CWE-79810 advisories

Use of Hard-coded Credentials

What it is

Credentials are embedded in source or config, so anyone with the code can authenticate.

How to fix it

Upgrade, remove the secret, rotate it, and load it from a secret manager.

How to avoid it

Keep secrets out of code; inject them at runtime and scan for leaks in CI.

Known Use of Hard-coded Credentials vulnerabilities

AI-SECRETS-SPRAWL-2025 — medium · AI coding/AI coding assistants (Claude Code, MCP configs)
SECRET-HARDCODED-SOURCE — critical · Secrets · Source code/Hardcoded secrets in source code · exploited
OPSEC-INTERNET-ARCHIVE-2024 — high · SaaS/Internet Archive
OPSEC-MERCEDES-BENZ-2024 — high · Source control/Mercedes-Benz
OPSEC-SOURCEGRAPH-2023 — high · Source control/Sourcegraph
SECRET-TOYOTA-TCONNECT-2022 — high · Secrets · Source code/Toyota T-Connect
OPSEC-UBER-2022 — high · Identity/Uber
SECRET-CLIENT-EMBEDDED — high · Secrets · Mobile/Secrets embedded in client-side and mobile apps · exploited
SECRET-STARBUCKS-JUMPCLOUD-2019 — critical · Secrets · Source code/Starbucks
SECRET-UBER-2016 — critical · Secrets · Cloud keys/Uber

Stateward flags Use of Hard-coded Credentials in your own code and dependencies on every pull request.

Scan my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.