VYPR

CWE-798

Use of Hard-coded Credentials

BaseDraftLikelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 25 of 28
  • CVE-2025-59096MedJan 26, 2026
    risk 0.30cvss epss 0.00

    The default password for the extended admin user mode in the application U9ExosAdmin.exe ("Kaba 9300 Administration") is hard-coded in multiple locations as well as documented in the locally stored user documentation.

  • CVE-2017-14014MedMay 1, 2018
    risk 0.30cvss 4.6epss 0.00

    Boston Scientific ZOOM LATITUDE PRM Model 3120 uses a hard-coded cryptographic key to encrypt PHI prior to having it transferred to removable media. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

  • CVE-2025-53842MedJul 16, 2025
    risk 0.29cvss 4.5epss 0.00

    Use of hard-coded credentials issue exists in ZWX-2000CSW2-HN prior to 0.3.19 and ZWX-2000CS2-HN firmware all versions. If this vulnerability is exploited, an attacker may tamper with the settings of the device by obtaining the credentials. This vulnerability is caused by an…

  • CVE-2017-1787MedMar 2, 2018
    risk 0.29cvss 4.4epss 0.00

    IBM Publishing Engine 2.1.2 and 6.0.5 contains an undisclosed vulnerability that could allow a local user with administrative privileges to obtain hard coded user credentials. IBM X-Force ID: 137022.

  • CVE-2026-49323MedMay 29, 2026
    risk 0.28cvss 4.3epss 0.00

    Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM…

  • CVE-2025-5379MedMay 31, 2025
    risk 0.28cvss 4.3epss 0.00

    A vulnerability classified as critical was found in NuCom NC-WR744G 8.5.5 Build 20200530.307. This vulnerability affects unknown code of the component Console Application. The manipulation of the argument CMCCAdmin/useradmin/CUAdmin leads to hard-coded credentials. The attack…

  • CVE-2025-2556MedMar 20, 2025
    risk 0.28cvss 4.3epss 0.00

    A vulnerability classified as problematic was found in Audi UTR Dashcam 2.0. Affected by this vulnerability is an unknown functionality of the component Video Stream Handler. The manipulation leads to hard-coded credentials. The attack can only be initiated within the local…

  • CVE-2024-45832MedJan 17, 2025
    risk 0.28cvss 4.3epss 0.00

    Hard-coded credentials were included as part of the application binary. These credentials served as part of the application authentication flow and communication with the mobile application. An attacker could access unauthorized information.

  • CVE-2026-48245MedMay 21, 2026
    risk 0.27cvss 5.3epss 0.00

    Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original…

  • CVE-2026-48244MedMay 21, 2026
    risk 0.27cvss 5.3epss 0.00

    Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the…

  • CVE-2026-48243MedMay 21, 2026
    risk 0.27cvss 5.3epss 0.00

    Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited…

  • CVE-2025-64766MedNov 17, 2025
    risk 0.27cvss 5.3epss 0.00

    NixOS's Onlyoffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before Unstable 25.11, a hard-coded secret was used in the NixOS module for the OnlyOffice…

  • CVE-2026-56269medApr 16, 2026
    risk 0.26cvss epss 0.00

    **Detection Method:** Kolega.dev Deep Code Scan | Attribute | Value | |---|---| | Location | packages/server/src/enterprise/utils/tempTokenUtils.ts:31-34 | | Practical Exploitability | Medium | | Developer Approver | faizan@kolega.ai | ### Description The encryption key for…

  • CVE-2025-55739MedSep 5, 2025
    risk 0.26cvss epss 0.01

    api is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX…

  • CVE-2024-38480MedJul 1, 2024
    risk 0.26cvss 4.0epss 0.00

    "Piccoma" App for Android and iOS versions prior to 6.20.0 uses a hard-coded API key for an external service, which may allow a local attacker to obtain the API key. Note that the users of the app are not directly affected by this vulnerability.

  • CVE-2026-6610LowApr 20, 2026
    risk 0.24cvss 3.7epss 0.00

    A vulnerability has been found in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file djangoblog/settings.py of the component Setting Handler. Such manipulation of the argument USER/PASSWORD leads to hard-coded credentials. The attack…

  • CVE-2025-15107LowDec 27, 2025
    risk 0.24cvss 3.7epss 0.01

    A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic…

  • CVE-2025-15105LowDec 27, 2025
    risk 0.24cvss 3.7epss 0.00

    A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote…

  • CVE-2025-8974LowAug 14, 2025
    risk 0.24cvss 3.7epss 0.00

    A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java of the component JSON Web Token Handler. The manipulation of the…

  • CVE-2025-7079LowJul 6, 2025
    risk 0.24cvss 3.7epss 0.01

    A vulnerability, which was classified as problematic, has been found in mao888 bluebell-plus up to 2.3.0. This issue affects some unknown processing of the file bluebell_backend/pkg/jwt/jwt.go of the component JWT Token Handler. The manipulation of the argument mySecret with the…