Search Results (51 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-2229 2026-04-15 7.7 High
A token is created using the username, current date/time, and a fixed AES-128 encryption key, which is the same across all installations.
CVE-2024-11717 1 Ctfd 1 Ctfd 2026-04-15 N/A
Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to change user's password and take over the account. Moreover, the tokens also include base64 encoded user email. This issue impacts releases up to 3.7.4 and was addressed by pull request 2679 https://github.com/CTFd/CTFd/pull/2679  included in 3.7.5 release.
CVE-2024-32759 2026-04-15 N/A
Under certain circumstances the Software House C●CURE 9000 installer will utilize weak credentials.
CVE-2025-1081 2026-04-15 3.1 Low
A vulnerability was found in Bharti Airtel Xstream Fiber up to 20250123. It has been rated as problematic. This issue affects some unknown processing of the component WiFi Password Handler. The manipulation leads to use of weak credentials. The attack needs to be done within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-4057 1 Redhat 2 Amq Broker, Rhosemc 2026-04-15 5.5 Medium
A flaw was found in ActiveMQ Artemis. The password generated by activemq-artemis-operator does not regenerate between separated CR dependencies.
CVE-2025-22936 2026-04-15 5.7 Medium
An issue in Smartcom Bulgaria AD Smartcom Ralink CPE/WiFi router SAM-4G1G-TT-W-VC, SAM-4F1F-TT-W-A1 allows a remote attacker to obtain sensitive information via the Weak default WiFi password generation algorithm in WiFi routers.
CVE-2025-6077 1 Partner Software 2 Partner Software, Partner Web 2026-04-15 9.8 Critical
Partner Software's Partner Software Product and corresponding Partner Web application use the same default username and password for the administrator account across all versions.
CVE-2025-35970 2026-04-15 7.5 High
On multiple products of SEIKO EPSON and FUJIFILM Corporation, the initial administrator password is easy to guess from the information available via SNMP. If the administrator password is not changed from the initial one, a remote attacker with SNMP access can log in to the product with the administrator privilege.
CVE-2025-30519 1 Doverfuelingsolutions 1 Progauge Maglink Lx Console 2026-04-15 9.8 Critical
Dover Fueling Solutions ProGauge MagLink LX4 Devices have default root credentials that cannot be changed through standard administrative means. An attacker with network access to the device can gain administrative access to the system.
CVE-2024-42027 1 Rocketchat 1 Rocket.chat 2026-04-15 6.7 Medium
The E2EE password entropy generated by Rocket.Chat Mobile prior to version 4.5.1 is insufficient, allowing attackers to crack it if they have the appropriate time and resources.
CVE-2025-53558 1 Zte 2 Zxhn F660a, Zxhn F660t 2026-04-15 N/A
ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K.K. use a common credential for all installations. With the knowledge of the credential, an attacker may log in to the affected devices.
CVE-2025-32471 2026-04-15 3.7 Low
The device’s passwords have not been adequately salted, making them vulnerable to password extraction attacks.
CVE-2024-51978 2026-04-15 9.8 Critical
An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request.
CVE-2025-67114 1 Freedomfi 1 Sercomm Sce4255w 2026-03-25 9.8 Critical
Use of a deterministic credential generation algorithm in /ftl/bin/calc_f2 in Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers to derive valid administrative/root credentials from the device's MAC address, enabling authentication bypass and full device access.
CVE-2025-6523 1 Devolutions 1 Devolutions Server 2025-11-25 7.7 High
Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated by the server within a feasible timeframe. This issue affects the following versions : * Devolutions Server 2025.2.2.0 through 2025.2.3.0 * Devolutions Server 2025.1.11.0 and earlier
CVE-2024-12728 1 Sophos 2 Firewall, Firewall Firmware 2025-11-12 9.8 Critical
A weak credentials vulnerability potentially allows privileged system access via SSH to Sophos Firewall older than version 20.0 MR3 (20.0.3).
CVE-2025-59460 1 Sick 2 Tloc100-100, Tloc100-100 Firmware 2025-11-03 7.5 High
The system is deployed in its default state, with configuration settings that do not comply with the latest best practices for restricting access. This increases the risk of unauthorised connections.
CVE-2024-52331 1 Ecovacs 28 Airbot Andy, Airbot Andy Firmware, Airbot Ava and 25 more 2025-10-02 7.5 High
ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
CVE-2024-42051 1 Splashtop 1 Streamer 2025-09-03 7.8 High
The MSI installer for Splashtop Streamer for Windows before 3.6.2.0 uses a temporary folder with weak permissions during installation. A local user can exploit this to escalate privileges to SYSTEM by replacing InstRegExp.reg.
CVE-2024-7558 1 Canonical 1 Juju 2025-08-26 8.7 High
JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unprivileged user access to the same information and tools as the Juju charm.