CVE-2026-45631

Dokploy is a free, self-hostable Platform as a Service PaaS. From 0.27.0 to before 0.29.3, a hardcoded BETTERAUTHSECRET fallback "better-auth-secret-123456789" lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the...

Linux Distros Unpatched Vulnerability : CVE-2026-44699

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an...

CVE-2026-25538 Devtron Attributes API Unauthorized Access Leading to API Token Signing Key Leakage

Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user including low-privileged CI/CD Developers to obtain the global API Token signing key by accessing the...

PT-2026-6398

Devtron Attributes API Unauthorized Access Leading to API Token Signing Key Leakage Summary This vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user including low-privileged CI/CD Developers to obtain the global API Token signing key by accessing the...

CVE-2025-11760 eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams <= 1.5.6 - Unauthenticated Sensitive Information Exposure

The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting vie...

CVE-2024-52295

DataEase is an open source data visualization analysis tool. Prior to 2.10.2, DataEase allows attackers to forge jwt and take over services. The JWT secret is hardcoded in the code, and the UID and OID are hardcoded. The vulnerability has been fixed in v2.10.2...

CVE-2024-57432

macrozheng mall-tiny 1.0.1 suffers from Insecure Permissions. The application's JWT signing keys are hardcoded and do not change. User information is explicitly written into the JWT and used for subsequent privilege management, making it is possible to forge the JWT of any user to achieve...

CVE-2024-33625

The CVE-2024-33625 issue affects CyberPower PowerPanel Business software (PowerPanel business) where the application code contains a hard-coded JWT signing key, enabling attacker forgery of JWT tokens and bypass of authentication. The documented remediation is to update to PowerPanel business ver...

Milesight MilesightVPN requestHandlers.js verifyToken authentication bypass vulnerability

Talos Vulnerability Report TALOS-2023-1700 Milesight MilesightVPN requestHandlers.js verifyToken authentication bypass vulnerability July 6, 2023 CVE Number CVE-2023-22844 SUMMARY An authentication bypass vulnerability exists in the requestHandlers.js verifyToken functionality of Milesight VPN...

CVE-2021-32631

Common is a package of common modules that can be accessed by NIMBLE services. Common before commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 did not properly verify the signature of JSON Web Tokens. This allows someone to forge a valid JWT. Being able to forge JWTs may lead to authenticati...

Exploit for Improper Authentication in Magic_Home_Pro_Project Magic_Home_Pro

CVE-2020-27199 Magic Home Pro - Authentication Bypass !mag...

CVE-2017-11424

In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...