CWE-259
Use of Hard-coded Password
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
CVE-2025-9806 (GCVE-0-2025-9806)
Vulnerability from cvelistv5 – Published: 2025-09-02 00:32 – Updated: 2025-09-02 19:33
VLAI
Title
Tenda F1202 Administrative shadow hard-coded credentials
Summary
A vulnerability was determined in Tenda F1202 1.2.0.9/1.2.0.14/1.2.0.20. Impacted is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. This manipulation with the input Fireitup causes hard-coded credentials. The attack can only be executed locally. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.322130 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.322130 | signaturepermissions-required |
| https://vuldb.com/?submit.640980 | third-party-advisory |
| https://github.com/August829/Yu/blob/main/58ead8e… | related |
| https://github.com/August829/Yu/blob/main/58ead8e… | exploit |
| https://www.tenda.com.cn/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9806",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T19:27:54.101282Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T19:33:32.924Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Administrative Interface"
],
"product": "F1202",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "1.2.0.9"
},
{
"status": "affected",
"version": "1.2.0.14"
},
{
"status": "affected",
"version": "1.2.0.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Yu Bao (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Tenda F1202 1.2.0.9/1.2.0.14/1.2.0.20. Impacted is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. This manipulation with the input Fireitup causes hard-coded credentials. The attack can only be executed locally. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized."
},
{
"lang": "de",
"value": "In Tenda F1202 1.2.0.9/1.2.0.14/1.2.0.20 wurde eine Schwachstelle gefunden. Dies betrifft einen unbekannten Teil der Datei /etc_ro/shadow der Komponente Administrative Interface. Durch Manipulation mit der Eingabe Fireitup mit unbekannten Daten kann eine hard-coded credentials-Schwachstelle ausgenutzt werden. Der Angriff erfordert einen lokalen Zugriff. Ein Angriff erfordert eine vergleichsweise hohe Komplexit\u00e4t. Die Ausnutzbarkeit gilt als schwierig. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 1.8,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 1.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 1.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 0.8,
"vectorString": "AV:L/AC:H/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T00:32:07.898Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-322130 | Tenda F1202 Administrative shadow hard-coded credentials",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.322130"
},
{
"name": "VDB-322130 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.322130"
},
{
"name": "Submit #640980 | Tenda F1202 V1.2.0.14/V1.2.0.20/V1.2.0.9 Hard-coded Credentials",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.640980"
},
{
"tags": [
"related"
],
"url": "https://github.com/August829/Yu/blob/main/58ead8e7e08bfb0e9.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/August829/Yu/blob/main/58ead8e7e08bfb0e9.md#steps-to-reproduce"
},
{
"tags": [
"product"
],
"url": "https://www.tenda.com.cn/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-01T17:17:06.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tenda F1202 Administrative shadow hard-coded credentials"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9806",
"datePublished": "2025-09-02T00:32:07.898Z",
"dateReserved": "2025-09-01T15:09:53.760Z",
"dateUpdated": "2025-09-02T19:33:32.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-11515 (GCVE-0-2026-11515)
Vulnerability from cvelistv5 – Published: 2026-06-08 12:45 – Updated: 2026-06-08 13:16 X_Freeware
VLAI
Title
SourceCodester Barangay Resident Profiling and Information Management System Password Reset passsword_reset.php hard-coded password
Summary
A vulnerability has been found in SourceCodester Barangay Resident Profiling and Information Management System 1.0. The impacted element is an unknown function of the file passsword_reset.php of the component Password Reset Handler. Such manipulation of the argument new_password with the input password123 leads to use of hard-coded password. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369135 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369135/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11515 | third-party-advisory |
| https://vuldb.com/submit/836238 | third-party-advisory |
| https://www.sourcecodester.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Barangay Resident Profiling and Information Management System |
Affected:
1.0
cpe:2.3:a:sourcecodester:barangay_resident_profiling_and_information_management_system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11515",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:16:31.477337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:16:39.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:barangay_resident_profiling_and_information_management_system:*:*:*:*:*:*:*:*"
],
"modules": [
"Password Reset Handler"
],
"product": "Barangay Resident Profiling and Information Management System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kamran Saifullah (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB Vulnerability Moderation Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in SourceCodester Barangay Resident Profiling and Information Management System 1.0. The impacted element is an unknown function of the file passsword_reset.php of the component Password Reset Handler. Such manipulation of the argument new_password with the input password123 leads to use of hard-coded password. The attack may be launched remotely. The exploit has been disclosed to the public and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-255",
"description": "Credentials Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T12:45:09.359Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369135 | SourceCodester Barangay Resident Profiling and Information Management System Password Reset passsword_reset.php hard-coded password",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369135"
},
{
"name": "VDB-369135 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369135/cti"
},
{
"name": "CVE-2026-11515 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11515"
},
{
"name": "Submit #836238 | SourceCodester Barangay Resident Profiling and Information Management System (BRPMS) in PHP/MySQL 0 Unverified Password Change",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/836238"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T17:58:34.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Barangay Resident Profiling and Information Management System Password Reset passsword_reset.php hard-coded password"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11515",
"datePublished": "2026-06-08T12:45:09.359Z",
"dateReserved": "2026-06-07T15:53:30.000Z",
"dateUpdated": "2026-06-08T13:16:39.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11552 (GCVE-0-2026-11552)
Vulnerability from cvelistv5 – Published: 2026-06-08 17:00 – Updated: 2026-06-08 18:24 X_Freeware
VLAI
Title
SourceCodester Onlne Examination & Learning Management System import_users.php hard-coded password
Summary
A vulnerability has been found in SourceCodester Onlne Examination & Learning Management System and Syllabus-aligned Learning Management and Examination System 1.0. Affected by this issue is some unknown functionality of the file import_users.php. The manipulation of the argument raw_password with the input CICT_2026 leads to use of hard-coded password. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369162 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369162/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11552 | third-party-advisory |
| https://vuldb.com/submit/836751 | third-party-advisory |
| https://www.sourcecodester.com/ | product |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Onlne Examination & Learning Management System |
Affected:
1.0
cpe:2.3:a:sourcecodester:onlne_examination_learning_management_system:*:*:*:*:*:*:*:* |
|
| SourceCodester | Syllabus-aligned Learning Management and Examination System |
Affected:
1.0
cpe:2.3:a:sourcecodester:syllabus-aligned_learning_management_and_examination_system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11552",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T18:22:46.805674Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T18:24:02.345Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:onlne_examination_learning_management_system:*:*:*:*:*:*:*:*"
],
"product": "Onlne Examination \u0026 Learning Management System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:sourcecodester:syllabus-aligned_learning_management_and_examination_system:*:*:*:*:*:*:*:*"
],
"product": "Syllabus-aligned Learning Management and Examination System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kamran Saifullah (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB Vulnerability Moderation Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in SourceCodester Onlne Examination \u0026 Learning Management System and Syllabus-aligned Learning Management and Examination System 1.0. Affected by this issue is some unknown functionality of the file import_users.php. The manipulation of the argument raw_password with the input CICT_2026 leads to use of hard-coded password. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-255",
"description": "Credentials Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T17:00:15.864Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369162 | SourceCodester Onlne Examination \u0026 Learning Management System import_users.php hard-coded password",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369162"
},
{
"name": "VDB-369162 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369162/cti"
},
{
"name": "CVE-2026-11552 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11552"
},
{
"name": "Submit #836751 | SourceCodester Onlne Examination \u0026 Learning Management System using PHP and MySQL 0 Use of Hard-coded Password",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/836751"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-08T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-08T07:23:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Onlne Examination \u0026 Learning Management System import_users.php hard-coded password"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11552",
"datePublished": "2026-06-08T17:00:15.864Z",
"dateReserved": "2026-06-08T05:18:19.106Z",
"dateUpdated": "2026-06-08T18:24:02.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1610 (GCVE-0-2026-1610)
Vulnerability from cvelistv5 – Published: 2026-01-29 19:02 – Updated: 2026-02-23 09:06
VLAI
Title
Tenda AX12 Pro V2 Telnet Service hard-coded credentials
Summary
A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been made public and could be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.343378 | vdb-entry |
| https://vuldb.com/?ctiid.343378 | signaturepermissions-required |
| https://vuldb.com/?submit.740766 | third-party-advisory |
| https://github.com/QIU-DIE/CVE/issues/49 | broken-linkexploitissue-tracking |
| https://www.tenda.com.cn/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Tenda | AX12 Pro V2 |
Affected:
16.03.49.24_cn
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1610",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T20:32:16.778705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T20:32:42.875Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Telnet Service"
],
"product": "AX12 Pro V2",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "16.03.49.24_cn"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "hhsw34 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been made public and could be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.6,
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T09:06:50.985Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-343378 | Tenda AX12 Pro V2 Telnet Service hard-coded credentials",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.343378"
},
{
"name": "VDB-343378 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.343378"
},
{
"name": "Submit #740766 | Tenda AX12 pro V2 V16.03.49.24_cn Hard-coded Credentials",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.740766"
},
{
"tags": [
"broken-link",
"exploit",
"issue-tracking"
],
"url": "https://github.com/QIU-DIE/CVE/issues/49"
},
{
"tags": [
"product"
],
"url": "https://www.tenda.com.cn/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-29T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-29T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-01-30T04:59:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tenda AX12 Pro V2 Telnet Service hard-coded credentials"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-1610",
"datePublished": "2026-01-29T19:02:08.122Z",
"dateReserved": "2026-01-29T12:32:02.383Z",
"dateUpdated": "2026-02-23T09:06:50.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25753 (GCVE-0-2026-25753)
Vulnerability from cvelistv5 – Published: 2026-02-06 18:57 – Updated: 2026-02-09 15:28
VLAI
Title
PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover)
Summary
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-259 - Use of Hard-coded Password
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Praskla-Technology/assessment-… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Praskla-Technology | assessment-placipy |
Affected:
<= 1.0.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T15:22:53.453481Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T15:28:38.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "assessment-placipy",
"vendor": "Praskla-Technology",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259: Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T18:57:31.419Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2"
}
],
"source": {
"advisory": "GHSA-6537-cf56-j9w2",
"discovery": "UNKNOWN"
},
"title": "PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25753",
"datePublished": "2026-02-06T18:57:31.419Z",
"dateReserved": "2026-02-05T18:35:52.357Z",
"dateUpdated": "2026-02-09T15:28:38.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2616 (GCVE-0-2026-2616)
Vulnerability from cvelistv5 – Published: 2026-02-17 15:02 – Updated: 2026-02-23 10:13
VLAI
Title
Beetel 777VR1 Web Management hard-coded credentials
Summary
A vulnerability has been found in Beetel 777VR1 up to 01.00.09. The impacted element is an unknown function of the component Web Management Interface. The manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. It is advisable to modify the configuration settings. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.346266 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.346266 | signaturepermissions-required |
| https://vuldb.com/?submit.751314 | third-party-advisory |
| https://gist.github.com/raghav20232023/d8dcaaa76e… | related |
| https://gist.github.com/raghav20232023/d8dcaaa76e… | exploit |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2616",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T15:21:19.605846Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T15:21:26.533Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Web Management Interface"
],
"product": "777VR1",
"vendor": "Beetel",
"versions": [
{
"status": "affected",
"version": "01.00.09"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "raghav_2026 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Beetel 777VR1 up to 01.00.09. The impacted element is an unknown function of the component Web Management Interface. The manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. It is advisable to modify the configuration settings. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 8.3,
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:W/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T10:13:35.134Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-346266 | Beetel 777VR1 Web Management hard-coded credentials",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.346266"
},
{
"name": "VDB-346266 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.346266"
},
{
"name": "Submit #751314 | Beetel 777VR1 Firmware Versions: V01.00.09 / V01.00.09_55 CWE-521, CWE-307",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.751314"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/raghav20232023/d8dcaaa76e71790f77f8d3ea714d2afc"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/raghav20232023/d8dcaaa76e71790f77f8d3ea714d2afc#reproduction-steps"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-17T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-17T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-21T11:09:23.000Z",
"value": "VulDB entry last update"
}
],
"title": "Beetel 777VR1 Web Management hard-coded credentials"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-2616",
"datePublished": "2026-02-17T15:02:07.133Z",
"dateReserved": "2026-02-17T07:00:41.421Z",
"dateUpdated": "2026-02-23T10:13:35.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2702 (GCVE-0-2026-2702)
Vulnerability from cvelistv5 – Published: 2026-02-19 03:32 – Updated: 2026-02-24 01:43
VLAI
Title
Beetel 777VR1 WPA2 PSK hard-coded credentials
Summary
A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.346648 | vdb-entry |
| https://vuldb.com/?ctiid.346648 | signaturepermissions-required |
| https://vuldb.com/?submit.754354 | third-party-advisory |
| https://gist.github.com/raghav20232023/a79c06d2d2… | related |
| https://gist.github.com/raghav20232023/a79c06d2d2… | exploit |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T01:43:20.863040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T01:43:31.577Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"WPA2 PSK"
],
"product": "777VR1",
"vendor": "Beetel",
"versions": [
{
"status": "affected",
"version": "01.00.09"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "raghav_2026 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.8,
"vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T10:28:20.424Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-346648 | Beetel 777VR1 WPA2 PSK hard-coded credentials",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.346648"
},
{
"name": "VDB-346648 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.346648"
},
{
"name": "Submit #754354 | Beetel 777VR1 Firmware Versions: V01.00.09 / V01.00.09_55 Hard-Coded PSK at scale, wifi compromise, PMKID exposure, CWE798",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.754354"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/raghav20232023/a79c06d2d2562238a6c9d5e6229a13fa"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/raghav20232023/a79c06d2d2562238a6c9d5e6229a13fa#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-18T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-18T19:01:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "Beetel 777VR1 WPA2 PSK hard-coded credentials"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-2702",
"datePublished": "2026-02-19T03:32:06.458Z",
"dateReserved": "2026-02-18T17:56:10.604Z",
"dateUpdated": "2026-02-24T01:43:31.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4216 (GCVE-0-2026-4216)
Vulnerability from cvelistv5 – Published: 2026-03-16 05:02 – Updated: 2026-03-16 18:45
VLAI
Title
i-SENS SmartLog App air.SmartLog.android hard-coded credentials
Summary
A weakness has been identified in i-SENS SmartLog App up to 2.6.8 on Android. This affects an unknown function of the component air.SmartLog.android. This manipulation causes hard-coded credentials. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. The vendor explains: "The function referenced in the report currently exists in our deployed system. It is related to a developer mode used during the configuration process for Bluetooth pairing between the blood glucose meter and the SmartLog application. This function is intended for configuration purposes related to device integration and testing. (...) [I]n a future application update, we plan to review measures to either remove the developer mode function or restrict access to it."
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351140 | vdb-entry |
| https://vuldb.com/?ctiid.351140 | signaturepermissions-required |
| https://vuldb.com/?submit.770497 | third-party-advisory |
| https://www.notion.so/Developer-Mode-Credential-E… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| i-SENS | SmartLog App |
Affected:
2.6.0
Affected: 2.6.1 Affected: 2.6.2 Affected: 2.6.3 Affected: 2.6.4 Affected: 2.6.5 Affected: 2.6.6 Affected: 2.6.7 Affected: 2.6.8 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4216",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T18:44:59.397464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T18:45:09.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"air.SmartLog.android"
],
"product": "SmartLog App",
"vendor": "i-SENS",
"versions": [
{
"status": "affected",
"version": "2.6.0"
},
{
"status": "affected",
"version": "2.6.1"
},
{
"status": "affected",
"version": "2.6.2"
},
{
"status": "affected",
"version": "2.6.3"
},
{
"status": "affected",
"version": "2.6.4"
},
{
"status": "affected",
"version": "2.6.5"
},
{
"status": "affected",
"version": "2.6.6"
},
{
"status": "affected",
"version": "2.6.7"
},
{
"status": "affected",
"version": "2.6.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in i-SENS SmartLog App up to 2.6.8 on Android. This affects an unknown function of the component air.SmartLog.android. This manipulation causes hard-coded credentials. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. The vendor explains: \"The function referenced in the report currently exists in our deployed system. It is related to a developer mode used during the configuration process for Bluetooth pairing between the blood glucose meter and the SmartLog application. This function is intended for configuration purposes related to device integration and testing. (...) [I]n a future application update, we plan to review measures to either remove the developer mode function or restrict access to it.\""
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T05:02:08.472Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351140 | i-SENS SmartLog App air.SmartLog.android hard-coded credentials",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.351140"
},
{
"name": "VDB-351140 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351140"
},
{
"name": "Submit #770497 | i-SENS SmartLog(air.SmartLog.android) 2.6.8 Developer Mode Credential Exposure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.770497"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/Developer-Mode-Credential-Exposure-in-air-SmartLog-android-3182de3f97fb80f1abb7e958be2940fa?source=copy_link"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-15T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-15T16:15:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "i-SENS SmartLog App air.SmartLog.android hard-coded credentials"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4216",
"datePublished": "2026-03-16T05:02:08.472Z",
"dateReserved": "2026-03-15T15:09:22.212Z",
"dateUpdated": "2026-03-16T18:45:09.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4219 (GCVE-0-2026-4219)
Vulnerability from cvelistv5 – Published: 2026-03-16 06:02 – Updated: 2026-03-16 15:27
VLAI
Title
INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App ae.index.apgcs BuildConfig.java hard-coded credentials
Summary
A flaw has been found in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of the argument ACCESS_KEY/HASH_KEY can lead to hard-coded credentials. The attack is restricted to local execution. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351143 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.351143 | signaturepermissions-required |
| https://vuldb.com/?submit.770513 | third-party-advisory |
| https://www.notion.so/Authorization-Credentials-i… | exploit |
| https://www.notion.so/Authorization-Credentials-i… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| INDEX Conferences & Exhibitions Organization | YWF BPOF APGCS App |
Affected:
1.0.0
Affected: 1.0.1 Affected: 1.0.2 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4219",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T15:26:02.872319Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T15:27:30.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/Authorization-Credentials-in-ae-index-apgcs-Lead-to-Exposure-of-Backend-Secrets-3172de3f97fb8040bc30c5519a742251"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"ae.index.apgcs"
],
"product": "YWF BPOF APGCS App",
"vendor": "INDEX Conferences \u0026 Exhibitions Organization",
"versions": [
{
"status": "affected",
"version": "1.0.0"
},
{
"status": "affected",
"version": "1.0.1"
},
{
"status": "affected",
"version": "1.0.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in INDEX Conferences \u0026 Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of the argument ACCESS_KEY/HASH_KEY can lead to hard-coded credentials. The attack is restricted to local execution. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T06:02:08.055Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351143 | INDEX Conferences \u0026 Exhibitions Organization YWF BPOF APGCS App ae.index.apgcs BuildConfig.java hard-coded credentials",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.351143"
},
{
"name": "VDB-351143 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351143"
},
{
"name": "Submit #770513 | INDEX Conferences \u0026 Exhibitions Organization L.L.C YWF | BPOF | APGCS 1.0.2 Authorization Credential Exposure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.770513"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/Authorization-Credentials-in-ae-index-apgcs-Lead-to-Exposure-of-Backend-Secrets-3172de3f97fb8040bc30c5519a742251?source=copy_link"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-15T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-15T17:30:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "INDEX Conferences \u0026 Exhibitions Organization YWF BPOF APGCS App ae.index.apgcs BuildConfig.java hard-coded credentials"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4219",
"datePublished": "2026-03-16T06:02:08.055Z",
"dateReserved": "2026-03-15T16:25:29.066Z",
"dateUpdated": "2026-03-16T15:27:30.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4475 (GCVE-0-2026-4475)
Vulnerability from cvelistv5 – Published: 2026-03-20 06:02 – Updated: 2026-03-20 13:51
VLAI
Title
Yi Technology YI Home Camera ipc hard-coded credentials
Summary
A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351765 | vdb-entry |
| https://vuldb.com/?ctiid.351765 | signaturepermissions-required |
| https://vuldb.com/?submit.772996 | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Yi Technology | YI Home Camera |
Affected:
2 2.1.1_20171024151200
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4475",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T13:51:35.894323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T13:51:39.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/?submit.772996"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "YI Home Camera",
"vendor": "Yi Technology",
"versions": [
{
"status": "affected",
"version": "2 2.1.1_20171024151200"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0rbitingZer0 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 8.3,
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T06:02:14.715Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351765 | Yi Technology YI Home Camera ipc hard-coded credentials",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.351765"
},
{
"name": "VDB-351765 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351765"
},
{
"name": "Submit #772996 | yitechnology YI Home Camera 2 2.1.1_20171024151200 Hard-coded Credentials",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.772996"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-19T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-19T21:51:36.000Z",
"value": "VulDB entry last update"
}
],
"title": "Yi Technology YI Home Camera ipc hard-coded credentials"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4475",
"datePublished": "2026-03-20T06:02:14.715Z",
"dateReserved": "2026-03-19T20:46:18.780Z",
"dateUpdated": "2026-03-20T13:51:39.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Mitigation
Phase: Architecture and Design
Description:
- For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password.
Mitigation
Phase: Architecture and Design
Description:
- Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
Phase: Architecture and Design
Description:
- For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved.
- Use randomly assigned salts for each separate hash that you generate. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
Phase: Architecture and Design
Description:
- For front-end to back-end connections: Three solutions are possible, although none are complete.
No CAPEC attack patterns related to this CWE.