CWE-321
Use of Hard-coded Cryptographic Key
Description
The product uses a hard-coded, unchangeable cryptographic key.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (146)
Page 7 of 8

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-5456 | | Low | 0.21 | 3.3 | 0.00 | | Apr 3, 2026 | A vulnerability was identified in Align Technology My Invisalign App 3.12.4 on Android. The impacted element is an unknown function of the file com/aligntech/myinvisalign/BuildConfig.java of the component com.aligntech.myinvisalign.emea. The manipulation of the argument… |
| CVE-2026-5455 | | Low | 0.21 | 3.3 | 0.00 | | Apr 3, 2026 | A vulnerability was determined in Dialogue App up to 4.3.2 on Android. The affected element is an unknown function of the file res/raw/config.json of the component ca.diagram.dialogue. Executing a manipulation of the argument SEGMENT_WRITE_KEY can lead to use of hard-coded… |
| CVE-2026-5454 | | Low | 0.21 | 3.3 | 0.00 | | Apr 3, 2026 | A vulnerability was found in GRID Organiser App up to 1.0.5 on Android. Impacted is an unknown function of the file res/raw/app.json of the component co.gridapp.organiser. Performing a manipulation of the argument SegmentWriteKey results in use of hard-coded cryptographic… |
| CVE-2026-5453 | | Low | 0.21 | 3.3 | 0.00 | | Apr 3, 2026 | A vulnerability has been found in Rico só vantagem pra investir App up to 4.58.32.12421 on Android. This issue affects some unknown processing of the file br/com/rico/mobile/di/SegmentSettingsModule.java of the component br.com.rico.mobile. Such manipulation of the argument… |
| CVE-2026-5452 | | Low | 0.21 | 3.3 | 0.00 | | Apr 3, 2026 | A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android. This vulnerability affects unknown code of the file campusconnect/BuildConfig.java of the component campusconnect.ucc. This manipulation causes use of hard-coded cryptographic key. The attack can only be… |
| CVE-2026-6611 | — | Low | 0.20 | 3.1 | 0.00 | | Apr 20, 2026 | A vulnerability was found in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component File Upload Endpoint. Performing a manipulation of the argument SECRET_KEY results in use of hard-coded cryptographic key.… |
| CVE-2026-4477 | | Low | 0.20 | 3.1 | 0.00 | | Mar 20, 2026 | A vulnerability was determined in Yi Technology YI Home Camera 2 2.1.1_20171024151200. This affects an unknown function of the component WPA/WPS. Executing a manipulation can lead to use of hard-coded cryptographic key. The attack can only be done within the local network.… |
| CVE-2025-10080 | | Low | 0.20 | 3.1 | 0.00 | | Sep 8, 2025 | A vulnerability has been found in running-elephant Datart up to 1.0.0-rc3. Affected by this issue is the function getTokensecret of the file datart/security/src/main/java/datart/security/util/AESUtil.java of the component API. The manipulation leads to use of hard-coded… |
| CVE-2026-5420 | | Low | 0.16 | 2.5 | 0.00 | | Apr 2, 2026 | A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AES_IV/AES_PASSWORD results in use of… |
| CVE-2026-5310 | | Low | 0.16 | 2.5 | 0.00 | | Apr 1, 2026 | A vulnerability was identified in Enter Software Iperius Backup up to 8.7.2. This impacts an unknown function of the file IperiusAccounts.ini. Such manipulation leads to use of hard-coded cryptographic key. The attack must be carried out locally. This attack is characterized… |
| CVE-2026-44278 | | Low | 0.15 | 2.3 | 0.00 | | May 12, 2026 | A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.2, FortiClientWindows 7.2 all versions may allow attacker to information disclosure via |
| CVE-2025-6666 | | Low | 0.13 | 2.0 | 0.00 | | Nov 29, 2025 | A vulnerability was determined in motogadget mo.lock Ignition Lock up to 20251125. Affected by this vulnerability is an unknown functionality of the component NFC Handler. Executing manipulation can lead to use of hard-coded cryptographic key. The physical device can be… |
| CVE-2011-5064 | | | 0.01 | — | 0.07 | | Jan 14, 2012 | DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass… |
| CVE-2026-9642 | — | | 0.00 | — | 0.00 | | May 26, 2026 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| CVE-2026-25894 | | | 0.00 | — | 0.01 | | Feb 9, 2026 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when… |
| CVE-2026-25505 | — | | 0.00 | — | 0.01 | | Feb 4, 2026 | Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and many API routes do not check authentication. This issue has been patched in version 0.1.7. |
| CVE-2025-69971 | | | 0.00 | — | 0.02 | | Feb 3, 2026 | FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative… |
| CVE-2025-54947 | | | 0.00 | — | 0.00 | | Dec 12, 2025 | In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key.… |
| CVE-2025-65998 | — | | 0.00 | — | 0.00 | | Nov 24, 2025 | Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious… |
| CVE-2023-27584 | | | 0.00 | — | 0.34 | | Sep 19, 2024 | Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded,… |