Common Weakness Enumeration

CWE-798

Allowed-with-Review

Use of Hard-coded Credentials

Abstraction: Base · Status: Draft

The product contains hard-coded credentials, such as a password or cryptographic key.

2178 vulnerabilities reference this CWE, most recent first.

GHSA-M56Q-XH2M-7M5P

Vulnerability from github – Published: 2023-08-28 06:30 – Updated: 2024-04-04 07:13
VLAI
Details

SpotCam Co., Ltd. SpotCam FHD 2 has a vulnerability of using hard-coded uBoot credentials. An remote attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-28T04:15:16Z",
    "severity": "CRITICAL"
  },
  "details": "\nSpotCam Co., Ltd. SpotCam FHD 2 has a vulnerability of using hard-coded uBoot credentials. An remote attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service.\n\n",
  "id": "GHSA-m56q-xh2m-7m5p",
  "modified": "2024-04-04T07:13:56Z",
  "published": "2023-08-28T06:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38026"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-7333-972ca-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M5V2-9QV5-HVH2

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:08
VLAI
Details

SICK MSC800 all versions prior to Version 4.0, the affected firmware versions contain a hard-coded customer account password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-10979"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-01T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "SICK MSC800 all versions prior to Version 4.0, the affected firmware versions contain a hard-coded customer account password.",
  "id": "GHSA-m5v2-9qv5-hvh2",
  "modified": "2024-04-04T01:08:07Z",
  "published": "2022-05-24T16:49:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10979"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/de/en/service-and-support/the-sick-product-security-incident-response-team-sick-psirt/w/psirt/#advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-19-178-04"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108924"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M656-2GWX-2QC9

Vulnerability from github – Published: 2022-05-19 00:00 – Updated: 2022-05-27 00:00
VLAI
Details

A weak default password for the serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-18T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A weak default password for the serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical access.",
  "id": "GHSA-m656-2gwx-2qc9",
  "modified": "2022-05-27T00:00:49Z",
  "published": "2022-05-19T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42849"
    },
    {
      "type": "WEB",
      "url": "https://iknow.lenovo.com.cn/detail/dc_200017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M65W-R8PM-J2P4

Vulnerability from github – Published: 2026-07-17 21:31 – Updated: 2026-07-17 21:31
VLAI
Details

IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-17T21:17:05Z",
    "severity": "CRITICAL"
  },
  "details": "IBM Langflow OSS 1.0.0 through 1.10.1 contains\u00a0hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.",
  "id": "GHSA-m65w-r8pm-j2p4",
  "modified": "2026-07-17T21:31:45Z",
  "published": "2026-07-17T21:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13446"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7279991"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M6G3-CH98-VRMR

Vulnerability from github – Published: 2024-09-19 18:30 – Updated: 2024-09-30 21:02
VLAI
Details

Kastle Systems firmware prior to May 1, 2024, contained a hard-coded credential, which if accessed may allow an attacker to access sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45861"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-19T16:15:05Z",
    "severity": "CRITICAL"
  },
  "details": "Kastle Systems firmware prior to May 1, 2024, contained a hard-coded credential, which if accessed may allow an attacker to access sensitive information.",
  "id": "GHSA-m6g3-ch98-vrmr",
  "modified": "2024-09-30T21:02:12Z",
  "published": "2024-09-19T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45861"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M6XR-CGMM-VX52

Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35
VLAI
Details

Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers R4.02 and prior, FCN-RTU controllers R4.02 and prior, and FCN-500 controllers R4.02 and prior utilize hard-coded credentials that could allow an attacker to gain unauthorized administrative access to the device, which could result in remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10592"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-31T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers R4.02 and prior, FCN-RTU controllers R4.02 and prior, and FCN-500 controllers R4.02 and prior utilize hard-coded credentials that could allow an attacker to gain unauthorized administrative access to the device, which could result in remote code execution.",
  "id": "GHSA-m6xr-cgmm-vx52",
  "modified": "2022-05-13T01:35:01Z",
  "published": "2022-05-13T01:35:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10592"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-151-03"
    },
    {
      "type": "WEB",
      "url": "https://web-material3.yokogawa.com/1/6712/details/YSAR-18-0004-E.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104376"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M727-97QG-JRMP

Vulnerability from github – Published: 2025-03-14 12:32 – Updated: 2025-03-14 12:32
VLAI
Details

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via hard-coded credentials. This makes it possible for unauthenticated attackers to extract sensitive data including LinkedIn client and secret keys.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-14T12:15:14Z",
    "severity": "HIGH"
  },
  "details": "The Civi - Job Board \u0026 Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via hard-coded credentials. This makes it possible for unauthenticated attackers to extract sensitive data including LinkedIn client and secret keys.",
  "id": "GHSA-m727-97qg-jrmp",
  "modified": "2025-03-14T12:32:02Z",
  "published": "2025-03-14T12:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13773"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3499182-7501-4fec-a7c6-b66ae47533cd?source=cve"
    },
    {
      "type": "WEB",
      "url": "http://localhost:1337/wp-content/themes/civi/includes/class-init.php#L36"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7MQ-85XJ-9X33

Vulnerability from github – Published: 2026-04-16 21:22 – Updated: 2026-06-24 13:06
VLAI
Summary
Flowise: Weak Default Token Hash Secret
Details

Detection Method: Kolega.dev Deep Code Scan

Attribute Value
Location packages/server/src/enterprise/utils/tempTokenUtils.ts:31-34
Practical Exploitability Medium
Developer Approver faizan@kolega.ai

Description

The encryption key for token encryption has a weak default value 'Secre$t' when TOKEN_HASH_SECRET environment variable is not set.

Affected Code

const key = crypto
    .createHash('sha256')
    .update(process.env.TOKEN_HASH_SECRET || 'Secre$t')
    .digest()

Evidence

The default value 'Secre$t' is hardcoded in the source code and is cryptographically weak. This key is used to encrypt user IDs and workspace IDs in JWT tokens.

Impact

Token forgery - attackers can decrypt and manipulate encrypted token metadata, potentially changing user IDs or workspace IDs to escalate privileges or access unauthorized data.

Recommendation

Require TOKEN_HASH_SECRET to be set as a strong random value in environment variables. Throw an error on startup if not configured. Use a minimum of 32 bytes of entropy.

Notes

The TOKEN_HASH_SECRET has a weak hardcoded default 'Secre$t' (lines 31-34 and 50-53). This secret is used to derive an AES-256-CBC encryption key for encrypting sensitive metadata (user ID and workspace ID) embedded in JWT tokens via encryptToken() called at line 394 of passport/index.ts. If TOKEN_HASH_SECRET is not configured, an attacker knowing the default can decrypt the 'meta' field in JWTs to extract user IDs and workspace IDs. While this alone doesn't grant access (the JWT signature is separate), it leaks internal identifiers that could aid other attacks. The .env.example shows '# TOKEN_HASH_SECRET='popcorn'' - another weak value, and it's commented out suggesting it's optional. The application should require this secret to be explicitly set with a strong random value.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-56269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:22:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "**Detection Method:** Kolega.dev Deep Code Scan\n\n| Attribute | Value |\n|---|---|\n| Location | packages/server/src/enterprise/utils/tempTokenUtils.ts:31-34 |\n| Practical Exploitability | Medium |\n| Developer Approver | faizan@kolega.ai |\n\n### Description\nThe encryption key for token encryption has a weak default value \u0027Secre$t\u0027 when TOKEN_HASH_SECRET environment variable is not set.\n\n### Affected Code\n```\nconst key = crypto\n    .createHash(\u0027sha256\u0027)\n    .update(process.env.TOKEN_HASH_SECRET || \u0027Secre$t\u0027)\n    .digest()\n```\n\n### Evidence\nThe default value \u0027Secre$t\u0027 is hardcoded in the source code and is cryptographically weak. This key is used to encrypt user IDs and workspace IDs in JWT tokens.\n\n### Impact\nToken forgery - attackers can decrypt and manipulate encrypted token metadata, potentially changing user IDs or workspace IDs to escalate privileges or access unauthorized data.\n\n### Recommendation\nRequire TOKEN_HASH_SECRET to be set as a strong random value in environment variables. Throw an error on startup if not configured. Use a minimum of 32 bytes of entropy.\n\n### Notes\nThe TOKEN_HASH_SECRET has a weak hardcoded default \u0027Secre$t\u0027 (lines 31-34 and 50-53). This secret is used to derive an AES-256-CBC encryption key for encrypting sensitive metadata (user ID and workspace ID) embedded in JWT tokens via encryptToken() called at line 394 of passport/index.ts. If TOKEN_HASH_SECRET is not configured, an attacker knowing the default can decrypt the \u0027meta\u0027 field in JWTs to extract user IDs and workspace IDs. While this alone doesn\u0027t grant access (the JWT signature is separate), it leaks internal identifiers that could aid other attacks. The .env.example shows \u0027# TOKEN_HASH_SECRET=\u0027popcorn\u0027\u0027 - another weak value, and it\u0027s commented out suggesting it\u0027s optional. The application should require this secret to be explicitly set with a strong random value.",
  "id": "GHSA-m7mq-85xj-9x33",
  "modified": "2026-06-24T13:06:09Z",
  "published": "2026-04-16T21:22:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-m7mq-85xj-9x33"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flowise: Weak Default Token Hash Secret"
}

GHSA-M83F-PX8C-C623

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). The implemented encryption for communication with affected devices is prone to replay attacks due to the usage of a static key. An attacker could change the password or change the configuration on any affected device if using prepared messages that were generated for another device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294",
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-14T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions \u003c V8.3). The implemented encryption for communication with affected devices is prone to replay attacks due to the usage of a static key. An attacker could change the password or change the configuration on any affected device if using prepared messages that were generated for another device.",
  "id": "GHSA-m83f-px8c-c623",
  "modified": "2022-05-24T17:36:17Z",
  "published": "2022-05-24T17:36:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25229"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-480824.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M872-H33F-6RRM

Vulnerability from github – Published: 2022-05-14 01:30 – Updated: 2022-05-14 01:30
VLAI
Details

A Hard-coded Credentials vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable an attacker to gain access to the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7800"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-24T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A Hard-coded Credentials vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable an attacker to gain access to the device.",
  "id": "GHSA-m872-h33f-6rrm",
  "modified": "2022-05-14T01:30:15Z",
  "published": "2022-05-14T01:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7800"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-031-01"
    },
    {
      "type": "WEB",
      "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-354-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106807"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
  • In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
Architecture and Design

For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.

Mitigation
Architecture and Design

If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.

Mitigation
Architecture and Design
  • For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
  • Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
Architecture and Design
  • For front-end to back-end connections: Three solutions are possible, although none are complete.
  • The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
  • Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
  • Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable

An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.

CAPEC-70: Try Common or Default Usernames and Passwords

An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.