Total
1548 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-40938 | 1 Siemens | 2 Simatic Cn 4100, Simatic Cn 4100 Firmware | 2025-12-10 | 8.1 High |
| A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device stores sensitive information in the firmware. This could allow an attacker to access and misuse this information, potentially impacting the device’s confidentiality, integrity, and availability. | ||||
| CVE-2021-47730 | 1 Selea | 1 Targa Ip Ocr-anpr Camera | 2025-12-10 | N/A |
| Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication. Attackers can craft a malicious web page that submits a form to add a new admin user with full system privileges when a logged-in user visits the page. | ||||
| CVE-2025-2538 | 1 Esri | 1 Portal For Arcgis | 2025-12-10 | 9.8 Critical |
| A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system. | ||||
| CVE-2025-41696 | 1 Phoenixcontact | 67 Fl Nat 2208, Fl Nat 2304-2gc-2sfp, Fl Switch 2005 and 64 more | 2025-12-10 | 4.6 Medium |
| An attacker can use an undocumented UART port on the PCB as a side-channel with the user hardcoded credentials obtained from CVE-2025-41692 to gain read access to parts of the filesystem of the device. | ||||
| CVE-2025-13954 | 1 Actions-micro | 2 Ezcast Pro Ii, Ezcast Pro Ii Firmware | 2025-12-10 | N/A |
| Hard-coded cryptographic keys in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to bypass authorization checks and gain full access to the admin UI | ||||
| CVE-2025-65730 | 1 Goaway Project | 1 Goaway | 2025-12-09 | 8.8 High |
| Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication. | ||||
| CVE-2024-9486 | 2 Kubernetes, Kubernetes-sigs | 2 Image Builder, Image Builder | 2025-12-08 | 9.8 Critical |
| A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider. | ||||
| CVE-2024-9594 | 2 Kubernetes, Kubernetes-sigs | 2 Image Builder, Image Builder | 2025-12-08 | 6.3 Medium |
| A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project. Because these images were vulnerable during the image build process, they are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring. | ||||
| CVE-2022-27600 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2025-12-08 | 6.8 Medium |
| An uncontrolled resource consumption vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2277 and later QTS 4.5.4.2280 build 20230112 and later QuTS hero h5.0.1.2277 build 20230112 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later | ||||
| CVE-2025-66237 | 1 Sunbirddcim | 2 Dctrack, Power Iq | 2025-12-08 | 6.7 Medium |
| DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host. | ||||
| CVE-2025-29268 | 1 Allnet | 1 All-rut22gw | 2025-12-08 | 9.8 Critical |
| ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library. | ||||
| CVE-2025-14126 | 1 Tozed | 2 Zlt M30s, Zlt M30s Pro | 2025-12-08 | 8.8 High |
| A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-54341 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-12-05 | 5.3 Medium |
| A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There are Hard-coded configuration values. | ||||
| CVE-2025-66454 | 1 Arcadeai | 1 Arcade-mcp | 2025-12-04 | 6.5 Medium |
| Arcade MCP allows you to to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints—including tool enumeration and tool invocation—without credentials. This vulnerability is fixed in 1.5.4. | ||||
| CVE-2025-64778 | 1 Mirion Medical | 1 Nmis Biodose | 2025-12-04 | 7.3 High |
| NMIS/BioDose software V22.02 and previous versions contain executable binaries with plain text hard-coded passwords. These hard-coded passwords could allow unauthorized access to both the application and database. | ||||
| CVE-2024-45656 | 1 Ibm | 57 Ess 5000 \(5105-22e\), Ess 5000 \(5105-22e\) Firmware, Power9 System Firmware and 54 more | 2025-12-03 | 9.8 Critical |
| IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to gain service privileges to the FSP. | ||||
| CVE-2024-23687 | 1 Openlibraryfoundation | 1 Mod-data-export-spring | 2025-11-29 | 9.1 Critical |
| Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines. | ||||
| CVE-2024-23685 | 1 Openlibraryfoundation | 1 Mod-remote-storage | 2025-11-29 | 5.3 Medium |
| Hard-coded credentials in mod-remote-storage versions under 1.7.2 and from 2.0.0 to 2.0.3 allows unauthorized users to gain read access to mod-inventory-storage records including instances, holdings, items, contributor-types, and identifier-types. | ||||
| CVE-2025-34034 | 1 5vtechnologies | 1 Blue Angel Software Suite | 2025-11-29 | 8.8 High |
| A hardcoded credential vulnerability exists in the Blue Angel Software Suite deployed on embedded Linux systems. The application contains multiple known default and hardcoded user accounts that are not disclosed in public documentation. These accounts allow unauthenticated or low-privilege attackers to gain administrative access to the device’s web interface. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-26 UTC. | ||||
| CVE-2025-63433 | 2 Google, Xtooltech | 3 Android, Anyscan, Xtool Anyscan | 2025-11-28 | 4.6 Medium |
| Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package. | ||||