VYPR

CWE-1391

Use of Weak Credentials

Abstraction: Class · Status: Incomplete

Description

The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.

Hierarchy (View 1000)

CVEs mapped to this weakness (35)

page 2 of 2
  • CVE-2026-47325 · Medium · Jun 3, 2026
    risk 0.45 · cvss n/a · epss 0.00

    ProjectsAndPrograms school-management-system uses predictable credentials by generating students' and teachers' passwords solely from the user's date of birth (e.g., 12072000 for 12 July 2000). The application does not require or prompt users to change the password upon first…

  • CVE-2024-42027 · Medium · Oct 7, 2024
    risk 0.44 · cvss 6.7 · epss 0.01

    The E2EE password entropy generated by Rocket.Chat Mobile prior to version 4.5.1 is insufficient, allowing attackers to crack it if they have the appropriate time and resources.

  • CVE-2024-33849 · Medium · May 28, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a Hard-coded Cryptographic Key.

  • CVE-2024-21865 · Medium · Mar 25, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    HGW BL1500HM Ver 002.001.013 and earlier contains a use-of-weak-credentials issue. A network-adjacent unauthenticated attacker may connect to the product via SSH and use a shell.

  • CVE-2024-11717 · Medium · Jan 2, 2025
    risk 0.41 · cvss n/a · epss 0.01

    Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single-use, which means that during the token expiration time an on-path attacker might…

  • CVE-2026-4377 · Medium · May 28, 2026
    risk 0.39 · cvss n/a · epss 0.00

    The Dlink DWR-X1820 router uses a weak default password generated from its IMEI number and does not require users to change it. An attacker who knows how passwords are generated can easily crack the default password if they have the device IMEI number. This issue was fixed in…

  • CVE-2026-45363 · High · May 18, 2026
    risk 0.39 · cvss n/a · epss 0.00

    `JWT.decode(token, '', true, algorithm: 'HS256')` accepts an attacker-forged token. `OpenSSL::HMAC.digest('SHA256', '', payload)` returns a valid digest under an empty key, and no `raise InvalidKeyError if key.empty?` precondition exists in the HMAC algorithm. ```…

  • CVE-2025-22936 · Medium · Feb 6, 2025
    risk 0.37 · cvss 5.7 · epss 0.00

    An issue in Smartcom Bulgaria AD Smartcom Ralink CPE/WiFi router SAM-4G1G-TT-W-VC, SAM-4F1F-TT-W-A1 allows a remote attacker to obtain sensitive information via the weak default WiFi password generation algorithm in WiFi routers.

  • CVE-2026-24449 · Medium · Feb 3, 2026
    risk 0.30 · cvss 4.6 · epss 0.00

    For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information.

  • CVE-2025-4057 · Medium · May 26, 2025
    risk 0.29 · cvss 5.5 · epss 0.00

    A flaw was found in ActiveMQ Artemis. The password generated by activemq-artemis-operator does not regenerate between separated CR dependencies.

  • CVE-2025-32471 · Low · Apr 28, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    The device’s passwords have not been adequately salted, making them vulnerable to password extraction attacks.

  • CVE-2025-1081 · Low · Feb 6, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability was found in Bharti Airtel Xstream Fiber up to 20250123. It has been rated as problematic. This issue affects some unknown processing of the component WiFi Password Handler. The manipulation leads to use of weak credentials. The attack needs to be done within the…

  • CVE-2024-7558 · Oct 2, 2024
    risk 0.00 · cvss n/a · epss 0.01

    JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the…

  • CVE-2023-37266 · Jul 17, 2023
    risk 0.00 · cvss n/a · epss 0.06

    CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs…

  • CVE-2014-7845 · Nov 24, 2014
    risk 0.00 · cvss n/a · epss 0.02

    The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack.
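Two of the patterns in this list are easy to reproduce in miniature, and doing so makes the "weak" concrete. The example below is added here and is not VYPR's code nor code from any vendor named above; every name, date range and input in it is constructed for the demonstration. The first half models a CVE-2026-47325-style scheme that derives a password from a date of birth and measures how little keyspace that leaves an offline guesser (the same arithmetic applies to IMEI- or system-information-derived defaults like CVE-2026-4377 and CVE-2026-24449, and to the undersized temporary-password space in CVE-2014-7845). The second half shows why the CVE-2026-45363 condition matters: an HMAC over an empty key is a perfectly well-formed digest, so a JWT verifier has to reject empty or short keys before it ever calls HMAC.

```python
"""Added example (not from VYPR or any listed vendor): derived-credential
keyspace and the empty-HMAC-key precondition, both with constructed inputs."""

import hashlib
import hmac
import math
import secrets
from datetime import date, timedelta
from typing import Optional, Tuple

# --- 1. Passwords derived from a public attribute (date of birth) ----------

def dob_password(dob: date) -> str:
    """The weak scheme: the birth date as DDMMYYYY (e.g. 12072000 for 12 July 2000)."""
    return dob.strftime("%d%m%Y")

def dob_candidates(first_year: int = 1920, last_year: int = 2012):
    """Every DDMMYYYY password for a plausible birth-year window (constructed range)."""
    day = date(first_year, 1, 1)
    last = date(last_year, 12, 31)
    while day <= last:
        yield dob_password(day)
        day += timedelta(days=1)

def keyspace_bits(candidates: int) -> float:
    """Upper bound on the entropy of a scheme that can emit `candidates` distinct values."""
    return math.log2(candidates)

def hash_password(password: str, salt: bytes) -> str:
    """Stand-in for the stored hash; salting does not rescue a ~34k-entry keyspace."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def crack_dob_password(stored_hash: str, salt: bytes) -> Tuple[Optional[str], int]:
    """Offline guessing against a leaked salted hash: returns (password, guesses used)."""
    guesses = 0
    for candidate in dob_candidates():
        guesses += 1
        if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
            return candidate, guesses
    return None, guesses

def demo_crack(year: int, month: int, day: int) -> Tuple[Optional[str], int]:
    """Provision a user the weak way with a fresh random salt, then crack the hash."""
    salt = secrets.token_bytes(16)
    stored = hash_password(dob_password(date(year, month, day)), salt)
    return crack_dob_password(stored, salt)

def random_initial_password() -> str:
    """The fix: a CSPRNG temporary password (128 bits), to be changed on first login."""
    return secrets.token_urlsafe(16)

# --- 2. Empty HMAC keys are still valid HMAC keys --------------------------

MIN_HS256_KEY_BYTES = 32  # RFC 7518 section 3.2: HS256 keys must be at least 256 bits

def hs256_digest_unchecked(key: bytes, signing_input: bytes) -> bytes:
    """What a library does with no key precondition: b'' is accepted by HMAC."""
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def hs256_digest(key: bytes, signing_input: bytes) -> bytes:
    """Hardened: refuse empty or short keys before computing anything."""
    if not key:
        raise ValueError("HS256 key must not be empty")
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 key shorter than 256 bits")
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def empty_key_forgery_accepted() -> bool:
    """Attacker signs with b''; an unchecked verifier whose key is also b'' agrees."""
    forged_input = b'{"alg":"HS256"}.{"sub":"admin"}'  # constructed signing input
    attacker_sig = hs256_digest_unchecked(b"", forged_input)
    server_sig = hs256_digest_unchecked(b"", forged_input)
    return hmac.compare_digest(attacker_sig, server_sig)

if __name__ == "__main__":
    total = sum(1 for _ in dob_candidates())
    print(f"DOB keyspace: {total} candidates, {keyspace_bits(total):.1f} bits")
    print("cracked:", demo_crack(2000, 7, 12))
    print("random replacement:", random_initial_password())
    print("empty-key forgery accepted by unchecked verifier:", empty_key_forgery_accepted())
    try:
        hs256_digest(b"", b"x")
    except ValueError as exc:
        print("hardened verifier rejects it:", exc)
```

The 1920 to 2012 window is a constructed assumption; any realistic window gives roughly fifteen bits, which a single core exhausts in well under a second even with a slow password hash, so the salt and hash algorithm are irrelevant to the outcome. The empty-key half is the reason the `raise InvalidKeyError if key.empty?` precondition quoted in the CVE-2026-45363 entry has to sit in front of the HMAC call rather than anywhere downstream.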