Skip to main content

CWE-259

Use of Hard-coded Password

150 CVEs Avg CVSS 7.4 MITRE
49
CRITICAL
50
HIGH
35
MEDIUM
16
LOW
33
POC
0
KEV

Monthly

CVE-2026-11552 MEDIUM This Month

Hard-coded credential exposure in SourceCodester's Online Examination & Learning Management System 1.0 (also distributed as Syllabus-aligned Learning Management and Examination System 1.0) allows remote unauthenticated attackers to exploit a statically embedded password ('CICT_2026') in the import_users.php file without any authentication or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms fully unauthenticated remote exploitation at low complexity, and the E:P exploit maturity modifier alongside the CVE description's explicit statement of public disclosure confirm that publicly available exploit code exists. Impact is constrained to low confidentiality exposure against the vulnerable component with no confirmed integrity or availability consequences.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11515 MEDIUM This Month

Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-35905 CRITICAL Act Now

Hardcoded root credentials in T3 Technology CPE devices (models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03) allow remote unauthenticated attackers to gain full root-level control via the built-in 'superadmin' account. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation with total impact to confidentiality, integrity, and availability, and SSVC marks the issue as automatable with total technical impact. No public exploit identified at time of analysis, and EPSS remains very low (0.02%) despite the severity, suggesting limited current scanning activity.

Authentication Bypass N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-22055 MEDIUM This Month

Hard-coded credentials embedded in NetApp Active IQ OneCollect 2.7.3 allow any low-privileged authenticated user to perform unauthorized AutoSupport operations beyond their intended authorization scope. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-accessible exploitation with low complexity, requiring only a low-privilege account with no special attack conditions. No public exploit has been identified and the vulnerability does not appear in the CISA KEV catalog at time of analysis.

Authentication Bypass Active Iq Onecollect
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-22054 MEDIUM This Month

Hard-coded credentials in NetApp Active IQ Config Advisor 6.7.3 enable authenticated low-privileged attackers to perform unauthorized AutoSupport operations against connected NetApp infrastructure. The embedded credentials bypass intended access controls, allowing any account holder to trigger or manipulate AutoSupport telemetry functions beyond their assigned privilege level. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.

Authentication Bypass Active Iq Config Advisor
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-7251 CRITICAL CISA Emergency

Hard-coded VNC password in the Eppendorf BioFlo 320 bioprocess control system allows any remote attacker who can reach the device on the network to take full control of its user interface without authentication. The flaw (CWE-259) is rated CVSS 9.3 and carries an SSVC technical impact of 'total' with automatable exploitation, though no public exploit has been identified at time of analysis and EPSS is low at 0.10%.

Authentication Bypass Bioflo 320
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-57175 MEDIUM This Month

Siklu EtherHaul 8010 wireless backhaul devices contain a static root password that enables physical attackers or those with local console access to gain complete administrative control without authentication. The vulnerability affects firmware version 10.6.2-18707 and potentially other versions of the EtherHaul 8010 product line, allowing credential-based authentication bypass with high confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at this time, though the CVSS:3.1 physical attack vector (AV:P) reflects that an attacker must have direct physical access to the device's console interfaces.

Authentication Bypass Etherhaul 8010
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-7741 LOW CISA Monitor

Hardcoded password vulnerability in Yokogawa CENTUM VP allows authentication bypass for the PROG system account across versions R5.01.00-R5.04.20, R6.01.00-R6.12.00, and R7.01.00. An attacker who obtains the hardcoded credential and has direct access to the Human Interface Station (HIS) running CTM authentication mode can log in as PROG; however, real-world risk is constrained because PROG defaults to S1 (OFFUSER) permission level, and exploitation requires pre-existing HIS access. No public exploit code or active CISA KEV status identified at time of analysis.

Authentication Bypass Centum Vp
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4475 HIGH This Week

Hard-coded credentials in YI Home Camera 2 firmware 2.1.1_20171024151200 allow adjacent network attackers to gain complete device control without authentication. The vulnerability exists in the /home/web/ipc file component and enables full compromise of confidentiality, integrity, and availability. Public exploit code exists (SSVC: poc) and vendor Yi Technology did not respond to responsible disclosure, leaving devices unpatched. EPSS score is low (0.02%, 5th percentile) despite total technical impact, suggesting limited widespread exploitation but significant risk for exposed IoT camera deployments on shared networks.

Authentication Bypass
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2025-59388 CRITICAL Act Now

QNAP Hyper Data Protector before 2.3.1.455 contains hard-coded credentials that allow remote unauthenticated attackers to gain unauthorized access to backup management functions, potentially compromising all backed-up data across the organization.

Authentication Bypass Hyper Data Protector
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
EPSS 0% CVSS 5.5
MEDIUM This Month

Hard-coded credential exposure in SourceCodester's Online Examination & Learning Management System 1.0 (also distributed as Syllabus-aligned Learning Management and Examination System 1.0) allows remote unauthenticated attackers to exploit a statically embedded password ('CICT_2026') in the import_users.php file without any authentication or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms fully unauthenticated remote exploitation at low complexity, and the E:P exploit maturity modifier alongside the CVE description's explicit statement of public disclosure confirm that publicly available exploit code exists. Impact is constrained to low confidentiality exposure against the vulnerable component with no confirmed integrity or availability consequences.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.

PHP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Hardcoded root credentials in T3 Technology CPE devices (models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03) allow remote unauthenticated attackers to gain full root-level control via the built-in 'superadmin' account. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation with total impact to confidentiality, integrity, and availability, and SSVC marks the issue as automatable with total technical impact. No public exploit identified at time of analysis, and EPSS remains very low (0.02%) despite the severity, suggesting limited current scanning activity.

Authentication Bypass N A
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Hard-coded credentials embedded in NetApp Active IQ OneCollect 2.7.3 allow any low-privileged authenticated user to perform unauthorized AutoSupport operations beyond their intended authorization scope. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-accessible exploitation with low complexity, requiring only a low-privilege account with no special attack conditions. No public exploit has been identified and the vulnerability does not appear in the CISA KEV catalog at time of analysis.

Authentication Bypass Active Iq Onecollect
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Hard-coded credentials in NetApp Active IQ Config Advisor 6.7.3 enable authenticated low-privileged attackers to perform unauthorized AutoSupport operations against connected NetApp infrastructure. The embedded credentials bypass intended access controls, allowing any account holder to trigger or manipulate AutoSupport telemetry functions beyond their assigned privilege level. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.

Authentication Bypass Active Iq Config Advisor
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Emergency

Hard-coded VNC password in the Eppendorf BioFlo 320 bioprocess control system allows any remote attacker who can reach the device on the network to take full control of its user interface without authentication. The flaw (CWE-259) is rated CVSS 9.3 and carries an SSVC technical impact of 'total' with automatable exploitation, though no public exploit has been identified at time of analysis and EPSS is low at 0.10%.

Authentication Bypass Bioflo 320
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Siklu EtherHaul 8010 wireless backhaul devices contain a static root password that enables physical attackers or those with local console access to gain complete administrative control without authentication. The vulnerability affects firmware version 10.6.2-18707 and potentially other versions of the EtherHaul 8010 product line, allowing credential-based authentication bypass with high confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at this time, though the CVSS:3.1 physical attack vector (AV:P) reflects that an attacker must have direct physical access to the device's console interfaces.

Authentication Bypass Etherhaul 8010
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Hardcoded password vulnerability in Yokogawa CENTUM VP allows authentication bypass for the PROG system account across versions R5.01.00-R5.04.20, R6.01.00-R6.12.00, and R7.01.00. An attacker who obtains the hardcoded credential and has direct access to the Human Interface Station (HIS) running CTM authentication mode can log in as PROG; however, real-world risk is constrained because PROG defaults to S1 (OFFUSER) permission level, and exploitation requires pre-existing HIS access. No public exploit code or active CISA KEV status identified at time of analysis.

Authentication Bypass Centum Vp
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Hard-coded credentials in YI Home Camera 2 firmware 2.1.1_20171024151200 allow adjacent network attackers to gain complete device control without authentication. The vulnerability exists in the /home/web/ipc file component and enables full compromise of confidentiality, integrity, and availability. Public exploit code exists (SSVC: poc) and vendor Yi Technology did not respond to responsible disclosure, leaving devices unpatched. EPSS score is low (0.02%, 5th percentile) despite total technical impact, suggesting limited widespread exploitation but significant risk for exposed IoT camera deployments on shared networks.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

QNAP Hyper Data Protector before 2.3.1.455 contains hard-coded credentials that allow remote unauthenticated attackers to gain unauthorized access to backup management functions, potentially compromising all backed-up data across the organization.

Authentication Bypass Hyper Data Protector
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy