CVE-2026-32625

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol MCP server integration resolves $VAR placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any...

MAL-2026-4766 Malicious code in saas-common-lib-473815 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0142a19ba91410cc19470321caba04aa48633df937b0ed66439cccf31877a333 utils/sendemailotp.py exposes otpEmailServicetoemail, emailbody, which authenticates to smtp.gmail.com using a hardcoded sender address...

PYSEC-2026-170

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVE-2025-41258

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API...

CVE-2025-41258

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API...

PT-2026-26053

🟠 CVE-2025-41258 - High LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API. https://t.co/MJXOI2sVrJ https://t.co/WsKiIkw0M2...

Insecure Default Initialization of Resource

Overview fuxa-server is a Web-based Process Visualization SCADA/HMI/Dashboard software Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to the use of a hardcoded JWT secret in the default configuration. An attacker can gain administrative access...

CVE-2026-23958 DataEase Vulnerable to Brute-Force Attack on Admin JWT Secret Derived from Password that Enables Full Account Takeover

Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin’s password by exploiting unmonitored API endpoints...

CVE-2026-0622

Open5GS WebUI is affected by CVE-2026-0622: by default it uses hard-coded JWT signing keys (the string change-me) when JWT_SECRET_KEY is unset, allowing an unauthenticated network attacker to forge JWTs and gain access to protected WebUI endpoints (notably under /api/db/*). The issue arises from ...

CVE-2025-15108 PandaXGO PandaX JWT Secret config.yml hard-coded key

A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in use of hard-coded cryptographic key . The attack may be...

PT-2025-53624

Name of the Vulnerable Software and Affected Versions PandaXGO PandaX versions prior to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5 Description A security issue exists in PandaXGO PandaX related to the JWT Secret Handler component. The issue involves the manipulation of the key argument within the...

CVE-2025-56749

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account...