54 matches found
UBUNTU-CVE-2025-64998
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
CVE-2025-64998
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
CVE-2025-64998 Session hijacking via exposed session signing secret in distributed Checkmk setups
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
CVE-2025-64998
CVE-2025-64998 affects Checkmk versions prior to 2.4.0p23, 2.3.0p45, and 2.2.0. The issue is the exposure of the session signing secret in distributed Checkmk deployments with config sync enabled, enabling an administrator on a remote site to forge session cookies and hijack sessions on the centr...
CVE-2025-64998 Session hijacking via exposed session signing secret in distributed Checkmk setups
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
PT-2026-27382
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
CVE-2026-1461
The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured,...
CVE-2026-1461
The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured,...
CVE-2026-1461
CVE-2026-1461 affects the Simple Membership WordPress plugin (all versions up to 4.7.0) via the Stripe webhook handler. The issue is improper handling of missing values caused by validating webhook signatures only when stripe-webhook-signing-secret is configured (empty by default), enabling unaut...
PT-2026-20777
The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured,...
CVE-2026-23958
DataEase (open-source data visualization tool) prior to version 2.10.19 uses the MD5 hash of the user password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin password by abusing unmonitored API endpoints that verify JWT tokens. The vuln...
CVE-2025-59870
HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk...
CVE-2025-59870
Summary: CVE-2025-59870 affects HCL MyXalytics web applications. The issue is improper management of a static JWT signing secret that is not rotated, creating a risk to confidentiality and integrity. The cited sources consistently describe the secret as static and non-rotated across multiple feed...
CVE-2025-59870 Improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk
HCL MyXalytics v6.7 is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk...
PT-2026-3243
Name of the Vulnerable Software and Affected Versions HCL MyXalytics version 6.7 Description The web application does not rotate the JWT signing secret, resulting in improper management of a static secret. This introduces a security risk. Recommendations Rotate the JWT signing secret in the web...
CVE-2026-21894
n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stri...
CVE-2026-21894 n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stri...
EUVD-2025-201794
The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack...
CVE-2025-14261
The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack...
CVE-2025-14261 Lack of entropy allows registered low-privileged users of Litmus to crack valid JWT tokens and gain admin privileges
The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack...