CWE-547
Use of Hard-coded, Security-relevant Constants
Description
The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (11)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-49151 | — | Cri | 0.60 | — | 0.01 | Jun 25, 2025 | The affected products could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication. | |
| CVE-2025-30206 | Cri | 0.57 | 9.8 | 0.01 | Apr 15, 2025 | Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw… | ||
| CVE-2025-2081 | Hig | 0.57 | — | 0.00 | Mar 13, 2025 | Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and mislead victim clients. | ||
| CVE-2025-2079 | Hig | 0.57 | — | 0.00 | Mar 13, 2025 | Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions. | ||
| CVE-2024-39888 | Hig | 0.49 | 7.5 | 0.00 | Jul 9, 2024 | A vulnerability has been identified in Mendix Encryption (All versions >= V10.0.0 < V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified. … | ||
| CVE-2017-0928 | — | Med | 0.40 | 6.1 | 0.01 | Jun 4, 2018 | html-janitor node module suffers from an External Control of Critical State Data vulnerability via user-control of the '_sanitized' variable causing sanitization to be bypassed. | |
| CVE-2024-41885 | Med | 0.36 | — | 0.00 | Dec 24, 2024 | Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the NVR. The seed string for the encrypt key was hardcoding. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and… | ||
| CVE-2026-6420 | — | Med | 0.34 | 6.3 | 0.00 | May 6, 2026 | A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation… | |
| CVE-2025-23253 | Low | 0.16 | 2.5 | 0.00 | Apr 22, 2025 | NVIDIA NvContainer service for Windows contains a vulnerability in its usage of OpenSSL, where an attacker could exploit a hard-coded constant issue by copying a malicious DLL in a hard-coded path. A successful exploit of this vulnerability might lead to code execution, denial… | ||
| CVE-2023-1712 | — | 0.00 | — | 0.01 | Mar 30, 2023 | Use of Hard-coded, Security-relevant Constants in GitHub repository deepset-ai/haystack prior to 0.1.30. | ||
| CVE-2019-14837 | 0.00 | — | 0.02 | Jan 7, 2020 | A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be… |
- risk 0.60cvss —epss 0.01
The affected products could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication.
- risk 0.57cvss 9.8epss 0.01
Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw…
- risk 0.57cvss —epss 0.00
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and mislead victim clients.
- risk 0.57cvss —epss 0.00
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
- risk 0.49cvss 7.5epss 0.00
A vulnerability has been identified in Mendix Encryption (All versions >= V10.0.0 < V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified. …
- risk 0.40cvss 6.1epss 0.01
html-janitor node module suffers from an External Control of Critical State Data vulnerability via user-control of the '_sanitized' variable causing sanitization to be bypassed.
- risk 0.36cvss —epss 0.00
Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the NVR. The seed string for the encrypt key was hardcoding. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and…
- risk 0.34cvss 6.3epss 0.00
A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation…
- risk 0.16cvss 2.5epss 0.00
NVIDIA NvContainer service for Windows contains a vulnerability in its usage of OpenSSL, where an attacker could exploit a hard-coded constant issue by copying a malicious DLL in a hard-coded path. A successful exploit of this vulnerability might lead to code execution, denial…
- CVE-2023-1712Mar 30, 2023risk 0.00cvss —epss 0.01
Use of Hard-coded, Security-relevant Constants in GitHub repository deepset-ai/haystack prior to 0.1.30.
- CVE-2019-14837Jan 7, 2020risk 0.00cvss —epss 0.02
A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be…