CWE-321— Use of Hard-coded Cryptographic Key
The product uses a hard-coded, unchangeable cryptographic key.— MITRE CWE catalog
292 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-321page 6 of 6
- CVE-2026-32644CRITICALCVSS 9.8EG 9.82026-04-28
Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.
- CVE-2026-32958MEDIUMCVSS 6.5EG 6.52026-04-20
SD-330AC and AMC Manager provided by silex technology, Inc. use a hard-coded cryptographic key. An administrative user may be directed to apply a fake firmware update.
- CVE-2026-33266HIGHCVSS 7.5EG 7.52026-04-09
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default enc…
- CVE-2026-33362HIGHCVSS 8.6EG 8.62026-05-11
In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material…
- CVE-2026-34022HIGHCVSS 7.1EG 7.12026-06-15
The Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319, uses weak custom cryptographic algorithms with hard-coded cryptographic keys to protect communication. An attacker in an adversary-in-the-middle…
- CVE-2026-34029MEDIUMCVSS 6.8EG 6.82026-06-15
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a hard-coded cryptographic key in the SafeSystem.Infrastructure.Security.dll component. An attacker with access to the application files can reverse engineer …
- CVE-2026-35019HIGHCVSS 8.1EG 8.12026-06-23
NetComm NF20MESH routers running firmware R6B031 and earlier contain an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by exploiting a hardcoded AES-256 key used to encrypt session c…
- CVE-2026-39031MEDIUMCVSS 5.5EG 5.52026-06-26
Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local acces…
- CVE-2026-39810MEDIUMCVSS 6.0EG 6.02026-04-14
A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow attacker to information disclosure via decrypting database dump.
- CVE-2026-42518HIGHCVSS 8.7EG 8.72026-04-29
This vulnerability exists in e-Sushrut due to disclosure of sensitive information and hardcoded AES encryption keys in client-side JavaScript. An unauthenticated remote attacker could exploit this vulnerability by accessing the client-side…
- CVE-2026-44278LOWCVSS 2.3EG 2.32026-05-12
A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.2, FortiClientWindows 7.2 all versions may allow attacker to information disclosure via <insert attack vector here>
- CVE-2026-45041HIGHCVSS 8.7EG 8.72026-05-28
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to "…
- CVE-2026-45433HIGHCVSS 8.7EG 8.72026-06-04
This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware. A remote attacker could exploit this vulnerability by extracting the cryptographic private key from the firm…
- CVE-2026-46395CRITICALCVSS 9.3EG 9.32026-05-19
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unaut…
- CVE-2026-50091HIGHCVSS 7.4EG 9.12026-06-12
Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimat…
- CVE-2026-50226MEDIUMCVSS 5.3EG 5.32026-06-04
Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cl…
- CVE-2026-5310LOWCVSS 2.5EG 2.52026-04-01
A vulnerability was identified in Enter Software Iperius Backup up to 8.7.2. This impacts an unknown function of the file IperiusAccounts.ini. Such manipulation leads to use of hard-coded cryptographic key . The attack must be carried out…
- CVE-2026-5420LOWCVSS 2.5EG 2.52026-04-02
A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argumen…
- CVE-2026-5426CRITICALCVSS 9.1EG 7.52026-04-16
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState…
- CVE-2026-5452LOWCVSS 3.3EG 3.32026-04-03
A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android. This vulnerability affects unknown code of the file campusconnect/BuildConfig.java of the component campusconnect.ucc. This manipulation causes use of hard-coded crypt…
- CVE-2026-5453LOWCVSS 3.3EG 3.32026-04-03
A vulnerability has been found in Rico só vantagem pra investir App up to 4.58.32.12421 on Android. This issue affects some unknown processing of the file br/com/rico/mobile/di/SegmentSettingsModule.java of the component br.com.rico.mobil…
- CVE-2026-5454LOWCVSS 3.3EG 3.32026-04-03
A vulnerability was found in GRID Organiser App up to 1.0.5 on Android. Impacted is an unknown function of the file file res/raw/app.json of the component co.gridapp.organiser. Performing a manipulation of the argument SegmentWriteKey res…
- CVE-2026-5455LOWCVSS 3.3EG 3.32026-04-03
A vulnerability was determined in Dialogue App up to 4.3.2 on Android. The affected element is an unknown function of the file file res/raw/config.json of the component ca.diagram.dialogue. Executing a manipulation of the argument SEGMENT…
- CVE-2026-5456LOWCVSS 3.3EG 3.32026-04-03
A vulnerability was identified in Align Technology My Invisalign App 3.12.4 on Android. The impacted element is an unknown function of the file com/aligntech/myinvisalign/BuildConfig.java of the component com.aligntech.myinvisalign.emea. T…
- CVE-2026-5457LOWCVSS 3.3EG 3.32026-04-03
A security flaw has been discovered in PropertyGuru AgentNet Singapore App up to 23.7.10 on Android. This affects an unknown function of the file com/allproperty/android/agentnet/BuildConfig.java of the component com.allproperty.android.ag…
- CVE-2026-5458LOWCVSS 3.3EG 3.32026-04-03
A weakness has been identified in Noelse Individuals & Pro App up to 2.1.7 on Android. This impacts an unknown function of the file com/reactnative/antelop/BuildConfig.java of the component com.afone.noelse. This manipulation of the argume…
- CVE-2026-5462LOWCVSS 3.3EG 3.32026-04-03
A vulnerability was identified in Wahoo Fitness SYSTM App up to 7.2.1 on Android. Impacted is an unknown function of the file com/WahooFitness/SYSTM/BuildConfig.java of the component com.WahooFitness.SYSTM. Such manipulation of the argumen…
- CVE-2026-5471LOWCVSS 3.3EG 3.32026-04-03
A vulnerability was detected in Investory Toy Planet Trouble App up to 1.5.5 on Android. Impacted is an unknown function of the file assets/google-services-desktop.json of the component app.investory.toyfactory. The manipulation of the arg…
- CVE-2026-54833HIGHCVSS 7.4EG 7.42026-06-26
Unauthenticated Backdoor in Enable CORS <= 2.0.3 versions.
- CVE-2026-5527MEDIUMCVSS 5.3EG 5.32026-04-05
A weakness has been identified in Tenda 4G03 Pro 1.0/1.0re/01.bin/04.03.01.53. Affected by this issue is some unknown functionality of the file /etc/www/pem/server.key of the component ECDSA P-256 Private Key Handler. This manipulation cau…
- CVE-2026-5549MEDIUMCVSS 5.3EG 5.32026-04-05
A vulnerability was determined in Tenda AC10 16.03.10.10_multi_TDE01. Affected by this issue is some unknown functionality of the file /webroot_ro/pem/privkeySrv.pem of the component RSA 2048-bit Private Key Handler. Executing a manipulati…
- CVE-2026-5622LOWCVSS 3.7EG 3.72026-04-06
A vulnerability was determined in hcengineering Huly Platform 0.7.382. Affected by this issue is some unknown functionality of the file foundations/core/packages/token/src/token.ts of the component JWT Token Handler. This manipulation of t…
- CVE-2026-57172HIGHCVSS 8.3EG 8.32026-07-07
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordless share for a resource and user to use…
- CVE-2026-6580HIGHCVSS 7.3EG 7.32026-04-19
A security vulnerability has been detected in liangliangyy DjangoBlog up to 2.1.0.0. Affected is an unknown function of the file owntracks/views.py of the component Amap API Call Handler. Such manipulation of the argument key leads to use …
- CVE-2026-6611LOWCVSS 3.1EG 3.12026-04-20
A vulnerability was found in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component File Upload Endpoint. Performing a manipulation of the argument SECRET_KEY results in …
- CVE-2026-6787HIGHCVSS 7.8EG 7.82026-05-06
Use of Hard-coded Cryptographic Key vulnerability in WatchGuard Agent on Windows allows Inclusion of Code in Existing Process.This issue affects WatchGuard Agent: before 1.25.03.0000.
- CVE-2026-7018MEDIUMCVSS 5.6EG 5.62026-04-26
A vulnerability was determined in Datavane Datavines up to 13607645e14a4982468cfdbcf75c85cde63bae71. The affected element is an unknown function of the file datavines-core/src/main/java/io/datavines/core/utils/TokenManager.java of the comp…
- CVE-2026-7306MEDIUMCVSS 5.6EG 5.62026-04-28
A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component Open…
- CVE-2026-8243MEDIUMCVSS 5.3EG 5.32026-05-10
A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This affects an unknown function of the component JNLP Deployment Endpoint. Executing a manipulation can lead to use of hard-coded cryptographic key . …
- CVE-2026-8739MEDIUMCVSS 5.3EG 5.32026-05-17
A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java. The manipulation of the a…
- CVE-2026-9220HIGHCVSS 7.5EG 7.52026-06-26
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 wat…
- CVE-2026-9260CRITICALCVSS 9.8EG 6.22026-06-16
Use of hard-coded cryptographic keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier
Map vulnerabilities like CWE-321 to your infrastructure
EchelonGraph correlates every CVE — across CWE-321 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →