1576 matches found

Github Security Blog
added 2026/02/05 12:36 a.m. | 7 views

FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration

Description An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This...

CVSS 9.8 | AI score 6.3 | EPSS 0.00759
Exploits 0 | References 5 | Affected Software 1
Snyk
added 2026/02/04 10:04 p.m. | 3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the attribute handling logic in restHandler/AttributesRestHandlder.go, which is accessible over the /attributes endpoint with /orchestrator/attributes?key=apiTokenSecret. A user can obtain the global API Token...

CVSS 8.8 | AI score 6.7 | EPSS 0.00393
Exploits 1 | References 2
CVE
added 2026/02/04 9:37 p.m. | 12 views

CVE-2026-25538

Devtron CVE-2026-25538 affects the open-source Devtron Kubernetes integration platform (versions up to 2.0.0). A vulnerability in the Attributes API interface allows any authenticated user to access /orchestrator/attributes?key=apiTokenSecret, exposing the global API Token signing key. With the k...

CVSS 8.8 | AI score 5.5 | EPSS 0.00393
Exploits 1 | References 2 | Affected Software 1
OSV
added 2026/02/04 9:31 p.m. | 4 views

CVE-2026-25537 jsonwebtoken has Type Confusion that leads to potential authorization bypass

jsonwebtoken is a JWT library in Rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically in its claim validation logic. When a standard claim such as nbf or exp is provided with an incorrect JSON type, like a String instead of a Number, the library's...

CVSS 6.9 | AI score 5.4 | EPSS 0.00443
Exploits 1 | References 4
Cvelist
added 2026/02/04 8:06 p.m. | 25 views

CVE-2026-25505 Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication

Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and many API routes do not check authentication. This issue has been patched in version 0.1.7...

CVSS 9.8 | EPSS 0.00724
Exploits 1 | References 7
CVE
added 2026/02/04 8:06 p.m. | 20 views

CVE-2026-25505

CVE-2026-25505 affects Bambuddy (self-hosted print archive/management for Bambu Lab printers). Root cause: hardcoded secret key used to sign JWTs and many API endpoints do not require authentication, enabling unauthorized access. Impact in the documented disclosures is high (unauthorized admin-li...

CVSS 9.8 | AI score 5.4 | EPSS 0.00724
Exploits 1 | References 7 | Affected Software 1
ATTACKERKB
added 2026/02/04 8:06 p.m. | 6 views

CVE-2026-25505

Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and many API routes do not check authentication. This issue has been patched in version 0.1.7...

CVSS 9.8 | AI score 5.4 | EPSS 0.00724
Exploits 1 | References 4 | Affected Software 1
IBM Security Bulletins
added 2026/02/04 6:34 p.m. | 7 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in PyJWT-2.10.1-py3-none-any.whl

Summary IBM Watson Discovery Cartridge affected by vulnerability in PyJWT-2.10.1-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-45768 DESCRIPTION: pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the...

CVSS 7 | AI score 5.3 | EPSS 0.00153
Exploits 0 | Affected Software 1
CNNVD
added 2026/02/04 12:00 a.m. | 3 views

jsonwebtoken security vulnerability

jsonwebtoken is an implementation of JSON Web Tokens developed by Auth0 as open source. Versions of jsonwebtoken prior to 10.3.0 contain a security vulnerability. It stems from type confusion in the claim validation logic, which could lead to bypassing...

CVSS 7.5 | AI score 5.8 | EPSS 0.00443
Exploits 1 | References 2
OSV
added 2026/02/03 6:47 p.m. | 3 views

GHSA-H395-GR6Q-CPJC jsonwebtoken has Type Confusion that leads to potential authorization bypass

Summary: It has been discovered that there is a Type Confusion vulnerability in jsonwebtoken, specifically in its claim validation logic. When a standard claim such as nbf or exp is provided with an incorrect JSON type, like a String instead of a Number, the library's internal parsing mechanism...

CVSS 6.9 | AI score 5.8 | EPSS 0.00443
Exploits 1 | References 4
Snyk
added 2026/02/03 6:30 p.m. | 4 views

Use of Hard-coded Credentials

Overview fuxa-server is a Web-based Process Visualization SCADA/HMI/Dashboard software Affected versions of this package are vulnerable to Use of Hard-coded Credentials via the jwt-helper.js when verifying JWT tokens. An attacker can gain unauthorized administrative access by forging valid tokens...

CVSS 9.8 | AI score 5.5 | EPSS 0.02036
Exploits 0 | References 2
NVD
added 2026/02/03 6:16 p.m. | 10 views

CVE-2025-69971

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...

CVSS 9.8 | EPSS 0.02036
Exploits 0 | References 1
Positive Technologies
added 2026/02/03 12:00 a.m. | 3 views

PT-2026-6510

Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet...

AI score 5.5
Exploits 0 | References 3
Positive Technologies
added 2026/02/03 12:00 a.m. | 4 views

PT-2026-6431

Summary: It has been discovered that there is a Type Confusion vulnerability in jsonwebtoken, specifically in its claim validation logic. When a standard claim such as nbf or exp is provided with an incorrect JSON type, like a String instead of a Number, the library's internal parsing mechanism...

CVSS 6.9 | AI score 5.7 | EPSS 0.00443
Exploits 1 | References 5
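The OSV, CNNVD and Positive Technologies entries above all describe the same defect class: a time claim (exp, nbf) that arrives with the wrong JSON type is skipped instead of rejected, so an expired token can still pass validation. The Python below is an added illustration, not code from the jsonwebtoken crate (which is Rust) or from any of the advisories. It puts a lenient validator that models that failure mode beside a strict one that treats a mistyped exp/nbf/iat as a hard rejection. The claim names are the RFC 7519 registered ones; NOW and the SAMPLES claim sets are constructed for the demonstration.

```python
from typing import Any, Dict, Mapping, Tuple


class InvalidToken(Exception):
    """Raised by the strict validator for any claim it cannot accept."""


def lenient_time_check(claims: Mapping[str, Any], now: int) -> bool:
    """Lenient validator (the bug): exp/nbf are compared only when they are
    already numbers; any other type is silently ignored. A string-typed
    'exp' is therefore never checked, so an expired token is accepted."""
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and now >= exp:
        return False
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf:
        return False
    return True


def strict_time_check(claims: Mapping[str, Any], now: int,
                      leeway: int = 0, require: Tuple[str, ...] = ("exp",)) -> bool:
    """Strict validator: every time claim that is present must be a JSON
    number (Python bool is excluded because it subclasses int), required
    claims must be present, and a wrong type is a rejection, not a skip."""
    for name in ("exp", "nbf", "iat"):
        if name in claims:
            value = claims[name]
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                raise InvalidToken(f"claim {name!r} must be a JSON number, got {type(value).__name__}")
    for name in require:
        if name not in claims:
            raise InvalidToken(f"required claim {name!r} missing")
    if "exp" in claims and now >= claims["exp"] + leeway:
        raise InvalidToken("token expired")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise InvalidToken("token not yet valid")
    return True


def compare(claims: Mapping[str, Any], now: int) -> Tuple[bool, bool]:
    """Return (lenient_accepts, strict_accepts) for one claim set."""
    lenient = lenient_time_check(claims, now)
    try:
        strict = strict_time_check(claims, now)
    except InvalidToken:
        strict = False
    return lenient, strict


# Constructed fixed "current time" so the results are deterministic.
NOW = 1_700_000_000

# Constructed claim sets; the *_string cases carry the mistyped claims the
# advisories describe (a numeric timestamp serialised as a JSON string).
SAMPLES: Dict[str, Dict[str, Any]] = {
    "valid": {"sub": "alice", "exp": NOW + 60},
    "expired_number": {"sub": "alice", "exp": NOW - 60},
    "expired_string": {"sub": "alice", "exp": str(NOW - 60)},
    "nbf_string_future": {"sub": "alice", "exp": NOW + 60, "nbf": str(NOW + 3600)},
    "no_exp": {"sub": "alice"},
}


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run every sample through both validators."""
    return {name: compare(claims, NOW) for name, claims in SAMPLES.items()}


if __name__ == "__main__":
    for name, (lenient, strict) in demo().items():
        print(f"{name:18s} lenient={lenient!s:5s} strict={strict}")
```

The two columns differ exactly on the mistyped and missing-claim cases: the lenient checker accepts an expired token whose exp is a string and a token with no exp at all, while the strict checker rejects both. Whichever library you use, the check to make in review is that a claim of the wrong type produces an error rather than being treated as absent.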
EUVD
added 2026/02/03 12:00 a.m. | 4 views

EUVD-2025-206717

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...

AI score 5.5 | EPSS 0.02036
Exploits 0 | References 1
Tenable Nessus
added 2026/01/30 12:00 a.m. | 8 views

Delta Electronics DIAView Hard-coded JWT Secret Key (CVE-2025-62581)

Binary data deltaelectronicsdiaviewcve-2025-62581.nbin...

CVSS 9.8 | AI score 5.9 | EPSS 0.00525
Exploits 0 | References 2
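The FUXA, Bambuddy and Delta DIAView entries above share one root cause: the JWT signing secret either ships in the source tree or is left at a default when the operator does not configure one, so anyone who can read the public code can mint an admin token that verifies. The Python below is an added example, not code from any of those projects: a standard-library HS256 signer and verifier, the fallback-to-default pattern that produces the bug, and a startup check that refuses to run without a unique configured secret. SHIPPED_DEFAULT_SECRET, the JWT_SECRET environment variable name and the claim set are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed placeholder standing in for a secret committed to source or
# left at its default; not the value used by any real product.
SHIPPED_DEFAULT_SECRET = "change-me-default-secret"
MIN_SECRET_BYTES = 32


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the signature is valid under `secret`, else None.
    HS256 is always recomputed regardless of the header's alg field, so a
    forged header cannot downgrade the check (the 'alg confusion' trap)."""
    try:
        header, payload, sig = token.split(".")
        provided = _b64url_decode(sig)
        expected = hmac.new(secret.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, provided):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None


def vulnerable_server_secret(env: Dict[str, str]) -> str:
    """The bug: a secret that ships with the code is used whenever the
    operator did not set one, and it is the same on every install."""
    return env.get("JWT_SECRET", SHIPPED_DEFAULT_SECRET)


def hardened_server_secret(env: Dict[str, str]) -> str:
    """Fail closed at startup: no fallback, no known default, minimum length."""
    secret = env.get("JWT_SECRET")
    if not secret or secret == SHIPPED_DEFAULT_SECRET or len(secret.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError("JWT_SECRET must be set to a unique value of at least 32 bytes")
    return secret


def attacker_forges_admin(server_secret: str) -> Optional[dict]:
    """The attacker reads the default from the public code, mints an admin
    token with it, and presents it to a server using `server_secret`."""
    forged = sign_hs256({"sub": "admin", "role": "admin", "exp": int(time.time()) + 3600},
                        SHIPPED_DEFAULT_SECRET)
    return verify_hs256(forged, server_secret)


def demo() -> Dict[str, bool]:
    unconfigured: Dict[str, str] = {}                       # operator never set JWT_SECRET
    configured = {"JWT_SECRET": secrets.token_urlsafe(48)}  # per-install random secret

    results = {}
    # Vulnerable code on an unconfigured install: the forged admin token verifies.
    results["vulnerable_accepts_forged"] = attacker_forges_admin(vulnerable_server_secret(unconfigured)) is not None
    # Same code with a unique secret: the forgery fails, but only if the operator remembered.
    results["vulnerable_with_unique_secret"] = attacker_forges_admin(vulnerable_server_secret(configured)) is not None
    # Hardened code makes the unconfigured deployment impossible to start.
    try:
        hardened_server_secret(unconfigured)
        results["hardened_refuses_default"] = False
    except RuntimeError:
        results["hardened_refuses_default"] = True
    results["hardened_accepts_forged"] = attacker_forges_admin(hardened_server_secret(configured)) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the startup check is that the fix is not "tell operators to change the secret" but "make the product unable to run with the shipped one". When auditing a deployment, also assume any secret that was ever committed is public and rotate it; a token minted under the old secret stays valid until the secret changes, regardless of its exp.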
RedHat Linux
added 2026/01/29 7:02 a.m. | 2 views

golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing

A flaw was found in the golang-jwt implementation of JSON Web Tokens (JWT). In affected versions, a malicious request with specially crafted Authorization header data may trigger excessive consumption of resources on the host system. This issue can cause significant performance degradation or an...

CVSS 7.5 | AI score 7.1 | EPSS 0.00645
Exploits 0 | References 7
CNVD
added 2026/01/29 12:00 a.m. | 2 views

HCL AION Security Bypass Vulnerability (CNVD-2026-16404)

HCL AION is an AI lifecycle management platform from HCL India. HCL AION suffers from a security vulnerability caused by JWT tokens with an excessively long expiration time, which increases the risk of token misuse. An attacker can exploit the vulnerability to gain unauthorized access...

CVSS 5.3 | AI score 5.8 | EPSS 0.0015
Exploits 0
IBM Security Bulletins
added 2026/01/27 7:00 a.m. | 10 views

Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is impacted by vulnerabilities in Nimbus JOSE+JWT

Summary Vulnerabilities have been identified in Nimbus JOSE+JWT, which is used in IBM Engineering Lifecycle Management - Jazz Foundation. Vulnerability Details CVEID:CVE-2025-53864 DESCRIPTION: Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to...

CVSS 5.8 | AI score 5.9 | EPSS 0.00806
Exploits 0 | Affected Software 1
Snyk
added 2026/01/27 12:55 a.m. | 4 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the FindContainer function. An attacker can gain unauthorized interactive shell access to containers outside their permitted label scope by directly targeting container IDs through th...

CVSS 9.9 | AI score 5.9 | EPSS 0.00385
Exploits 1 | References 2