VYPR

CWE-798

Use of Hard-coded Credentials

Base · Draft · Likelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 26 of 28
  • CVE-2025-61926 · Med · Oct 9, 2025
    risk 0.23 · cvss n/a · epss 0.00

    Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into…

  • CVE-2026-4993 · Low · Mar 28, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    A vulnerability has been found in wandb OpenUI up to 0.0.0.0/1.0. This impacts an unknown function of the file backend/openui/config.py. The manipulation of the argument LITELLM_MASTER_KEY leads to hard-coded credentials. An attack has to be approached locally. The exploit has…

  • CVE-2026-4219 · Low · Mar 16, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    A flaw has been found in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of…

  • CVE-2026-2702 · Low · Feb 19, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The…

  • CVE-2018-5552 · Low · Mar 19, 2018
    risk 0.19 · cvss 2.9 · epss 0.00

    Versions of DocuTrac QuicDoc and Office Therapy that ship with DTISQLInstaller.exe version 1.6.4.0 and prior contain a hard-coded cryptographic salt, "S@l+&pepper".

  • CVE-2025-9731 · Low · Aug 31, 2025
    risk 0.16 · cvss 2.5 · epss 0.00

    A vulnerability was determined in Tenda AC9 15.03.05.19. The impacted element is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. This manipulation causes hard-coded credentials. It is possible to launch the attack on the local host. The…

  • CVE-2025-9725 · Low · Aug 31, 2025
    risk 0.16 · cvss 2.5 · epss 0.00

    A vulnerability was identified in Cudy LT500E up to 2.3.12. Affected is an unknown function of the file /squashfs-root/etc/shadow of the component Web Interface. The manipulation leads to use of hard-coded password. The attack must be carried out locally. The attack's complexity…

  • CVE-2025-9309 · Low · Aug 21, 2025
    risk 0.16 · cvss 2.5 · epss 0.00

    A vulnerability was found in Tenda AC10 16.03.10.13. Affected is an unknown function of the file /etc_ro/shadow of the component MD5 Hash Handler. Performing manipulation results in hard-coded credentials. The attack needs to be approached locally. A high degree of complexity is…

  • CVE-2025-9091 · Low · Aug 17, 2025
    risk 0.16 · cvss 2.5 · epss 0.00

    A security flaw has been discovered in Tenda AC20 16.03.08.12. Affected by this vulnerability is an unknown functionality of the file /etc_ro/shadow. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the local host. The complexity of an…

  • CVE-2025-9806 · Low · Sep 2, 2025
    risk 0.12 · cvss 1.9 · epss 0.00

    A vulnerability was determined in Tenda F1202 1.2.0.9/1.2.0.14/1.2.0.20. Impacted is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. This manipulation with the input Fireitup causes hard-coded credentials. The attack can only be executed…

  • CVE-2025-9778 · Low · Sep 1, 2025
    risk 0.12 · cvss 1.9 · epss 0.00

    A security vulnerability has been detected in Tenda W12 up to 3.0.0.6(3948). Affected is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. The manipulation leads to hard-coded credentials. An attack has to be approached locally. The…

  • CVE-2023-20512 · Low · Aug 13, 2024
    risk 0.12 · cvss 1.9 · epss 0.00

    A hardcoded AES key in PMFW may result in a privileged attacker gaining access to the key, potentially resulting in internal debug information leakage.

  • CVE-2025-48491 · Low · May 30, 2025
    risk 0.11 · cvss n/a · epss 0.00

    Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in the source code. This issue has been patched in the pre-beta version.

  • CVE-2021-43116 · Jul 5, 2022
    risk 0.03 · cvss n/a · epss 0.06

    An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login.

  • CVE-2024-3408 · Jun 6, 2024
    risk 0.02 · cvss n/a · epss 0.78

    man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if…

  • CVE-2026-56266 · Jun 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4…

  • CVE-2026-4404 · Mar 23, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.

  • CVE-2026-27167 · Feb 27, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are…

  • CVE-2025-69971 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.02

    FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative…

  • CVE-2025-68926 · Dec 30, 2025
    risk 0.00 · cvss n/a · epss 0.29

    RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server…