Total
1647 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27073 | 2026-03-30 | N/A | 7.5 HIGH | ||
| Use of Hard-coded Credentials vulnerability in Addi Addi – Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation.This issue affects Addi – Cuotas que se adaptan a ti: from n/a through <= 2.0.4. | |||||
| CVE-2026-1612 | 2026-03-30 | N/A | N/A | ||
| AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 8.0.21.0610 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2026-4993 | 2026-03-30 | 1.7 LOW | 3.3 LOW | ||
| A vulnerability has been found in wandb OpenUI up to 0.0.0.0/1.0. This impacts an unknown function of the file backend/openui/config.py. The manipulation of the argument LITELLM_MASTER_KEY leads to hard-coded credentials. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-9497 | 2026-03-30 | N/A | N/A | ||
| Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0. | |||||
| CVE-2025-12708 | 1 Ibm | 1 Concert | 2026-03-27 | N/A | 6.2 MEDIUM |
| IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user. | |||||
| CVE-2026-28255 | 1 Trane | 5 Tracer Concierge, Tracer Sc, Tracer Sc\+ and 2 more | 2026-03-27 | N/A | 9.8 CRITICAL |
| A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts. | |||||
| CVE-2025-55262 | 1 Hcltech | 1 Aftermarket Cloud | 2026-03-26 | N/A | 8.3 HIGH |
| HCL Aftermarket DPC is affected by SQL Injection which allows attacker to exploit this vulnerability to retrieve sensitive information from the database. | |||||
| CVE-2025-55263 | 1 Hcltech | 1 Aftermarket Cloud | 2026-03-26 | N/A | 7.3 HIGH |
| HCL Aftermarket DPC is affected by Hardcoded Sensitive Data which allows attacker to gain access to the source code or if it is stored in insecure repositories, they can easily retrieve these hardcoded secrets. | |||||
| CVE-2026-22900 | 1 Qnap | 1 Qunetswitch | 2026-03-25 | N/A | 9.8 CRITICAL |
| A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later | |||||
| CVE-2026-4404 | 2026-03-24 | N/A | 9.4 CRITICAL | ||
| Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI. | |||||
| CVE-2026-28674 | 1 Danvei233 | 1 Xiaoheifs | 2026-03-23 | N/A | 7.2 HIGH |
| xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue. | |||||
| CVE-2026-30701 | 2026-03-23 | N/A | 9.1 CRITICAL | ||
| The web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) contains hardcoded credential disclosure mechanisms (in the form of Server Side Include) within multiple server-side web pages, including login.shtml and settings.shtml. These pages embed server-side execution directives that dynamically retrieve and expose the web administration password from non-volatile memory at runtime. | |||||
| CVE-2026-33072 | 1 Filerise | 1 Filerise | 2026-03-23 | N/A | 8.2 HIGH |
| FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations — HMAC token generation, AES config encryption, and session tokens — allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0. | |||||
| CVE-2026-1958 | 2026-03-23 | N/A | N/A | ||
| Use of hard-coded credentials in Klinika XP and KlinikaXP Insertino allowed an unauthorized attacker access to several internal services. Critically, this included access to the FTP server that hosted the application's update packages. The attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update. This issue affects KlinikaXP: before 5.39.01.01. and KlinikaXP Insertino before 3.1.0.1 Beside removing the hardcoded credentials from the code, previously exposed credentials were also rotated preventing further attack attempts. | |||||
| CVE-2026-4475 | 2026-03-20 | 8.3 HIGH | 8.8 HIGH | ||
| A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-25803 | 1 Denpiligrim | 1 3dp-manager | 2026-03-17 | N/A | 9.8 CRITICAL |
| 3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2. | |||||
| CVE-2026-29120 | 1 Datacast | 2 Sfx2100, Sfx2100 Firmware | 2026-03-17 | N/A | 7.8 HIGH |
| The /root/anaconda-ks.cfg installation configuration file in International Datacasting Corporation (IDC) SFX Series(SFX2100) SuperFlex Satellite Receiver insecurely stores the hardcoded root password hash. The password itself is highly insecure and susceptible to offline dictionary attacks using the rockyou.txt wordlist. Because direct root SSH login is disabled, an attacker must first obtain low-privileged access to the system (e.g., via other vulnerabilities) to be able to log in as the root user. The password is hardcoded and so allows for an actor with local access on effected versions to escalate to root | |||||
| CVE-2026-28777 | 1 Datacast | 2 Sfx2100, Sfx2100 Firmware | 2026-03-17 | N/A | 9.8 CRITICAL |
| International Datacasting Corporation (IDC) SFX2100 Satellite Receiver, trivial password for the `user` (usr) account. A remote unauthenticated attacker can exploit this to gain unauthorized SSH access to the system, while intially dropped into a restricted shell, an attacker can trivially spawn a complete pty to gain an appropriately interactive shell. | |||||
| CVE-2026-28778 | 1 Datacast | 2 Sfx2100, Sfx2100 Firmware | 2026-03-17 | N/A | 9.8 CRITICAL |
| International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented, hardcoded/insecure credentials for the `xd` user account. A remote unauthenticated attacker can log in via FTP using these credentials. Because the `xd` user has write permissions to their home directory where root-executed binaries and symlinks (such as those invoked by `xdstartstop`) are stored, the attacker can overwrite these files or manipulate symlinks to achieve arbitrary code execution as the root user. | |||||
| CVE-2026-29119 | 1 Datacast | 2 Sfx2100, Sfx2100 Firmware | 2026-03-17 | N/A | 9.8 CRITICAL |
| International Datacasting Corporation (IDC) SFX Series SuperFlex(SFX2100) SatelliteReceiver contains hardcoded and insecure credentials for the `admin` account. A remote unauthenticated attacker can use these undocumented credentials to access the satellite system directly via the Telnet service, leading to potential system compromise. | |||||