Lucene search

1110 matches found

Vulnrichment
added 2025/11/24 1:47 p.m.; views: 1

CVE-2025-65998 Apache Syncope: Default AES key used for internal password encryption

Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...

AI score: 6.4; EPSS: 0.0044
Exploits: 0; References: 1

CNNVD
added 2025/11/24 12:0 a.m.; views: 1

Xtool AnyScan App Security Vulnerability

Xtool AnyScan App is an automotive diagnostic mobile application from China-based Xtool. A security vulnerability exists in Xtool AnyScan App version 4.40.40 and earlier, which stems from the use of a hard-coded key to decrypt update metadata...

CVSS: 4.6; AI score: 6.7; EPSS: 0.00157
Exploits: 1; References: 3

Positive Technologies
added 2025/11/24 12:0 a.m.; views: 4

PT-2025-47918

Name of the Vulnerable Software and Affected Versions Apache Syncope versions prior to 3.0.15 Apache Syncope versions prior to 4.0.3 Description Apache Syncope, when configured to use AES encryption for storing user passwords in its internal database, utilizes a hard-coded default key. This allow...

CVSS: 7.5; AI score: 6.7; EPSS: 0.0044
Exploits: 0; References: 23

CNNVD
added 2025/11/17 12:0 a.m.; views: 3

ONLYOFFICE Docs Trust Management Issue Vulnerability

ONLYOFFICE Docs is an online office software from ONLYOFFICE, Inc. A trust management issue vulnerability exists in ONLYOFFICE Docs versions 22.11 through prior to 25.05 and prior to 25.11, which stems from the use of a hard-coded key to protect the file cache, which could lead to accessing known...

CVSS: 5.3; AI score: 6.4; EPSS: 0.0024
Exploits: 0; References: 6

OSV
added 2025/11/14 9:52 p.m.; views: 4

GHSA-4M32-CJV7-F425 AstrBot is vulnerable to RCE with hard-coded JWT signing keys

Summary AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin. Details AstrBot uses a hard-coded JWT signing key, which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python...

CVSS: 9.8; AI score: 7.8; EPSS: 0.00281
Exploits: 2; References: 6

Positive Technologies
added 2025/11/14 12:0 a.m.; views: 3

PT-2025-47033

Name of the Vulnerable Software and Affected Versions AstrBot version 3.5.15 Description The software uses a hard-coded private key, "Advanced System for Text Response and Bot Operations Tool", to sign JSON Web Tokens (JWT), which are compact, URL-safe means of representing claims to be transferred...

CVSS: 9.8; AI score: 6; EPSS: 0.00281
Exploits: 2; References: 14

RedhatCVE
added 2025/11/04 7:5 a.m.; views: 7

CVE-2025-12615

A security vulnerability has been detected in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /onps/settings.py. Such manipulation of the argument SECRETKEY leads to use of hard-coded cryptographic key. The attack may be performed from remote. The attack...

CVSS: 8.1; AI score: 6.4; EPSS: 0.00328
Exploits: 1; References: 1

EUVD
added 2025/11/03 6:30 a.m.; views: 5

EUVD-2025-37470

A security vulnerability has been detected in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /onps/settings.py. Such manipulation of the argument SECRETKEY leads to use of hard-coded cryptographic key. The attack may be performed from remote. The attack...

CVSS: 5.1; AI score: 6; EPSS: 0.00328
Exploits: 1; References: 6

OSV
added 2025/11/03 4:15 a.m.; views: 1

CVE-2025-12615

A security vulnerability has been detected in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /onps/settings.py. Such manipulation of the argument SECRETKEY leads to use of hard-coded cryptographic key. The attack may be performed from remote. The attack...

CVSS: 8.1; AI score: 5.3; EPSS: 0.00328
Exploits: 1; References: 5

NVD
added 2025/11/03 4:15 a.m.; views: 2

CVE-2025-12615

A security vulnerability has been detected in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /onps/settings.py. Such manipulation of the argument SECRETKEY leads to use of hard-coded cryptographic key. The attack may be performed from remote. The attack...

CVSS: 8.1; EPSS: 0.00328
Exploits: 1; References: 5

CVE
added 2025/11/03 3:32 a.m.; views: 8

CVE-2025-12615

CVE-2025-12615 affects PHPGurukul News Portal 1.0. The vulnerability arises from manipulation of the SECRET_KEY in the file /onps/settings.py, leading to the use of a hard-coded cryptographic key. This enables remote exploitation and is described as difficult to exploit, with the exploit publicly...

CVSS: 8.1; AI score: 5.1; EPSS: 0.00328
Exploits: 1; References: 5; Affected Software: 1

Positive Technologies
added 2025/11/03 12:0 a.m.; views: 3

PT-2025-44748

Name of the Vulnerable Software and Affected Versions PHPGurukul News Portal version 1.0 Description A security issue exists in PHPGurukul News Portal. Manipulation of the SECRET KEY argument within an unknown function in the /onps/settings.py file results in the use of a hard-coded cryptographic...

CVSS: 8.1; AI score: 6.2; EPSS: 0.00328
Exploits: 1; References: 9

RedhatCVE
added 2025/10/31 10:10 a.m.; views: 15

CVE-2025-54471

NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data...

CVSS: 6.5; AI score: 6.8; EPSS: 0.00217
Exploits: 0; References: 1

OSV
added 2025/10/30 10:15 a.m.; views: 1

CVE-2025-54471

NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data...

CVSS: 6.5; AI score: 5.8; EPSS: 0.00217
Exploits: 0; References: 2

NVD
added 2025/10/30 10:15 a.m.; views: 5

CVE-2025-54471

NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data...

CVSS: 6.5; EPSS: 0.00217
Exploits: 0; References: 2

Cvelist
added 2025/10/30 9:45 a.m.; views: 6

CVE-2025-54471 NeuVector is shipping cryptographic material into its binary

NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data...

CVSS: 6.5; EPSS: 0.00217
Exploits: 0; References: 2

CVE
added 2025/10/30 9:45 a.m.; views: 7

CVE-2025-54471

The CVE-2025-54471 entry concerns NeuVector where a hard-coded cryptographic key was embedded in the source and replaced at compile time, then used to encrypt sensitive configurations stored by NeuVector. Affected data and configurations could be exposed due to the improper key handling. The prov...

CVSS: 6.5; AI score: 6; EPSS: 0.00217
Exploits: 0; References: 2

EUVD
added 2025/10/25 12:30 a.m.; views: 3

EUVD-2025-35895

Deck Mate 2's firmware update mechanism accepts packages without cryptographic signature verification, encrypts them with a single hard-coded AES key shared across devices, and uses a truncated HMAC for integrity validation. Attackers with access to the update interface - typically via the unit's...

CVSS: 7; AI score: 7.5; EPSS: 0.00125
Exploits: 0; References: 5

CVE
added 2025/10/24 11:2 p.m.; views: 14

CVE-2025-34500

CVE-2025-34500 affects Deck Mate 2. The firmware update mechanism accepts unsigned packages, uses a single hard-coded AES key for encryption, and applies a truncated HMAC for integrity, enabling an attacker with USB/update-interface access to craft/modify firmware to execute arbitrary code as roo...

CVSS: 7; AI score: 7.6; EPSS: 0.00125
Exploits: 0; References: 4

Positive Technologies
added 2025/10/24 12:0 a.m.; views: 4

PT-2025-43687

Name of the Vulnerable Software and Affected Versions Deck Mate 2 affected versions not specified Description The firmware update mechanism for Deck Mate 2 does not verify cryptographic signatures on update packages. Updates are encrypted using a single, hard-coded AES key shared across all devic...

CVSS: 7; AI score: 7.4; EPSS: 0.00125
Exploits: 0; References: 12