Praisonai-platform Critical Authentication Bypass Due to Persistent Hardcoded JWT Secret
2 rules 4 TTPs 1 IOC
Praisonai-platform versions up to and including 0.1.4 are vulnerable to a critical authentication bypass stemming from a hardcoded JWT signing secret ('dev-secret-change-me') and a bypassed production guard, allowing unauthenticated attackers to forge JSON Web Tokens (JWTs) and impersonate any user, leading to complete access, privilege escalation to workspace owner, and potential resource destruction.
PraisonAI Platform Vulnerable to JWT Forgery via Hardcoded Default Secret
2 rules 4 TTPs 3 IOCs
The `praisonai-platform` package, versions 0.1.4 and below, is critically vulnerable to authentication bypass and privilege escalation due to a hardcoded default JWT signing secret (`dev-secret-change-me`) that is inadvertently enabled in default deployments, allowing an unauthenticated attacker to forge JWTs and impersonate any user.
IBM Controller Hard-Coded Credentials Vulnerability (CVE-2026-5065)
2 rules 1 TTP 1 CVE
IBM Controller versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2 are vulnerable to hard-coded credentials (CVE-2026-5065), potentially allowing unauthorized access and control of the application.
Open ISES Tickets Hardcoded Database Credentials Vulnerability
2 rules 1 CVE
Open ISES Tickets before version 3.44.2 contains hardcoded MySQL database connection credentials in import_mdb.php, allowing unauthorized database access.
Open ISES Tickets Hardcoded MySQL Credentials Vulnerability (CVE-2026-48241)
2 rules 1 TTP 1 CVE
Open ISES Tickets before version 3.44.2 contains hardcoded MySQL database credentials in loader.php, allowing an attacker with access to the source code or to the file on a deployed installation to read the username, password, and database name and use them to connect to the database (CVE-2026-48241).
Taiko AG1000-01A SMS Alert Gateway Hardcoded Credentials Vulnerability (CVE-2026-9139)
2 rules 1 TTP 1 CVE
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contain a hard-coded credential vulnerability (CVE-2026-9139) in the embedded web configuration interface, allowing unauthenticated attackers with network access to recover administrative credentials directly from client-side JavaScript and gain full administrative access to the device.
FreePBX Security-Reporting userman Unauthenticated Hard-Coded Credentials Vulnerability
2 rules
FreePBX Security-Reporting userman versions 16.0.45 and prior (FreePBX 16) and 17.0.7 and prior (FreePBX 17) contain a critical vulnerability due to unauthenticated use of hard-coded credentials in the UCP interface, potentially allowing unauthorized access.
Vvveb Hardcoded Credentials Vulnerability in phpMyAdmin Container
2 rules 1 TTP 1 CVE
Vvveb versions before 1.0.8.2 contain a hardcoded credentials vulnerability in the docker-compose-apache.yaml configuration, allowing unauthenticated attackers to access the phpMyAdmin container and gain unrestricted read and write access to the Vvveb database, leading to account takeover and data manipulation.
osuuu LightPicture Hardcoded Credentials Vulnerability (CVE-2026-6574)
2 rules 1 TTP 1 CVE
CVE-2026-6574 allows remote attackers to manipulate the 'key' argument of the /public/install/lp.sql file via the API upload endpoint in osuuu LightPicture <= 1.2.2, resulting in exposure of hardcoded credentials.
Hardcoded Storage Credentials in Mobile App and Device Firmware (CVE-2025-10681)
2 rules 1 TTP 1 CVE
CVE-2025-10681 describes a vulnerability where hardcoded storage credentials in a mobile app and device firmware, with inadequate permission limits and no expiration, could lead to unauthorized access to production storage containers.
GoHarbor Harbor v2.15.0 and Below Vulnerable to Hardcoded Credentials
2 rules 1 TTP
GoHarbor Harbor version 2.15.0 and below is vulnerable to the use of hard-coded credentials, allowing an attacker to use the default password and gain unauthorized access to the web UI.
AstrBotDevs AstrBot Vulnerability Leads to Hardcoded Credentials (CVE-2026-7579)
2 rules 1 TTP 1 CVE
CVE-2026-7579 describes a vulnerability in AstrBotDevs AstrBot up to version 4.16.0 where improper handling of the `auth.py` file in the dashboard component leads to hardcoded credentials being exposed, enabling remote exploitation.
PicoTronica e-Clinic Healthcare System ECHS 5.7 Hardcoded Credentials Vulnerability
2 rules 1 TTP 1 CVE
PicoTronica e-Clinic Healthcare System ECHS 5.7 is vulnerable to remote exploitation of hardcoded credentials through manipulation of the ADMIN_KEY argument in /cdemos/echs/priv/echs.js, potentially leading to unauthorized access.