 10.02.2025. | ||||
| CVE-2025-57579 | 1 Totolink | 2 X2000r, X2000r Firmware | 2025-10-02 | 8 High |
| An issue in TOTOLINK Wi-Fi 6 Router Series Device X2000R-Gh-V2.0.0 allows a remote attacker to execute arbitrary code via the default password | ||||
| CVE-2025-7079 | 1 Mao888 | 1 Bluebell-plus | 2025-10-01 | 3.7 Low |
| A vulnerability, which was classified as problematic, has been found in mao888 bluebell-plus up to 2.3.0. This issue affects some unknown processing of the file bluebell_backend/pkg/jwt/jwt.go of the component JWT Token Handler. The manipulation of the argument mySecret with the input bluebell-plus leads to use of hard-coded password. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | ||||