202 matches found
Exploit for CVE-2026-21994
CVE-2026-21994 Summary Oracle OKIT oci-designer-tool...
GHSA-C8M8-3JCR-6RJ5 FUXA has a hardcoded fallback JWT signing secret
FUXA used a static fallback JWT signing secret frangoteam751 when no secretCode was configured. If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication. This issue has been addressed in...
FUXA has a hardcoded fallback JWT signing secret
FUXA used a static fallback JWT signing secret frangoteam751 when no secretCode was configured. If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication. This issue has been addressed in...
CVE-2026-27167
A flaw was found in Gradio. When Gradio applications run outside of Hugging Face Spaces and use OAuth components, they automatically enable "mocked" OAuth routes. A remote attacker can exploit this by visiting the /login/huggingface endpoint, which causes the server to retrieve its Hugging Face H...
GHSA-H3H8-3V2V-RG7M Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret
Summary Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingfacehub.gettoken and stores it...
CVE-2026-27167
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visi...
CVE-2026-27167
Gradio, in versions 4.16.0 through 6.5.x, running outside Hugging Face Spaces enables mocked OAuth routes when OAuth components are used. Visiting /login/huggingface causes the server to fetch its HF token via hugggingface_hub.get_token() and store it in the visitor’s session cookie, which is sig...
CVE-2026-27167 Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visi...
PT-2026-22405
Name of the Vulnerable Software and Affected Versions Gradio versions 4.16.0 through 6.5.9 Description Gradio is a Python package for rapid prototyping. Applications running outside of Hugging Face Spaces, versions 4.16.0 through 6.5.9, improperly handle OAuth components like gr.LoginButton...
CVE-2025-14892
The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...
📄 Patients Waiting Area Queue Management System 1.0 SQL Injection
Patients Waiting Area Queue Management System version 1.0 is vulnerable to SQL injection due to improper sanitization on the appointmentID parameter. Authentication bypass and full database dump are possible. The application also appears to have a hardcoded JWT key, suffers from a username...
CVE-2025-14892
The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...
CVE-2025-14892
The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...
CVE-2025-14892 Prime Listing Manager <= 1.1 - Unauthenticated Privilege Escalation
The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...
CVE-2025-14892
CVE-2025-14892 affects the WordPress plugin Prime Listing Manager (
CVE-2025-14892 Prime Listing Manager <= 1.1 - Unauthenticated Privilege Escalation
The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...
PT-2026-7819
The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...
CVE-2026-25894 FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
FUXA is a web-based Process Visualization SCADA/HMI/Dashboard software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is...
CVE-2026-25894
FUXA (web-based Process Visualization) contains an insecure default configuration that allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. The root cause is a hardcoded admin JWT secret in the default configuration, affecting versions...
CVE-2026-25894 FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
FUXA is a web-based Process Visualization SCADA/HMI/Dashboard software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is...