VYPR

CWE-798

Use of Hard-coded Credentials

Base · Draft · Likelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 20 of 28
  • CVE-2024-27170 · High · Jun 14, 2024
    risk 0.48 · cvss 7.4 · epss 0.00

    It was observed that all the Toshiba printers contain credentials used for WebDAV access in the readable file. It is then possible to get full access to the printer with WebDAV. As for the affected products/models/versions, see the reference URL.

  • CVE-2018-15360 · High · Aug 17, 2018
    risk 0.48 · cvss 7.3 · epss 0.02

    An attacker without authentication can login with default credentials for privileged users in Eltex ESP-200 firmware version 1.2.0.

  • CVE-2018-10966 · High · Jun 5, 2018
    risk 0.48 · cvss 7.3 · epss 0.02

    An issue was discovered in GamerPolls 0.4.6, related to config/environments/all.js and config/initializers/02_passport.js. An attacker can edit the Passport.js contents of the session cookie to contain the ID number of the account they wish to take over, and re-sign it using the…

  • CVE-2018-10813 · High · Jun 5, 2018
    risk 0.48 · cvss 7.3 · epss 0.01

    In Dedos-web 1.0, the cookie and session secrets used in the Express.js application have hardcoded values that are visible in the source code published on GitHub. An attacker can edit the contents of the session cookie and re-sign it using the hardcoded secret. Due to the use of…

  • CVE-2018-10328 · High · Apr 24, 2018
    risk 0.48 · cvss 7.4 · epss 0.01

    Momentum Axel 720P 5.1.8 devices have a hardcoded password of streaming for the appagent account, which allows remote attackers to view the RTSP video stream.

  • CVE-2017-12726 · High · Feb 15, 2018
    risk 0.48 · cvss 7.3 · epss 0.01

    A Use of Hard-coded Password issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. Telnet on the pump uses hardcoded credentials, which can be used if the pump is configured to allow external communications. Smiths…

  • CVE-2017-9956 · High · Sep 26, 2017
    risk 0.48 · cvss 7.3 · epss 0.01

    An authentication bypass vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the system contains a hard-coded valid session. An attacker can use that session ID as part of the HTTP cookie of a web request, resulting in…

  • CVE-2026-8876 · High · Jun 3, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.

  • CVE-2026-36538 · High · May 27, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Netis AC1200 Router NC21 V4.0.1.4296 contains a hard-coded root credential stored in /etc/shadow.sample. The password for the root account is set to the trivially weak value root, allowing an attacker with access to the device to authenticate as root and gain full control of the…

  • CVE-2026-8032 · High · May 6, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A flaw has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. The impacted element is an unknown function of the file /cdemos/echs/priv/echs.js. This manipulation of the argument ADMIN_KEY causes hard-coded credentials. The attack is possible to be carried out…

  • CVE-2026-7579 · High · May 1, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.16.0. This issue affects some unknown processing of the file astrbot/dashboard/routes/auth.py of the component Dashboard. The manipulation leads to hard-coded credentials. It is possible to initiate the…

  • CVE-2026-6574 · High · Apr 19, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability has been found in osuuu LightPicture up to 1.2.2. This issue affects some unknown processing of the file /public/install/lp.sql of the component API Upload Endpoint. Such manipulation of the argument key leads to hard-coded credentials. The attack may be…

  • CVE-2025-15605 · High · Mar 23, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them, and re-encrypt them,…

  • CVE-2026-3873 · High · Mar 13, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    Use of Hard-coded Credentials vulnerability in Avantra allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Avantra: before 25.3.0.

  • CVE-2026-29023 · High · Mar 9, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through…

  • CVE-2025-13252 · High · Nov 16, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability was found in shsuishang ShopSuite ModulithShop up to 45a99398cec3b7ad7ff9383694f0b53339f2d35a. Affected by this issue is some unknown functionality of the component RSA/OAuth2/Database. The manipulation results in hard-coded credentials. The attack can be…

  • CVE-2025-46617 · High · Apr 25, 2025
    risk 0.47 · cvss 7.2 · epss 0.00

    Quantum StorNext Web GUI API before 7.2.4 grants access to internal StorNext configuration and unauthorized modification of some software configuration parameters via undocumented user credentials. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before…

  • CVE-2025-3426 · High · Apr 7, 2025
    risk 0.47 · cvss · epss 0.00

    We observed that Intellispace Portal binaries don’t have any protection mechanisms to prevent reverse engineering. Specifically, the app’s code is not obfuscated, and no measures are in place to protect against decompilation, disassembly, or debugging. As a result,…

  • CVE-2024-8893 · High · Feb 14, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    Use of Hard-coded Credentials vulnerability in GoodWe Technologies Co., Ltd. GW1500‑XS allows anyone in physical proximity to the device to fully access the web interface of the inverter via Wi‑Fi. This issue affects GW1500‑XS: 1.1.2.1.

  • CVE-2024-11630 · High · Nov 22, 2024
    risk 0.47 · cvss 7.3 · epss 0.01

    A vulnerability has been found in E-Lins H685, H685f, H700, H720, H750, H820, H820Q, H820Q0 and H900 up to 3.2 and classified as critical. This vulnerability affects unknown code of the component OEM Backend. The manipulation leads to hard-coded credentials. The attack can be…