Total
272 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-40464 | 1 Sierrawireless | 8 Aleos, Es450, Gx450 and 5 more | 2026-02-25 | 8.1 High |
| Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man in the middle attack between the ACEManager client and ACEManager server. | ||||
| CVE-2023-44318 | 1 Siemens | 142 6ag1206-2bb00-7ac2, 6ag1206-2bb00-7ac2 Firmware, 6ag1206-2bs00-7ac2 and 139 more | 2026-02-25 | 4.9 Medium |
| Affected devices use a hardcoded key to obfuscate the configuration backup that an administrator can export from the device. This could allow an authenticated attacker with administrative privileges or an attacker that obtains a configuration backup to extract configuration information from the exported file. | ||||
| CVE-2025-11609 | 2 Code-projects, Fabian | 2 Hospital Management System, Hospital Management System | 2026-02-24 | 3.7 Low |
| A flaw has been found in code-projects Hospital Management System 1.0. Affected is the function session of the component express-session. This manipulation of the argument secret with the input secret causes use of hard-coded cryptographic key . The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been published and may be used. | ||||
| CVE-2025-11290 | 1 Crmeb | 1 Crmeb | 2026-02-24 | 5.6 Medium |
| A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12615 | 1 Phpgurukul | 1 News Portal | 2026-02-24 | 5 Medium |
| A security vulnerability has been detected in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /onps/settings.py. Such manipulation of the argument SECRET_KEY leads to use of hard-coded cryptographic key . The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-15005 | 1 Couchcms | 1 Couchcms | 2026-02-24 | 3.7 Low |
| A security flaw has been discovered in CouchCMS up to 2.4. Affected is an unknown function of the file couch/config.example.php of the component reCAPTCHA Handler. The manipulation of the argument K_RECAPTCHA_SITE_KEY/K_RECAPTCHA_SECRET_KEY results in use of hard-coded cryptographic key . It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2024-54855 | 1 Fabricators | 2 Vanilla Os 2 Core Image, Vanilla Os Core Image | 2026-02-10 | 6.4 Medium |
| fabricators Ltd Vanilla OS 2 Core image v1.1.0 was discovered to contain static keys for the SSH service, allowing attackers to possibly execute a man-in-the-middle attack during connections with other hosts. | ||||
| CVE-2025-58740 | 2 Microsoft, Milner | 2 Windows, Imagedirector Capture | 2026-02-10 | 5.5 Medium |
| The use of a hard-coded encryption key in calls to the Password function in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows a local attacker to decrypt database credentials by reading the cryptographic key from the executable. This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. | ||||
| CVE-2025-62581 | 2 Delta Electronics, Deltaww | 2 Diaview, Diaview | 2026-01-20 | 9.8 Critical |
| Delta Electronics DIAView has multiple vulnerabilities. | ||||
| CVE-2025-38741 | 1 Dell | 1 Enterprise Sonic Os | 2026-01-14 | 7.5 High |
| Dell Enterprise SONiC OS, version 4.5.0, contains a cryptographic key vulnerability in SSH. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to unauthorized access to communication. | ||||
| CVE-2025-52601 | 1 Hanwhavision | 513 Device Manager, Knb-2000, Knb-2000 Firmware and 510 more | 2026-01-07 | 7.5 High |
| Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in Device Manager that a hardcoded encryption key for sensitive information. An attacker can use key to decrypt sensitive information. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. | ||||
| CVE-2025-63289 | 2 Google, Sogexia | 3 Android, Android App, Sogexia | 2026-01-05 | 9.1 Critical |
| Sogexia Android App Compile Affected SDK v35, Max SDK 32 and fixed in v36, was discovered to contain hardcoded encryption keys in the encryption_helper.dart file | ||||
| CVE-2025-68948 | 2 B3log, Siyuan | 2 Siyuan, Siyuan | 2026-01-02 | 8.1 High |
| SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode is stored within the session cookie, an attacker who intercepts or obtains a user's encrypted session cookie (e.g., via session hijacking) can locally decrypt it using the public key. Once decrypted, the attacker can retrieve the AccessAuthCode in plain text and use it to authenticate or take over the session. | ||||
| CVE-2025-8759 | 2 Lighttpd, Trendnet | 3 Lighttpd, Tn-200, Tn-200 Firmware | 2026-01-02 | 3.7 Low |
| A vulnerability was found in TRENDnet TN-200 1.02b02. It has been declared as problematic. This vulnerability affects unknown code of the component Lighttpd. The manipulation of the argument secdownload.secret with the input neV3rUseMe leads to use of hard-coded cryptographic key . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15107 | 2 Actionsky, Actiontech | 2 Sqle, Sqle | 2025-12-31 | 3.7 Low |
| A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release. | ||||
| CVE-2025-15105 | 2 Getmaxun, Maxun | 2 Maxun, Maxun | 2025-12-31 | 3.7 Low |
| A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15016 | 1 Ragic | 1 Enterprise Cloud Database | 2025-12-23 | 9.8 Critical |
| Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information and log into the system as any user. | ||||
| CVE-2025-54947 | 1 Apache | 1 Streampark | 2025-12-15 | 5.3 Medium |
| In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. | ||||
| CVE-2024-1631 | 1 Dfinity | 1 Icp-js-core | 2025-12-10 | 9.1 Critical |
| Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation. Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. | ||||
| CVE-2025-11781 | 2 Circutor, Sge-plc1000 Sge-plc50 | 5 Sge-plc1000, Sge-plc1000 Firmware, Sge-plc50 and 2 more | 2025-12-03 | 7.8 High |
| Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The affected firmware contains a hardcoded static authentication key. An attacker with local access to the device can extract this key (e.g., by analysing the firmware image or memory dump) and create valid firmware update packages. This bypasses all intended access controls and grants full administrative privileges. | ||||