CWE-259
Use of Hard-coded Password
Description
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (77)
page 3 of 4| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-26388 | Med | 0.42 | 6.4 | 0.00 | Feb 7, 2025 | A use of hard-coded password vulnerability may allow authentication abuse.This issue affects ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 and prior; ELI 250c/BUR 250c Resting… | ||
| CVE-2024-46959 | Med | 0.42 | 6.5 | 0.00 | Sep 18, 2024 | runofast Indoor Security Camera for Baby Monitor has a default password of password for the root account. This allows access to the /stream1 URI via the rtsp:// protocol to receive the video and audio stream. | ||
| CVE-2018-8870 | Med | 0.42 | 6.4 | 0.00 | Jul 3, 2018 | Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system. | ||
| CVE-2024-28023 | — | Med | 0.37 | 5.7 | 0.00 | Jun 11, 2024 | A vulnerability exists in the message queueing mechanism that if exploited can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code. | |
| CVE-2026-6578 | — | Med | 0.36 | 5.6 | 0.00 | Apr 19, 2026 | A security flaw has been discovered in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component Setting Handler. The manipulation of the argument SECRET_KEY results in hard-coded credentials. The attack can be… | |
| CVE-2017-6039 | Med | 0.35 | 5.3 | 0.01 | Jun 2, 2017 | A Use of Hard-Coded Password issue was discovered in Phoenix Broadband PowerAgent SC3 BMS, all versions prior to v6.87. Use of a hard-coded password may allow unauthorized access to the device. | ||
| CVE-2026-11552 | Med | 0.34 | 5.3 | 0.00 | Jun 8, 2026 | A vulnerability has been found in SourceCodester Onlne Examination & Learning Management System and Syllabus-aligned Learning Management and Examination System 1.0. Affected by this issue is some unknown functionality of the file import_users.php. The manipulation of the… | ||
| CVE-2026-11515 | Med | 0.34 | 5.3 | 0.00 | Jun 8, 2026 | A vulnerability has been found in SourceCodester Barangay Resident Profiling and Information Management System 1.0. The impacted element is an unknown function of the file passsword_reset.php of the component Password Reset Handler. Such manipulation of the argument new_password… | ||
| CVE-2026-22055 | Med | 0.34 | — | 0.00 | Jun 3, 2026 | Active IQ OneCollect version 2.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations. | ||
| CVE-2026-22054 | Med | 0.34 | — | 0.00 | Jun 3, 2026 | Active IQ Config Advisor version 6.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations. | ||
| CVE-2026-4216 | Med | 0.34 | 5.3 | 0.00 | Mar 16, 2026 | A weakness has been identified in i-SENS SmartLog App up to 2.6.8 on Android. This affects an unknown function of the component air.SmartLog.android. This manipulation causes hard-coded credentials. The attack can only be executed locally. The exploit has been made available to… | ||
| CVE-2025-12676 | Med | 0.34 | 5.3 | 0.00 | Nov 5, 2025 | The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for… | ||
| CVE-2025-2342 | Med | 0.34 | 5.3 | 0.00 | Mar 16, 2025 | A vulnerability classified as critical has been found in IROAD X5 Mobile App up to 5.2.5 on Android. Affected is an unknown function of the component API Endpoint. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has… | ||
| CVE-2025-5379 | Med | 0.28 | 4.3 | 0.00 | May 31, 2025 | A vulnerability classified as critical was found in NuCom NC-WR744G 8.5.5 Build 20200530.307. This vulnerability affects unknown code of the component Console Application. The manipulation of the argument CMCCAdmin/useradmin/CUAdmin leads to hard-coded credentials. The attack… | ||
| CVE-2025-2556 | Med | 0.28 | 4.3 | 0.00 | Mar 20, 2025 | A vulnerability classified as problematic was found in Audi UTR Dashcam 2.0. Affected by this vulnerability is an unknown functionality of the component Video Stream Handler. The manipulation leads to hard-coded credentials. The attack can only be initiated within the local… | ||
| CVE-2024-2197 | Med | 0.28 | 4.3 | 0.00 | Mar 20, 2024 | The Chirp Access app contains a hard-coded password, BEACON_PASSWORD. An attacker within Bluetooth range could change configuration settings within the Bluetooth beacon, effectively disabling the application's ability to notify users when they are near a Beacon-enabled access… | ||
| CVE-2025-6139 | Low | 0.25 | 3.9 | 0.00 | Jun 16, 2025 | A vulnerability, which was classified as problematic, has been found in TOTOLINK T10 4.1.8cu.5207. Affected by this issue is some unknown functionality of the file /etc/shadow.sample. The manipulation leads to use of hard-coded password. The attack can only be initiated within… | ||
| CVE-2026-6610 | — | Low | 0.24 | 3.7 | 0.00 | Apr 20, 2026 | A vulnerability has been found in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file djangoblog/settings.py of the component Setting Handler. Such manipulation of the argument USER/PASSWORD leads to hard-coded credentials. The attack… | |
| CVE-2025-8974 | Low | 0.24 | 3.7 | 0.00 | Aug 14, 2025 | A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java of the component JSON Web Token Handler. The manipulation of the… | ||
| CVE-2025-7577 | Low | 0.24 | 3.7 | 0.00 | Jul 14, 2025 | A vulnerability was found in Teledyne FLIR FB-Series O and FLIR FH-Series ID 1.3.2.16. It has been classified as problematic. This affects an unknown part. The manipulation leads to use of hard-coded password. It is possible to initiate the attack remotely. The complexity of an… |
- risk 0.42cvss 6.4epss 0.00
A use of hard-coded password vulnerability may allow authentication abuse.This issue affects ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 and prior; ELI 250c/BUR 250c Resting…
- risk 0.42cvss 6.5epss 0.00
runofast Indoor Security Camera for Baby Monitor has a default password of password for the root account. This allows access to the /stream1 URI via the rtsp:// protocol to receive the video and audio stream.
- risk 0.42cvss 6.4epss 0.00
Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.
- risk 0.37cvss 5.7epss 0.00
A vulnerability exists in the message queueing mechanism that if exploited can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code.
- risk 0.36cvss 5.6epss 0.00
A security flaw has been discovered in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component Setting Handler. The manipulation of the argument SECRET_KEY results in hard-coded credentials. The attack can be…
- risk 0.35cvss 5.3epss 0.01
A Use of Hard-Coded Password issue was discovered in Phoenix Broadband PowerAgent SC3 BMS, all versions prior to v6.87. Use of a hard-coded password may allow unauthorized access to the device.
- risk 0.34cvss 5.3epss 0.00
A vulnerability has been found in SourceCodester Onlne Examination & Learning Management System and Syllabus-aligned Learning Management and Examination System 1.0. Affected by this issue is some unknown functionality of the file import_users.php. The manipulation of the…
- risk 0.34cvss 5.3epss 0.00
A vulnerability has been found in SourceCodester Barangay Resident Profiling and Information Management System 1.0. The impacted element is an unknown function of the file passsword_reset.php of the component Password Reset Handler. Such manipulation of the argument new_password…
- risk 0.34cvss —epss 0.00
Active IQ OneCollect version 2.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations.
- risk 0.34cvss —epss 0.00
Active IQ Config Advisor version 6.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations.
- risk 0.34cvss 5.3epss 0.00
A weakness has been identified in i-SENS SmartLog App up to 2.6.8 on Android. This affects an unknown function of the component air.SmartLog.android. This manipulation causes hard-coded credentials. The attack can only be executed locally. The exploit has been made available to…
- risk 0.34cvss 5.3epss 0.00
The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for…
- risk 0.34cvss 5.3epss 0.00
A vulnerability classified as critical has been found in IROAD X5 Mobile App up to 5.2.5 on Android. Affected is an unknown function of the component API Endpoint. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has…
- risk 0.28cvss 4.3epss 0.00
A vulnerability classified as critical was found in NuCom NC-WR744G 8.5.5 Build 20200530.307. This vulnerability affects unknown code of the component Console Application. The manipulation of the argument CMCCAdmin/useradmin/CUAdmin leads to hard-coded credentials. The attack…
- risk 0.28cvss 4.3epss 0.00
A vulnerability classified as problematic was found in Audi UTR Dashcam 2.0. Affected by this vulnerability is an unknown functionality of the component Video Stream Handler. The manipulation leads to hard-coded credentials. The attack can only be initiated within the local…
- risk 0.28cvss 4.3epss 0.00
The Chirp Access app contains a hard-coded password, BEACON_PASSWORD. An attacker within Bluetooth range could change configuration settings within the Bluetooth beacon, effectively disabling the application's ability to notify users when they are near a Beacon-enabled access…
- risk 0.25cvss 3.9epss 0.00
A vulnerability, which was classified as problematic, has been found in TOTOLINK T10 4.1.8cu.5207. Affected by this issue is some unknown functionality of the file /etc/shadow.sample. The manipulation leads to use of hard-coded password. The attack can only be initiated within…
- risk 0.24cvss 3.7epss 0.00
A vulnerability has been found in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file djangoblog/settings.py of the component Setting Handler. Such manipulation of the argument USER/PASSWORD leads to hard-coded credentials. The attack…
- risk 0.24cvss 3.7epss 0.00
A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java of the component JSON Web Token Handler. The manipulation of the…
- risk 0.24cvss 3.7epss 0.00
A vulnerability was found in Teledyne FLIR FB-Series O and FLIR FH-Series ID 1.3.2.16. It has been classified as problematic. This affects an unknown part. The manipulation leads to use of hard-coded password. It is possible to initiate the attack remotely. The complexity of an…