Monthly
Hardcoded database credentials in Text to Speech for WP (AI Voices by Mementor) WordPress plugin versions ≤1.9.8 expose the vendor's external telemetry MySQL server to unauthorized write access by unauthenticated remote attackers. The credentials are embedded in the Mementor_TTS_Remote_Telemetry class and can be extracted via static analysis or HTTP request inspection. EPSS data not provided, but the unauthenticated network vector (CVSS:3.1/AV:N/AC:L/PR:N) and public disclosure via Wordfence indicate elevated risk despite no confirmed active exploitation (CISA KEV) or publicly available exploit code identified at time of analysis.
Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers access to production cloud storage containers with excessive permissions. The CVSS v4.0 score of 8.8 reflects network-accessible attack vector with no complexity barriers, enabling high confidentiality impact and limited integrity/availability impact. CISA ICS-CERT disclosure indicates industrial/IoT context. No public exploit identified at time of analysis, though hardcoded credential vulnerabilities are trivial to exploit once discovered. EPSS data not available for this recent CVE.
Hardcoded cryptographic key in Metronik MEPIS RM's Mx.Web.ComponentModel.dll component allows privileged database users to decrypt stored domain passwords and gain unauthorized access to ICS/OT environments. The vulnerability affects all versions of MEPIS RM where password storage is enabled; exploitation requires high-level privileges to access the application database, and no public exploit code has been identified at time of analysis.
Hard-coded AWS credentials in AL-KO Robolinho Update Software allow unauthenticated attackers to directly access AL-KO's AWS S3 bucket with read permissions and potentially escalated privileges beyond the application's intended access model. Version 8.0.21.0610 is confirmed vulnerable; the full affected version range is unknown due to lack of vendor cooperation. No public exploit code or active exploitation has been reported, but the credentials are trivially extractable from the application binary.
Microchip Time Provider 4100 contains hard-coded credentials used for software update decryption, allowing malicious actors to craft and deploy unauthorized firmware updates without detection. Versions prior to 2.5.0 are affected. An attacker with local or network access to the device can leverage these credentials to bypass authentication controls during the manual software update process, potentially gaining full control of the time synchronization infrastructure.
Wandb OpenUI up to version 1.0 contains hard-coded credentials exposure in backend/openui/config.py where the LITELLM_MASTER_KEY argument is improperly handled, allowing local authenticated users with low privileges to read sensitive authentication material. The vulnerability has a low CVSS score (3.3) due to local-only attack vector and low impact scope, but publicly available exploit code exists and vendor contact has been unsuccessful, increasing practical risk for deployed instances.
SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive database contents and potentially compromise data integrity and availability. The vulnerability carries a CVSS score of 8.3 with network-based attack vector requiring user interaction. No public exploit is identified at time of analysis, and SSVC assessment indicates no current exploitation with non-automatable attack characteristics.
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user interaction to extract sensitive secrets from source code or insecure repositories, resulting in high confidentiality compromise and complete denial of service. CVSS score 7.3 reflects network-accessible attack requiring low privileges and user interaction. No public exploit identified at time of analysis, with SSVC framework indicating no current exploitation and non-automatable attack characteristics.
IBM Concert versions 1.0.0 through 2.2.0 contain hard-coded credentials accessible to local users, enabling unauthorized authentication bypass and potential privilege escalation. An attacker with local access can extract these credentials to gain unauthorized system access without requiring network connectivity or user interaction. This vulnerability is classified as moderate severity (CVSS 6.2) with high confidentiality impact but no direct integrity or availability impact.
A hard-coded credentials vulnerability exists in the Addi buy-now-pay-later WordPress plugin (versions up to 2.0.4) that enables password recovery exploitation and authentication bypass attacks. Attackers can leverage embedded credentials to gain unauthorized access to user accounts and potentially escalate privileges within the plugin's functionality. This vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and has been reported by Patchstack; no CVSS score, EPSS data, or active KEV status is currently available, though the authentication bypass nature suggests active exploitation risk.
Hardcoded database credentials in Text to Speech for WP (AI Voices by Mementor) WordPress plugin versions ≤1.9.8 expose the vendor's external telemetry MySQL server to unauthorized write access by unauthenticated remote attackers. The credentials are embedded in the Mementor_TTS_Remote_Telemetry class and can be extracted via static analysis or HTTP request inspection. EPSS data not provided, but the unauthenticated network vector (CVSS:3.1/AV:N/AC:L/PR:N) and public disclosure via Wordfence indicate elevated risk despite no confirmed active exploitation (CISA KEV) or publicly available exploit code identified at time of analysis.
Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers access to production cloud storage containers with excessive permissions. The CVSS v4.0 score of 8.8 reflects network-accessible attack vector with no complexity barriers, enabling high confidentiality impact and limited integrity/availability impact. CISA ICS-CERT disclosure indicates industrial/IoT context. No public exploit identified at time of analysis, though hardcoded credential vulnerabilities are trivial to exploit once discovered. EPSS data not available for this recent CVE.
Hardcoded cryptographic key in Metronik MEPIS RM's Mx.Web.ComponentModel.dll component allows privileged database users to decrypt stored domain passwords and gain unauthorized access to ICS/OT environments. The vulnerability affects all versions of MEPIS RM where password storage is enabled; exploitation requires high-level privileges to access the application database, and no public exploit code has been identified at time of analysis.
Hard-coded AWS credentials in AL-KO Robolinho Update Software allow unauthenticated attackers to directly access AL-KO's AWS S3 bucket with read permissions and potentially escalated privileges beyond the application's intended access model. Version 8.0.21.0610 is confirmed vulnerable; the full affected version range is unknown due to lack of vendor cooperation. No public exploit code or active exploitation has been reported, but the credentials are trivially extractable from the application binary.
Microchip Time Provider 4100 contains hard-coded credentials used for software update decryption, allowing malicious actors to craft and deploy unauthorized firmware updates without detection. Versions prior to 2.5.0 are affected. An attacker with local or network access to the device can leverage these credentials to bypass authentication controls during the manual software update process, potentially gaining full control of the time synchronization infrastructure.
Wandb OpenUI up to version 1.0 contains hard-coded credentials exposure in backend/openui/config.py where the LITELLM_MASTER_KEY argument is improperly handled, allowing local authenticated users with low privileges to read sensitive authentication material. The vulnerability has a low CVSS score (3.3) due to local-only attack vector and low impact scope, but publicly available exploit code exists and vendor contact has been unsuccessful, increasing practical risk for deployed instances.
SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive database contents and potentially compromise data integrity and availability. The vulnerability carries a CVSS score of 8.3 with network-based attack vector requiring user interaction. No public exploit is identified at time of analysis, and SSVC assessment indicates no current exploitation with non-automatable attack characteristics.
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user interaction to extract sensitive secrets from source code or insecure repositories, resulting in high confidentiality compromise and complete denial of service. CVSS score 7.3 reflects network-accessible attack requiring low privileges and user interaction. No public exploit identified at time of analysis, with SSVC framework indicating no current exploitation and non-automatable attack characteristics.
IBM Concert versions 1.0.0 through 2.2.0 contain hard-coded credentials accessible to local users, enabling unauthorized authentication bypass and potential privilege escalation. An attacker with local access can extract these credentials to gain unauthorized system access without requiring network connectivity or user interaction. This vulnerability is classified as moderate severity (CVSS 6.2) with high confidentiality impact but no direct integrity or availability impact.
A hard-coded credentials vulnerability exists in the Addi buy-now-pay-later WordPress plugin (versions up to 2.0.4) that enables password recovery exploitation and authentication bypass attacks. Attackers can leverage embedded credentials to gain unauthorized access to user accounts and potentially escalate privileges within the plugin's functionality. This vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and has been reported by Patchstack; no CVSS score, EPSS data, or active KEV status is currently available, though the authentication bypass nature suggests active exploitation risk.