153 matches found

EUVD
added 4 days ago, 9 views

EUVD-2026-34094

ProjectsAndPrograms school-management-system uses predictable credentials by generating student's and teacher's passwords solely from the user’s date of birth e.g., 12072000 for 12 July 2000. The application does not require or prompt users to change the password upon first login. This behavior...

CVSS 6.9 | AI score 5.8 | EPSS 0.0015
Exploits: 0 | References: 2

NVD
added 2026/05/29 7:16 p.m., 5 views

CVE-2026-42941

The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change...

CVSS 8.7 | EPSS 0.00018
Exploits: 0 | References: 3

ATTACKERKB
added 2026/05/29 5:45 p.m., 7 views

CVE-2026-44649

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User Authelia and X-Authentik-Username Authentik HTTP headers to...

CVSS 9.8 | AI score 5.8 | EPSS 0.00088
Exploits: 0 | References: 2 | Affected Software: 1

EUVD
added 2026/05/29 5:27 p.m., 8 views

EUVD-2026-33395

The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change...

CVSS 8.7 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 3

CVE
added 2026/05/29 5:27 p.m., 6 views

CVE-2026-42941

The CVE-2026-42941 relates to the Danelec MacGregor Voyage Data Recorder (VDR) G4e, which ships with default credentials and no enforced password change. The confirmed issues include hard-coded/default accounts, an authenticated user being able to download device backups containing account data a...

CVSS 8.7 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 3 | Affected Software: 1

Positive Technologies
added 2026/05/29 12:00 a.m., 6 views

PT-2026-44927

Name of the Vulnerable Software and Affected Versions Danelec MacGregor Voyage Data Recorder affected versions not specified Description The device contains a default username and password and does not require the user to change the password upon initial setup. Recommendations At the moment, ther...

CVSS 8.7 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 5

CNNVD
added 2026/05/28 12:00 a.m., 6 views

D-Link DWR-X1820 Security Vulnerability

The D-Link DWR-X1820 is a wireless router produced by D-Link Corporation. The D-Link DWR-X1820 has a security vulnerability. This vulnerability stems from the use of weak default passwords generated from the IMEI number, and no requirement is placed on users to change them. As a result, attackers...

CVSS 6 | AI score 5.8 | EPSS 0.0002
Exploits: 0 | References: 2

Github Security Blog
added 2026/05/15 6:17 p.m., 12 views

AVideo's Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin

Summary Type: Authorization-bypass via user-controlled identifier. The Meet plugin's recorded-video upload endpoint plugin/Meet/uploadRecordedVideo.json.php authenticates the caller using a single shared Authorization: Bearer against $objM-secret. Once that check passes, the endpoint reads the...

AI score 5.9
Exploits: 0 | References: 2 | Affected Software: 1

CNNVD
added 2026/05/12 12:00 a.m., 5 views

Pocket ID Authorization Issue Vulnerability

Pocket ID is an open-source OIDC identity provider that supports no-password authentication. Versions of Pocket ID prior to 2.6.0 had an authorization vulnerability. This vulnerability stemmed from the createTokenFromRefreshToken function not revalidating the user’s current authorization status,...

CVSS 8.5 | AI score 5.7 | EPSS 0.00035
Exploits: 1 | References: 2

Imperva Blog
added 2026/05/06 6:28 p.m., 5 views

Your Redis Server Looks Fine. That’s the Problem.

Introduction There’s an automated attack circulating right now that breaks into unprotected Redis servers, takes over the underlying machine, and then carefully puts everything back the way it found it. It restores the database filename. It deletes the tools it used. It detaches from the...

CVSS 10 | AI score 7.5 | EPSS 0.94398
Exploits: 8

Tenable Nessus
added 2026/03/18 12:00 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2026-32609

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix commit 5d3de60 addressed unauthenticated configuration secrets exposure on th...

CVSS 7.5 | AI score 5.8 | EPSS 0.00082
Exploits: 1 | References: 3

OSV
added 2026/03/16 4:35 p.m., 4 views

GHSA-R297-P3V4-WP8M Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`

Summary In Central Browser mode, the /api/4/serverslist endpoint returns raw server objects from GlancesServersList.getserverslist. Those objects are mutated in-place during background polling and can contain a uri field with embedded HTTP Basic credentials for downstream Glances servers, using t...

CVSS 9.1 | AI score 5.8 | EPSS 0.00103
Exploits: 1 | References: 5

NVD
added 2026/03/03 10:16 a.m., 4 views

CVE-2026-22886

OpenMQ exposes a TCP-based management service imqbrokerd that by default requires authentication. However, the product ships with a default administrative account admin/admin and does not enforce a mandatory password change on first use. After the first successful login, the server continues to...

CVSS 9.8 | EPSS 0.00266
Exploits: 0 | References: 1

CVE
added 2026/03/02 11:14 a.m., 7 views

CVE-2025-30035

CVE-2025-30035 affects CGM CLININET: lack of API authentication allows generating a session for any user, enabling session takeover without a password. Root cause: missing auth on session creation. Impact is high across confidentiality, integrity, and availability (CVSS v4.0 base score 9.0; vecto...

CVSS 9 | AI score 6 | EPSS 0.00048
Exploits: 0 | References: 2

Snyk
added 2026/02/25 9:18 a.m., 4 views

Server-side Request Forgery (SSRF)

Overview changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the issafevalidurl function. An attacker can access internal network resources and exfiltrate sensitive data by submitting...

CVSS 9.2 | AI score 6 | EPSS 0.00022
Exploits: 1 | References: 2

Packet Storm
added 2026/02/24 12:00 a.m., 104 views

Tattile Cameras 1.181.5 Default Credentials

Tattile Cameras version 1.181.5 ship with default credentials that remain active after installation and commissioning without enforcing a mandatory password change. Tattile Cameras 1.181.5 Use of Default Credentials Vendor: Tattile s.r.l. Product web page: https://www.tattile.com Affected version...

CVSS 9.8 | AI score 5.5 | EPSS 0.09436
Exploits: 3

EUVD
added 2026/02/02 2:12 p.m., 3 views

EUVD-2022-55958

An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced...

CVSS 9.8 | AI score 5.6 | EPSS 0.00049
Exploits: 0 | References: 2

Positive Technologies
added 2026/01/26 12:00 a.m., 4 views

PT-2026-4795

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 allow account passwords to be changed through the maintenance interface without requiring verification of the existing password. This enables unauthorized password changes when access to the affected endpoint is obtained...

CVSS 8.7 | AI score 5.9 | EPSS 0.00075
Exploits: 0 | References: 3

CVE
added 2026/01/09 11:53 a.m., 7 views

CVE-2025-66050

CVE-2025-66050 (Vivotek IP7137, firmware 0200a) is linked to multiple issues: path traversal (CVE-2025-66051), information disclosure via RTSP without authentication (CVE-2025-66049), and command injection through /cgi-bin/admin/setparam.cgi (CVE-2025-66052). All references indicate default admin...

CVSS 9.8 | AI score 6.5 | EPSS 0.0008
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2026/01/09 11:53 a.m., 24 views

CVE-2025-66050 No password set for administrative account in Vivotek IP7137 cameras

Vivotek IP7137 camera with firmware version 0200a by default does not require any password to be provided when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a need. The vendor has not replied to the CNA. Possibly all firmware versions...

CVSS 9.3 | EPSS 0.0008
Exploits: 0 | References: 1