Total
1522 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-45466 | 1 Unitree | 2 Go1, Go1 Firmware | 2025-10-17 | N/A | 8.8 HIGH |
| Unitree Go1 <= Go1_2022_05_11 is vulnerale to Incorrect Access Control due to authentication credentials being hardcoded in plaintext. | |||||
| CVE-2025-61926 | 2025-10-16 | N/A | N/A | ||
| Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into the Allstar binary and could not be configured at runtime. In practice, this meant that every deployment using Reviewbot would validate requests with the same secret unless the operator modified source code and rebuilt the component - an expectation that is not documented and is easy to miss. All Allstar releases prior to v4.5 that include the Reviewbot code path are affected. Deployments on v4.5 and later are not affected. Those who have not enabled or exposed the Reviewbot endpoint are not exposed to this issue. | |||||
| CVE-2025-34196 | 2 Microsoft, Vasion | 3 Windows, Virtual Appliance Application, Virtual Appliance Host | 2025-10-16 | N/A | 9.8 CRITICAL |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application prior to 25.1.1413 (Windows client deployments) contain a hardcoded private key for the PrinterLogic Certificate Authority (CA) and a hardcoded password in product configuration files. The Windows client ships the CA certificate and its associated private key (and other sensitive settings such as a configured password) directly in shipped configuration files (for example clientsettings.dat and defaults.ini). An attacker who obtains these files can impersonate the CA, sign arbitrary certificates trusted by the Windows client, intercept or decrypt TLS-protected communications, and otherwise perform man-in-the-middle or impersonation attacks against the product's network communications. This vulnerability has been identified by the vendor as: V-2022-001 — Configuration File Contains CA & Private Key. | |||||
| CVE-2025-10850 | 2025-10-16 | N/A | 9.8 CRITICAL | ||
| The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password. | |||||
| CVE-2025-57434 | 1 Creacast | 1 Creabox Manager | 2025-10-14 | N/A | 8.8 HIGH |
| Creacast Creabox Manager contains a critical authentication flaw that allows an attacker to bypass login validation. The system grants access when the username is creabox and the password begins with the string creacast, regardless of what follows. | |||||
| CVE-2025-11643 | 2025-10-14 | 2.6 LOW | 3.7 LOW | ||
| A security flaw has been discovered in Tomofun Furbo 360 and Furbo Mini. Affected by this vulnerability is an unknown functionality of the file /squashfs-root/furbo_img of the component MQTT Client Certificate. Performing manipulation results in hard-coded credentials. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-0949 | 2025-10-14 | N/A | 9.8 CRITICAL | ||
| Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass.This issue affects Elektraweb: before v17.0.68. | |||||
| CVE-2025-45813 | 1 Enensys | 2 Ipguardv2, Ipguardv2 Firmware | 2025-10-10 | N/A | 9.8 CRITICAL |
| ENENSYS IPGuard v2 2.10.0 was discovered to contain hardcoded credentials. | |||||
| CVE-2025-31953 | 1 Hcltech | 1 Dryice Iautomate | 2025-10-10 | N/A | 7.1 HIGH |
| HCL iAutomate includes hardcoded credentials which may result in potential exposure of confidential data if intercepted or accessed by unauthorized parties. | |||||
| CVE-2025-34223 | 1 Vasion | 2 Virtual Appliance Application, Virtual Appliance Host | 2025-10-09 | N/A | 9.8 CRITICAL |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) contain a default admin account and an installation‑time endpoint at `/admin/query/update_database.php` that can be accessed without authentication. An attacker who can reach the installation web interface can POST arbitrary `root_user` and `root_password` values, causing the script to replace the default admin credentials with attacker‑controlled ones. The script also contains hard‑coded SHA‑512 and SHA‑1 hashes of the default password, allowing the attacker to bypass password‑policy validation. As a result, an unauthenticated remote attacker can obtain full administrative control of the system during the initial setup. This vulnerability has been identified by the vendor as: V-2024-022 — Insecure Installation Credentials. | |||||
| CVE-2025-58385 | 1 Doxense | 1 Watchdoc | 2025-10-07 | N/A | 7.1 HIGH |
| In DOXENSE WATCHDOC before 6.1.0.5094, private user puk codes can be disclosed for Active Directory registered users (there is hard-coded and predictable data). | |||||
| CVE-2025-56466 | 1 Masterlifecrm | 1 Dietly | 2025-10-06 | N/A | 7.5 HIGH |
| Hardcoded credentials in Dietly v1.25.0 for android allows attackers to gain sensitive information. | |||||
| CVE-2025-10609 | 2025-10-06 | N/A | 5.9 MEDIUM | ||
| Use of Hard-coded Credentials vulnerability in Logo Software Inc. TigerWings ERP allows Read Sensitive Constants Within an Executable.This issue affects TigerWings ERP: from 01.01.00 before 3.03.00. | |||||
| CVE-2025-34209 | 1 Vasion | 2 Virtual Appliance Application, Virtual Appliance Host | 2025-10-03 | N/A | 7.2 HIGH |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.862 and Application prior to 20.0.2014 (VA and SaaS deployments) contain Docker images with the private GPG key and passphrase for the account *no‑reply+virtual‑appliance@printerlogic.com*. The key is stored in cleartext and the passphrase is hardcoded in files. An attacker with administrative access to the appliance can extract the private key, import it into their own system, and subsequently decrypt GPG-encrypted files and sign arbitrary firmware update packages. A maliciously signed update can be uploaded by an admin‑level attacker and will be executed by the appliance, giving the attacker full control of the virtual appliance. This vulnerability has been identified by the vendor as: V-2023-010 — Hardcoded Private Key. | |||||
| CVE-2014-2349 | 1 Emerson | 1 Deltav | 2025-10-03 | 2.4 LOW | N/A |
| Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program. | |||||
| CVE-2024-4996 | 2025-10-03 | N/A | 9.8 CRITICAL | ||
| Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is same among all Wapro ERP installations. This issue affects Wapro ERP Desktop versions before 8.90.0. | |||||
| CVE-2024-3700 | 1 Estomed | 1 Simple Care | 2025-10-03 | N/A | 9.8 CRITICAL |
| Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Simple Care software installations. This issue affects Estomed Sp. z o.o. Simple Care software in all versions. The software is no longer supported. | |||||
| CVE-2024-3699 | 1 Dreryk | 1 Gabinet | 2025-10-03 | N/A | 9.8 CRITICAL |
| Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all drEryk Gabinet installations.This issue affects drEryk Gabinet software versions from 7.0.0.0 through 9.17.0.0. | |||||
| CVE-2024-1228 | 1 Eurosoft | 1 Przychodnia | 2025-10-03 | N/A | 9.8 CRITICAL |
| Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Eurosoft Przychodnia installations. This issue affects Eurosoft Przychodnia software before version 20240417.001 (from that version vulnerability is fixed). | |||||
| CVE-2025-34198 | 1 Vasion | 2 Virtual Appliance Application, Virtual Appliance Host | 2025-10-02 | N/A | 9.8 CRITICAL |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.951 and Application prior to 20.0.2368 (VA and SaaS deployments) contain shared, hardcoded SSH host private keys in the appliance image. The same private host keys (RSA, ECDSA, and ED25519) are present across installations, rather than being uniquely generated per appliance. An attacker who obtains these private keys (for example from one compromised appliance image or another installation) can impersonate the appliance, decrypt or intercept SSH connections to appliances that use the same keys, and perform man-in-the-middle or impersonation attacks against administrative SSH sessions. This vulnerability has been identified by the vendor as: V-2024-011 — Hardcoded SSH Host Key. | |||||