Search Results (300 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-25505 2 Bambuddy, Maziggy 2 Bambuddy, Bambuddy 2026-04-18 9.8 Critical
Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7.
CVE-2026-1442 1 Unitree 15 Go1 Air, Go1 Air Firmware, Go1 Pro and 12 more 2026-04-18 7.8 High
Since the encryption algorithm used to protect firmware updates is itself encrypted using key material available to an attacker (or anyone paying attention), the firmware updates may be altered by an unauthorized user, and then trusted by a Unitree product, such as the Unitree Go2 and other models. This issue appears to affect all of Unitree’s current offerings as of February 26, 2026, and so should be considered a vulnerability in both the firmware generation and extraction processes. At the time of this release, there is no publicly-documented mechanism to subvert the update process and insert poisoned firmware packages without the equipment owner’s knowledge.
CVE-2026-22586 1 Salesforce 1 Marketing Cloud Engagement 2026-04-18 9.8 Critical
Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
CVE-2026-2103 1 Infor 1 Syteline Erp 2026-04-17 7.1 High
Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt all stored credentials.
CVE-2026-22906 1 Wago 2 0852-1322, 0852-1328 2026-04-17 9.8 Critical
User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.
CVE-2026-25894 1 Frangoteam 1 Fuxa 2026-04-17 9.8 Critical
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.
CVE-2026-26335 1 Calero 1 Verasmart 2026-04-17 9.8 Critical
Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\\Program Files (x86)\\Veramark\\VeraSMART\\WebRoot\\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.
CVE-2026-27519 1 Binardat 3 10g08-0800gsm, 10g08-0800gsm Firmware, 10g08-0800gsm Network Switch 2026-04-17 7.5 High
Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior use RC4 with a hard-coded key embedded in client-side JavaScript. Because the key is static and exposed, an attacker can decrypt protected values and defeat confidentiality protections.
CVE-2026-0754 1 Hp 3 Edge E, Trio 8300, Vvx 2026-04-17 N/A
An embedded test key and certificate could be extracted from a Poly Voice device using specialized reverse engineering tools. This extracted certificate could be accepted by a SIP service provider if the service provider does not perform proper validation of the device certificate.
CVE-2026-33266 1 Apache 1 Openmeetings 2026-04-15 7.5 High
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
CVE-2025-24525 1 Keysight 1 Ixia Vision 2026-04-15 7.5 High
Keysight Ixia Vision has an issue with hardcoded cryptographic material which may allow an attacker to intercept or decrypt payloads sent to the device via API calls or user authentication if the end user does not replace the TLS certificate that shipped with the device. Remediation is available in Version 6.9.1, released on September 23, 2025.
CVE-2025-46582 1 Zte 1 Zxmp M721 2026-04-15 7.7 High
A private key disclosure vulnerability exists in ZTE's ZXMP M721 product. A low-privileged user can bypass authorization checks to view the device's communication private key, resulting in key exposure and impacting communication security.
CVE-2025-58069 1 Automationdirect 1 Click Plus 2026-04-15 5.3 Medium
The use of a hard-coded cryptographic key was discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software contains a hard-coded AES key used to protect the initial messages of a new KOPS session.
CVE-2024-45837 2026-04-15 N/A
Use of hard-coded cryptographic key issue exists in AIPHONE IX SYSTEM, IXG SYSTEM, and System Support Software. A network-adjacent unauthenticated attacker may log in to SFTP service and obtain and/or manipulate unauthorized files.
CVE-2025-1099 2026-04-15 N/A
This vulnerability exists in Tapo C500 Wi-Fi camera due to hard-coded RSA private key embedded within the device firmware. An attacker with physical access could exploit this vulnerability to obtain cryptographic private keys which can then be used to perform impersonation, data decryption and man in the middle attacks on the targeted device.
CVE-2025-31362 2026-04-15 N/A
Use of hard-coded cryptographic key issue exists in BizRobo! all versions. Credentials inside robot files may be obtained if the encryption key is available. The vendor provides the workaround information and recommends to apply it to the deployment environment.
CVE-2025-11899 1 Flowring 1 Agentflow 2026-04-15 8.1 High
Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into the system as any user. Attacker must first obtain an user ID in order to exploit this vulnerability.
CVE-2025-13948 1 Opsre 1 Go-ldap-admin 2026-04-15 5.6 Medium
A vulnerability was determined in opsre go-ldap-admin up to 20251011. This issue affects some unknown processing of the file docs/docker-compose/docker-compose.yaml of the component JWT Handler. Executing manipulation of the argument secret key can lead to use of hard-coded cryptographic key . The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized.
CVE-2025-10080 2026-04-15 3.1 Low
A vulnerability has been found in running-elephant Datart up to 1.0.0-rc3. Affected by this issue is the function getTokensecret of the file datart/security/src/main/java/datart/security/util/AESUtil.java of the component API. The manipulation leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
CVE-2024-41260 1 Netbirdio 1 Netbird 2026-04-15 7.5 High
A static initialization vector (IV) in the encrypt function of netbird management's service from v0.23.2 to v0.29.1 allows attackers to obtain sensitive information (email addresses) when in possession of the audit events database.