VYPR

CWE-547

Use of Hard-coded, Security-relevant Constants

BaseDraft

Description

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.

If the developer does not find all occurrences of the hard-coded constants, an incorrect policy decision may be made if one of the constants is not changed. Making changes to these values will require code changes that may be difficult or impossible once the system is released to the field. In addition, these hard-coded values may become available to attackers if the code is ever disclosed.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (11)

  • CVE-2025-49151CriJun 25, 2025
    risk 0.60cvss epss 0.01

    The affected products could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication.

  • CVE-2025-30206CriApr 15, 2025
    risk 0.57cvss 9.8epss 0.01

    Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw…

  • CVE-2025-2081HigMar 13, 2025
    risk 0.57cvss epss 0.00

    Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and mislead victim clients.

  • CVE-2025-2079HigMar 13, 2025
    risk 0.57cvss epss 0.00

    Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.

  • CVE-2024-39888HigJul 9, 2024
    risk 0.49cvss 7.5epss 0.00

    A vulnerability has been identified in Mendix Encryption (All versions >= V10.0.0 < V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified. …

  • CVE-2017-0928MedJun 4, 2018
    risk 0.40cvss 6.1epss 0.01

    html-janitor node module suffers from an External Control of Critical State Data vulnerability via user-control of the '_sanitized' variable causing sanitization to be bypassed.

  • CVE-2024-41885MedDec 24, 2024
    risk 0.36cvss epss 0.00

    Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the NVR. The seed string for the encrypt key was hardcoding. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and…

  • CVE-2026-6420MedMay 6, 2026
    risk 0.34cvss 6.3epss 0.00

    A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation…

  • CVE-2025-23253LowApr 22, 2025
    risk 0.16cvss 2.5epss 0.00

    NVIDIA NvContainer service for Windows contains a vulnerability in its usage of OpenSSL, where an attacker could exploit a hard-coded constant issue by copying a malicious DLL in a hard-coded path. A successful exploit of this vulnerability might lead to code execution, denial…

  • CVE-2023-1712Mar 30, 2023
    risk 0.00cvss epss 0.01

    Use of Hard-coded, Security-relevant Constants in GitHub repository deepset-ai/haystack prior to 0.1.30.

  • CVE-2019-14837Jan 7, 2020
    risk 0.00cvss epss 0.02

    A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be…