CWE-798
Use of Hard-coded Credentials
MITRE
No catalog description on file. The MITRE CWE site has the canonical reference.
Recent CVEs
showing 18 of 18
- CVE-2026-50083 · Critical · 9.1 · 20 h ago
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9
- CVE-2026-22769 · Critical · 10.0 · KEV · EPSS 27% · 21 h ago
Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability
- CVE-2021-44207 · High · 8.1 · KEV · EPSS 9% · 21 h ago
Acclaim Systems USAHERDS Use of Hard-Coded Credentials Vulnerability
- CVE-2024-3272 · Critical · 9.8 · KEV · EPSS 94% · 21 h ago
D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
- CVE-2022-26138 · Critical · 9.8 · KEV · EPSS 94% · 21 h ago
Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability
- CVE-2019-6693 · Medium · 6.5 · KEV · EPSS 72% · 21 h ago
Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability
- CVE-2020-8657 · Critical · 9.8 · KEV · EXPLOIT · EPSS 89% · 21 h ago
EyesOfNetwork Use of Hard-Coded Credentials Vulnerability
- CVE-2024-28987 · Critical · 9.1 · KEV · EXPLOIT · EPSS 94% · 21 h ago
SolarWinds Web Help Desk Hardcoded Credential Vulnerability
- CVE-2025-14611 · Critical · 9.8 · KEV · EXPLOIT · EPSS 82% · 21 h ago
Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
- CVE-2026-10557 · Critical · 9.8 · 21 h ago
The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation.
- CVE-2026-11849 · Critical · 9.8 · EPSS 0% · 21 h ago
The iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remote attackers to exploit hard-coded credentials to gain administrative privileges on the database.
- CVE-2026-47281 · Critical · 9.6 · EPSS 0% · 3 d ago
Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
- CVE-2016-20031 · Medium · 5.5 · EPSS 0% · 4 d ago
ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClient
- CVE-2016-20026 · Critical · 9.8 · EPSS 0% · 4 d ago
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users
- CVE-2026-49201 · Critical · 9.8 · EPSS 0% · 5 d ago
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.
- CVE-2025-1029 · High · 7.5 · EPSS 0% · 7 d ago
Use of Hard-coded Credentials vulnerability in Utarit Information Services Inc. SoliClub allows Read Sensitive Constants Within an Executable. This issue affects SoliClub: from 5.2.4 before 5.3.7.
- CVE-2025-0642 · Medium · 6.3 · EPSS 0% · 7 d ago
Use of Hard-coded Credentials, Authorization Bypass Through User-Controlled Key vulnerability in PosCube Hardware Software and Consulting Ltd. Co. Assist allows Excavation, Authentication Bypass. This issue affects Assist: through 10.02.20
- CVE-2026-11414 · — · EPSS 0% · 7 d ago
A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forg
CWE catalog data sourced from MITRE. CVE associations come from NVD weakness mappings; some CVEs carry multiple CWEs.