VYPR

CWE-798

Use of Hard-coded Credentials

Base · Draft · Likelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 13 of 28
  • CVE-2026-42869 · Critical · May 11, 2026
    risk 0.58 · cvss 10.0 · epss 0.00

    SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships it verbatim in .env.example. Any…

  • CVE-2024-55557 · Critical · Dec 16, 2024
    risk 0.58 · cvss 9.8 · epss 0.01

    ui/pref/ProxyPrefView.java in weasis-core in Weasis 4.5.1 has a hardcoded key for symmetric encryption of proxy credentials.

  • CVE-2024-6045 · High · Jun 17, 2024
    risk 0.58 · cvss 8.8 · epss 0.06

    Certain models of D-Link wireless routers contain an undisclosed factory testing backdoor. Unauthenticated attackers on the local area network can force the device to enable Telnet service by accessing a specific URL and can log in by using the administrator credentials obtained…

  • CVE-2026-42251 · High · Jun 1, 2026
    risk 0.57 · cvss · epss 0.00

    Use of hard-coded credentials in KS-SOMED allowed an unauthorized attacker access to FTP server that hosted the application's update packages. The attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client…

  • CVE-2026-5065 · High · May 27, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    IBM Controller 11.0.1, 11.1.0, 11.1.1, and 11.1.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

  • CVE-2025-68421 · High · May 14, 2026
    risk 0.57 · cvss · epss 0.00

    Comarch ERP Optima client makes use of a hard-coded password for a database user. These credentials cannot be changed. It is possible for a remote attacker to gain access to the database with elevated privileges including executing system commands on a server. This issue has…

  • CVE-2026-42372 · High · May 4, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    D-Link DIR-605L Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir605l" read from /etc/alpha_config/image_sign.…

  • CVE-2026-27785 · High · Apr 28, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Specific firmware versions of Milesight AIOT camera firmware contain hard-coded credentials.

  • CVE-2026-1958 · High · Mar 23, 2026
    risk 0.57 · cvss · epss 0.00

    Use of hard-coded credentials in Klinika XP and KlinikaXP Insertino allowed an unauthorized attacker access to several internal services. Critically, this included access to the FTP server that hosted the application's update packages. The attacker with these credentials could…

  • CVE-2026-4475 · High · Mar 20, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The…

  • CVE-2026-2616 · High · Feb 17, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability has been found in Beetel 777VR1 up to 01.00.09. The impacted element is an unknown function of the component Web Management Interface. The manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has…

  • CVE-2025-59092 · High · Jan 26, 2026
    risk 0.57 · cvss · epss 0.01

    An RPC service, which is part of exos 9300, is reachable on port 4000, run by the process FSMobilePhoneInterface.exe. This service is used for interprocess communication between services and the Kaba exos 9300 GUI, containing status information about the Access Managers.…

  • CVE-2025-14126 · High · Dec 6, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been…

  • CVE-2025-33186 · High · Nov 11, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    NVIDIA AIStore contains a vulnerability in AuthN. A successful exploit of this vulnerability might lead to escalation of privileges, information disclosure, and data tampering.

  • CVE-2025-62777 · High · Oct 28, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Use of Hard-Coded Credentials issue exists in MZK-DP300N version 1.07 and earlier, which may allow an attacker within the local network to log in to the affected device via Telnet and execute arbitrary commands.

  • CVE-2025-10639 · High · Oct 21, 2025
    risk 0.57 · cvss 8.8 · epss 0.01

    The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304. An attacker with network access to this port can use weak hardcoded credentials to log in to the FTP server and modify or read data, log files…

  • CVE-2025-51606 · High · Aug 21, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    hippo4j 1.0.0 to 1.5.0 uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability…

  • CVE-2024-53484 · High · Dec 2, 2024
    risk 0.57 · cvss 8.8 · epss 0.00

    Ever Traduora 0.20.0 and below is vulnerable to Privilege Escalation due to the use of a hard-coded JWT signing key.

  • CVE-2023-49223 · High · Jun 7, 2024
    risk 0.57 · cvss 8.8 · epss 0.00

    Precor touchscreen console P62, P80, and P82 could allow a remote attacker to obtain sensitive information because the root password is stored in /etc/passwd. An attacker could exploit this to extract files and obtain sensitive information.

  • CVE-2023-49222 · High · Jun 7, 2024
    risk 0.57 · cvss 8.8 · epss 0.00

    Precor touchscreen console P82 contains a private SSH key that corresponds to a default public key. A remote attacker could exploit this to gain root privileges.