Total
1551 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-36752 | 2025-12-13 | N/A | ||
| Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle. | ||||
| CVE-2025-36747 | 2025-12-13 | N/A | ||
| ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced. | ||||
| CVE-2021-47730 | 1 Selea | 1 Targa Ip Ocr-anpr Camera | 2025-12-12 | N/A |
| Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication. Attackers can craft a malicious web page that submits a form to add a new admin user with full system privileges when a logged-in user visits the page. | ||||
| CVE-2025-13954 | 1 Actions-micro | 2 Ezcast Pro Ii, Ezcast Pro Ii Firmware | 2025-12-12 | N/A |
| Hard-coded cryptographic keys in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to bypass authorization checks and gain full access to the admin UI | ||||
| CVE-2025-65823 | 1 Meatmeet | 1 Meatmeet Pro | 2025-12-12 | 9.8 Critical |
| The Meatmeet Pro was found to be shipped with hardcoded Wi-Fi credentials in the firmware, for the test network it was developed on. If an attacker retrieved this, and found the physical location of the Wi-Fi network, they could gain unauthorized access to the Wi-Fi network of the vendor. Additionally, if an attacker were located in close physical proximity to the device when it was first set up, they may be able to force the device to auto-connect to an attacker-controlled access point by setting the SSID and password to the same as which was found in the firmware file. | ||||
| CVE-2025-42890 | 1 Sap | 1 Sql Anywhere | 2025-12-11 | 10 Critical |
| SQL Anywhere Monitor (Non-GUI) baked credentials into the code,exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution.This could cause high impact on confidentiality integrity and availability of the system. | ||||
| CVE-2025-65730 | 2 Goaway Project, Pommee | 2 Goaway, Goaway | 2025-12-11 | 8.8 High |
| Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication. | ||||
| CVE-2025-40938 | 1 Siemens | 2 Simatic Cn 4100, Simatic Cn 4100 Firmware | 2025-12-10 | 8.1 High |
| A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device stores sensitive information in the firmware. This could allow an attacker to access and misuse this information, potentially impacting the device’s confidentiality, integrity, and availability. | ||||
| CVE-2025-2538 | 1 Esri | 1 Portal For Arcgis | 2025-12-10 | 9.8 Critical |
| A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system. | ||||
| CVE-2025-41696 | 1 Phoenixcontact | 67 Fl Nat 2208, Fl Nat 2304-2gc-2sfp, Fl Switch 2005 and 64 more | 2025-12-10 | 4.6 Medium |
| An attacker can use an undocumented UART port on the PCB as a side-channel with the user hardcoded credentials obtained from CVE-2025-41692 to gain read access to parts of the filesystem of the device. | ||||
| CVE-2024-9486 | 2 Kubernetes, Kubernetes-sigs | 2 Image Builder, Image Builder | 2025-12-08 | 9.8 Critical |
| A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider. | ||||
| CVE-2024-9594 | 2 Kubernetes, Kubernetes-sigs | 2 Image Builder, Image Builder | 2025-12-08 | 6.3 Medium |
| A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project. Because these images were vulnerable during the image build process, they are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring. | ||||
| CVE-2022-27600 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2025-12-08 | 6.8 Medium |
| An uncontrolled resource consumption vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2277 and later QTS 4.5.4.2280 build 20230112 and later QuTS hero h5.0.1.2277 build 20230112 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later | ||||
| CVE-2025-66237 | 1 Sunbirddcim | 2 Dctrack, Power Iq | 2025-12-08 | 6.7 Medium |
| DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host. | ||||
| CVE-2025-29268 | 1 Allnet | 1 All-rut22gw | 2025-12-08 | 9.8 Critical |
| ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library. | ||||
| CVE-2025-14126 | 1 Tozed | 2 Zlt M30s, Zlt M30s Pro | 2025-12-08 | 8.8 High |
| A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-54341 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-12-05 | 5.3 Medium |
| A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There are Hard-coded configuration values. | ||||
| CVE-2025-66454 | 1 Arcadeai | 1 Arcade-mcp | 2025-12-04 | 6.5 Medium |
| Arcade MCP allows you to to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints—including tool enumeration and tool invocation—without credentials. This vulnerability is fixed in 1.5.4. | ||||
| CVE-2025-64778 | 1 Mirion Medical | 1 Nmis Biodose | 2025-12-04 | 7.3 High |
| NMIS/BioDose software V22.02 and previous versions contain executable binaries with plain text hard-coded passwords. These hard-coded passwords could allow unauthorized access to both the application and database. | ||||
| CVE-2024-45656 | 1 Ibm | 57 Ess 5000 \(5105-22e\), Ess 5000 \(5105-22e\) Firmware, Power9 System Firmware and 54 more | 2025-12-03 | 9.8 Critical |
| IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to gain service privileges to the FSP. | ||||