CWE-798— Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.— MITRE CWE catalog
1,625 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-798page 33 of 33
- CVE-2026-49204MEDIUMCVSS 6.5EG 6.52026-06-04
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation.
- CVE-2026-49323MEDIUMCVSS 4.3EG 4.32026-05-29
Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network t…
- CVE-2026-50083CRITICALCVSS 9.8EG 9.12026-06-12
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N…
- CVE-2026-50091HIGHCVSS 7.4EG 9.12026-06-12
Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimat…
- CVE-2026-50110CRITICALCVSS 9.2EG 9.22026-07-01
Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The expo…
- CVE-2026-50213HIGHCVSS 7.5EG 7.52026-06-04
The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings.
- CVE-2026-5065HIGHCVSS 8.8EG 8.82026-05-27
IBM Controller 11.0.1, 11.1.0, 11.1.1, and 11.1.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of i…
- CVE-2026-5189CRITICALCVSS 9.2EG 9.22026-04-15
CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute ar…
- CVE-2026-56265CRITICALCVSS 9.8EG 9.82026-06-21
Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing aut…
- CVE-2026-56269MEDIUMCVSS 4.6EG 5.62026-04-16
Flowise before 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variabl…
- CVE-2026-56278CRITICALCVSS 9.1EG 9.12026-07-01
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise…
- CVE-2026-5667HIGHCVSS 7.2EG 7.22026-06-17
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Packaged Air C…
- CVE-2026-57172HIGHCVSS 8.3EG 8.32026-07-07
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, ShareSecretManage uses a hardcoded default share link signature key, allowing an attacker who can obtain a passwordless share for a resource and user to use…
- CVE-2026-6574HIGHCVSS 7.3EG 7.32026-04-19
A vulnerability has been found in osuuu LightPicture up to 1.2.2. This issue affects some unknown processing of the file /public/install/lp.sql of the component API Upload Endpoint. Such manipulation of the argument key leads to hard-coded…
- CVE-2026-6578MEDIUMCVSS 5.6EG 5.62026-04-19
A security flaw has been discovered in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component Setting Handler. The manipulation of the argument SECRET_KEY results in hard…
- CVE-2026-6610LOWCVSS 3.7EG 3.72026-04-20
A vulnerability has been found in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file djangoblog/settings.py of the component Setting Handler. Such manipulation of the argument USER/PASSWORD leads…
- CVE-2026-7414CRITICALCVSS 9.8EG 9.82026-05-07
Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial un…
- CVE-2026-7579HIGHCVSS 7.3EG 7.32026-05-01
A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.16.0. This issue affects some unknown processing of the file astrbot/dashboard/routes/auth.py of the component Dashboard. The manipulation leads to hard-coded creden…
- CVE-2026-7786CRITICALCVSS 9.8EG 9.82026-05-29
Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials can be extracted through firmware analys…
- CVE-2026-7839CRITICALCVSS 9.1EG 9.12026-07-01
UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string "adminadmi2…
- CVE-2026-8032HIGHCVSS 7.3EG 7.32026-05-06
A flaw has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. The impacted element is an unknown function of the file /cdemos/echs/priv/echs.js. This manipulation of the argument ADMIN_KEY causes hard-coded credentials. The att…
- CVE-2026-8605CRITICALCVSS 9.8EG 9.82026-05-19
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
- CVE-2026-8876HIGHCVSS 7.3EG 7.32026-06-03
Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.
- CVE-2026-9139CRITICALCVSS 9.8EG 9.82026-05-20
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing…
- CVE-2026-9260CRITICALCVSS 9.8EG 6.22026-06-16
Use of hard-coded cryptographic keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier
Map vulnerabilities like CWE-798 to your infrastructure
EchelonGraph correlates every CVE — across CWE-798 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →