Total
1662 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-37111 | 1 Hpe | 1 Telco Network Function Virtual Orchestrator | 2026-04-15 | 6 Medium |
| A vulnerability was discovered in the storage policy for certain sets of authentication keys in the HPE Telco Network Function Virtual Orchestrator. Successful Exploitation could lead to unauthorized parties gaining access to sensitive system information. | ||||
| CVE-2025-64766 | 2 Nixos, Onlyoffice | 2 Nixos, Onlyoffice | 2026-04-15 | 5.3 Medium |
| NixOS's Onlyoffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before Unstable 25.11, a hard-coded secret was used in the NixOS module for the OnlyOffice document server to protect its file cache. An attacker with knowledge of an existing revision ID could use this secret to obtain a document. In practice, an arbitrary revision ID should be hard to obtain. The primary impact is likely the access to known documents from users with expired access. This issue was resolved in NixOS unstable version 25.11 and version 25.05. | ||||
| CVE-2025-42890 | 1 Sap | 1 Sql Anywhere | 2026-04-15 | 10 Critical |
| SQL Anywhere Monitor (Non-GUI) baked credentials into the code,exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution.This could cause high impact on confidentiality integrity and availability of the system. | ||||
| CVE-2014-125115 | 3 Artica, Pandora Fms, Pandorafms | 3 Pandora Fms, Pandora Fms, Pandora Fms | 2026-04-15 | N/A |
| An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution. | ||||
| CVE-2018-25126 | 1 Tvt | 1 Nvms-9000 Firmware | 2026-04-15 | N/A |
| Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachable in some models through a proprietary TCP service on port 4567 that accepts a magic GUID preface and base64-encoded XML, enabling the same command injection sink. Firmware releases from mid-February 2018 and later are reported to have addressed this issue. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-28 UTC. | ||||
| CVE-2024-33329 | 1 Lumis | 1 Lumis Experience Platform | 2026-04-15 | 7.5 High |
| A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information. | ||||
| CVE-2025-57602 | 1 Aikaan | 1 Iot Management Platform | 2026-04-15 | 9.8 Critical |
| Insufficient hardening of the proxyuser account in the AiKaan IoT management platform, combined with the use of a shared, hardcoded SSH private key, allows remote attackers to authenticate to the cloud controller, gain interactive shell access, and pivot into other connected IoT devices. This can lead to remote code execution, information disclosure, and privilege escalation across customer environments. | ||||
| CVE-2024-55557 | 2026-04-15 | 9.8 Critical | ||
| ui/pref/ProxyPrefView.java in weasis-core in Weasis 4.5.1 has a hardcoded key for symmetric encryption of proxy credentials. | ||||
| CVE-2025-2394 | 2026-04-15 | N/A | ||
| Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure. | ||||
| CVE-2025-57601 | 1 Aikaan | 1 Cloud Controller | 2026-04-15 | 9.8 Critical |
| AiKaan Cloud Controller uses a single hardcoded SSH private key and the username `proxyuser` for remote terminal access to all managed IoT/edge devices. When an administrator initiates "Open Remote Terminal" from the AiKaan dashboard, the controller sends this same static private key to the target device. The device then uses it to establish a reverse SSH tunnel to a remote access server, enabling browser-based SSH access for the administrator. Because the same `proxyuser` account and SSH key are reused across all customer environments: - An attacker who obtains the key (e.g., by intercepting it in transit, extracting it from the remote access server, or from a compromised admin account) can impersonate any managed device. - They can establish unauthorized reverse SSH tunnels and interact with devices without the owner's consent. This is a design flaw in the authentication model: compromise of a single key compromises the trust boundary between the controller and devices. | ||||
| CVE-2024-39208 | 1 Luciapplucky | 1 Luci-app-lucky | 2026-04-15 | 9.8 Critical |
| luci-app-lucky v2.8.3 was discovered to contain hardcoded credentials. | ||||
| CVE-2014-125121 | 1 Arraynetworks | 2 Vapv, Vxag | 2026-04-15 | N/A |
| Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise. | ||||
| CVE-2025-46352 | 2026-04-15 | 9.8 Critical | ||
| The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the binary responsible for running VNC. This password cannot be altered, allowing anyone with knowledge of it to gain remote access to the panel. Such access could enable an attacker to operate the panel remotely, potentially putting the fire panel into a non-functional state and causing serious safety issues. | ||||
| CVE-2025-8570 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 3.0.1. This makes it possible for unauthenticated attackers to craft valid tokens and assume any user’s identity. | ||||
| CVE-2025-10609 | 1 Logo Software | 1 Tigerwings Erp | 2026-04-15 | 5.9 Medium |
| Use of Hard-coded Credentials vulnerability in Logo Software Inc. TigerWings ERP allows Read Sensitive Constants Within an Executable.This issue affects TigerWings ERP: from 01.01.00 before 3.03.00. | ||||
| CVE-2025-4378 | 2026-04-15 | 10 Critical | ||
| Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentication Abuse, Authentication Bypass.This issue affects ATA-AOF Mobile Application: before 20.06.2025. | ||||
| CVE-2023-26566 | 1 Sangoma | 1 Freepbx | 2026-04-15 | 8.6 High |
| Sangoma FreePBX 1805 through 2203 on Linux contains hardcoded credentials for the Asterisk REST Interface (ARI), which allows remote attackers to reconfigure Asterisk and make external and internal calls via HTTP and WebSocket requests sent to the API. | ||||
| CVE-2024-10025 | 1 Sick | 52 Clv620 Firmware, Clv621 Firmware, Clv622 Firmware and 49 more | 2026-04-15 | 9.1 Critical |
| A vulnerability in the .sdd file allows an attacker to read default passwords stored in plain text within the code. By exploiting these plaintext credentials, an attacker can log into affected SICK products as an “Authorized Client” if the customer has not changed the default password. | ||||
| CVE-2023-49222 | 2026-04-15 | 8.8 High | ||
| Precor touchscreen console P82 contains a private SSH key that corresponds to a default public key. A remote attacker could exploit this to gain root privileges. | ||||
| CVE-2021-47796 | 1 Denver | 1 Smart Wifi Camera | 2026-04-15 | 9.8 Critical |
| Denver SHC-150 Smart Wifi Camera contains a hardcoded telnet credential vulnerability that allows unauthenticated attackers to access a Linux shell. Attackers can connect to port 23 using the default credential to execute arbitrary commands on the camera's operating system. | ||||