CVE-2026-44761
SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration pro
CVSS
9.1
Critical
EPSS
0.4%
p27
KEV
—
Exploit Today
8
0-100
Published: Jul 14, 2026 · Last modified: Jul 15, 2026 · CWE-1392
0.4%EPSS · 30 days0.4%
2026-07-142026-07-16
SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration provided in SAP Help Portal documentation. If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token and invoke certain APIs to read and modify data. Successful exploitation results in high impact on confidentiality and integrity, with no impact on availability.
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-584539.8 CRI74.5%
——22JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a hard-coded credentials vulnerability that allows network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these hardcoded credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.15dCVE-2026-584669.8 CRI39.8%
——12AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.2dCVE-2026-31448.1 HIG33.4%
——10IBM API Connect 12.1.0.0 through 12.1.0.3 uses default credentials which could allow an attacker to gain unauthorized access to the application before the system enforces a credential update.7dCVE-2026-318377.5 HIG30.1%
——9Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.2d