45 matches found

Nuclei | added 9 hours ago | 13 views

D-Tale 3.10.0 - 3.15.1 - Authentication Bypass & Remote Code Execution

man-group/dtale 3.10.0 contains an authentication bypass and remote code execution caused by improper input validation and a hardcoded SECRET_KEY in the Flask configuration, letting attackers forge session cookies and execute arbitrary code; exploitation requires the attacker to be able to reach the application. id:...

CVSS 9.8 | AI score 8.8 | EPSS 0.91737
Exploits 5 | References 2
CNNVD | added 2026/04/06 12:00 a.m. | 3 views

Huly Platform Security Vulnerability

Huly Platform is an open-source integrated project management platform developed by Huly. Version 0.7.382 of Huly Platform contains a security vulnerability that stems from the use of a hardcoded secret key as the SERVER_SECRET parameter of the JWT token handler component...

CVSS 6.3 | AI score 5.8 | EPSS 0.00038
Exploits 0 | References 3
GithubExploit | added 2026/03/21 3:47 p.m. | 143 views

Exploit for CVE-2026-21994

CVE-2026-21994 Summary Oracle OKIT oci-designer-tool...

CVSS 9.8 | AI score 5.8 | EPSS 0.0013
Exploits 1
Packet Storm | added 2026/02/13 12:00 a.m. | 142 views

Patients Waiting Area Queue Management System 1.0 SQL Injection

Patients Waiting Area Queue Management System version 1.0 is vulnerable to SQL injection due to improper sanitization of the appointmentID parameter. Authentication bypass and a full database dump are possible. The application also appears to have a hardcoded JWT key and suffers from a username...

CVSS 9.8 | AI score 5.9 | EPSS 0.00052
Exploits 3
OSV | added 2026/02/04 8:06 p.m. | 2 views

CVE-2026-25505 Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication

Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code, and many API routes do not check authentication. This issue has been patched in version 0.1.7...

CVSS 9.8 | AI score 5.4 | EPSS 0.00132
Exploits 1 | References 9
OSV | added 2026/02/02 9:21 p.m. | 3 views

GHSA-GC24-PX2R-5QMF Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication

Summary: 1. A hardcoded secret key used for signing JWTs is checked into source code. 2. Many API routes do not check authentication. Details: I am using the publicly available docker image at ghcr.io/maziggy/bambuddy. 1. Hardcoded JWT Secret Key...

CVSS 9.8 | AI score 5.6 | EPSS 0.00132
Exploits 1 | References 9
Github Security Blog | added 2026/02/02 9:21 p.m. | 6 views

Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication

Summary: 1. A hardcoded secret key used for signing JWTs is checked into source code. 2. Many API routes do not check authentication. Details: I am using the publicly available docker image at ghcr.io/maziggy/bambuddy. 1. Hardcoded JWT Secret Key...

CVSS 9.8 | AI score 5.5 | EPSS 0.00132
Exploits 1 | References 9 | Affected Software 1
Positive Technologies | added 2026/02/02 12:00 a.m. | 2 views

PT-2026-6421

Summary: 1. A hardcoded secret key used for signing JWTs is checked into source code. 2. Many API routes do not check authentication. Details: I am using the publicly available docker image at ghcr.io/maziggy/bambuddy. 1. Hardcoded JWT Secret Key...

CVSS 9.8 | AI score 5.7 | EPSS 0.00132
Exploits 1 | References 6
RedhatCVE | added 2026/01/09 10:27 a.m. | 8 views

CVE-2008-7311

The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller.session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the...

CVSS 5.0 | AI score 6.9 | EPSS 0.00158
Exploits 0 | References 1
RedhatCVE | added 2026/01/09 9:55 a.m. | 3 views

CVE-2020-12627

Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX RXHH!jmNLWX/,?RT' hardcoded secret key...

CVSS 9.8 | AI score 7.3 | EPSS 0.00132
Exploits 0 | References 1
VulnCheck KEV | added 2025/12/19 12:00 a.m. | 20 views

VulnCheck KEV: CVE-2024-3408

man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded SECRET_KEY in the Flask configuration, allowing attackers to forge a session cookie if authentication is enabled...

CVSS 9.8 | AI score 6.7 | EPSS 0.91737
In the wild | Exploits 5 | References 64
CNVD | added 2025/11/05 12:00 a.m. | 1 view

News Portal Hardcoded Key Vulnerability

News Portal is a news portal application. News Portal has a hardcoded-key vulnerability that stems from the use of a fixed secret key as the SECRET_KEY setting in the file /onps/settings.py. An attacker could exploit this vulnerability to obtain sensitive system information...

CVSS 8.1 | AI score 5.2 | EPSS 0.00067
Exploits 1 | References 1
EUVD | added 2025/10/07 12:30 a.m. | 2 views

EUVD-2018-5755

Malware in sbrugna...

CVSS 7.5 | AI score 7.8 | EPSS 0.00249
Exploits 0 | References 3
EUVD | added 2025/10/03 8:07 p.m. | 3 views

EUVD-2022-0108

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 8.6 | EPSS 0.00289
Exploits 1 | References 4
EUVD | added 2025/10/03 8:07 p.m. | 3 views

EUVD-2025-23514

Malicious code in bioql PyPI...

CVSS 9.0 | AI score 9.2 | EPSS 0.00421
Exploits 0 | References 3
EUVD | added 2025/10/03 8:07 p.m. | 2 views

EUVD-2022-3880

Malicious code in bioql PyPI...

CVSS 5.0 | AI score 6.5 | EPSS 0.00158
Exploits 0 | References 9
CVE | added 2025/08/21 12:00 a.m. | 21 views

CVE-2025-51606

CVE-2025-51606 affects hippo4j versions 1.0.0 through 1.5.0. The root cause is a hard-coded secret key used during JWT creation, enabling an attacker with access to the source code or binaries to forge valid tokens and impersonate any user, including privileged ones such as admin. The NVD metrics assign...

CVSS 8.8 | AI score 7.5 | EPSS 0.00086
Exploits 0 | References 1
RedhatCVE | added 2025/08/06 12:14 a.m. | 3 views

CVE-2025-44963

RUCKUS Network Director (RND) before 4.5 allows spoofing of an administrator JWT by an attacker who knows the hardcoded value of a certain secret key...

CVSS 9.0 | AI score 9.3 | EPSS 0.00421
Exploits 0 | References 1
OSV | added 2025/08/04 5:15 p.m. | 2 views

CVE-2025-44963

RUCKUS Network Director (RND) before 4.5 allows spoofing of an administrator JWT by an attacker who knows the hardcoded value of a certain secret key...

CVSS 8.1 | AI score 5.8 | EPSS 0.00421
Exploits 0 | References 4
Cvelist | added 2025/08/04 12:00 a.m. | 6 views

CVE-2025-44963

RUCKUS Network Director (RND) before 4.5 allows spoofing of an administrator JWT by an attacker who knows the hardcoded value of a certain secret key...

CVSS 9.0 | EPSS 0.00421
Exploits 0 | References 3
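Nearly every entry above (D-Tale, Huly, Bambuddy, hippo4j, RUCKUS Network Director, News Portal, Spree, Calibre-Web) is the same bug class: a symmetric signing key for session cookies or JWTs is a constant in the source, so anyone who can read the repository or unpack a published Docker image holds the same key as every deployment and can mint whatever identity they like. The example below, added here and not taken from any of those projects, shows the mechanics for the JWT case with HS256: a verifier that uses a hardcoded key, an attacker who forges an admin token with that key, and the hardened alternative that loads a per-deployment secret at runtime and refuses to start without one. The names HARDCODED_SECRET, APP_JWT_SECRET and the secret value itself are made up for illustration; the Flask session-cookie case (D-Tale, Calibre-Web) differs only in the serializer, not in the principle.

```python
"""Added example: forging an HS256 JWT when the signing key is hardcoded,
and the hardened replacement. Standard library only; not code from any
project listed above. HARDCODED_SECRET / APP_JWT_SECRET are made-up names.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# The vulnerable pattern from the advisories: a constant checked into source
# (and therefore shipped in every published image). Made-up value.
HARDCODED_SECRET = b"dev-secret-please-change"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. HS256 is symmetric: whoever holds `key` can both
    verify and forge, which is the whole problem with shipping it in code."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the token is well-formed, HS256, correctly signed
    under `key` and unexpired; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        return None
    return claims


def vulnerable_server_accepts(token: str) -> Optional[dict]:
    """A server written the way the advisories describe: the verification key
    is the constant above, so every deployment shares it with the attacker."""
    return verify_jwt(token, HARDCODED_SECRET)


def attacker_forges_admin_token(leaked_key: bytes, ttl_seconds: int = 3600) -> str:
    """The attacker read `leaked_key` from the repo or a pulled image and mints
    an admin token without ever authenticating."""
    claims = {"sub": "admin", "role": "admin", "exp": int(time.time()) + ttl_seconds}
    return sign_jwt(claims, leaked_key)


def load_jwt_secret(env: Optional[dict] = None, min_len: int = 32) -> bytes:
    """Hardened replacement for the constant: a per-deployment secret supplied
    at runtime (APP_JWT_SECRET is a made-up variable name), with startup
    refused if it is missing or too short to resist guessing."""
    env = os.environ if env is None else env
    value = env.get("APP_JWT_SECRET", "")
    if len(value) < min_len:
        raise RuntimeError(f"APP_JWT_SECRET must be set to at least {min_len} random characters")
    return value.encode("utf-8")


if __name__ == "__main__":
    forged = attacker_forges_admin_token(HARDCODED_SECRET)
    print("vulnerable server accepts forged admin token:", vulnerable_server_accepts(forged))
    fresh = load_jwt_secret({"APP_JWT_SECRET": os.urandom(32).hex()})
    print("server with a per-deployment secret accepts it:", verify_jwt(forged, fresh))
```

Two points the code makes that the one-line summaries do not: the attacker never touches a login endpoint (the forged token is accepted purely because the key matches), and rotating to a runtime-supplied secret is sufficient to invalidate every forged token, which is why the fixes in the entries above amount to "stop hardcoding the key" rather than any change to the token format. When triaging one of these, pull the public image and grep it for the key the advisory names; if it is there, treat every deployment that has not rotated as compromised.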