50 matches found
CVE-2026-40934
A flaw was found in Jupyter Server. The secret used to sign authentication cookies is not rotated when a user changes their password, allowing previously issued authentication cookies to remain valid. A remote attacker who has captured a session cookie can retain full authenticated access to the...
slack-go `SecretsVerifier` accepts empty signing secret without precondition
go func NewSecretsVerifierheader http.Header, secret string SecretsVerifier, error hash := hmac.Newsha256.New, bytesecret // raw secret, no precondition...
GHSA-GXHX-2686-5H9G slack-go `SecretsVerifier` accepts empty signing secret without precondition
go func NewSecretsVerifierheader http.Header, secret string SecretsVerifier, error hash := hmac.Newsha256.New, bytesecret // raw secret, no precondition...
PYSEC-2026-69
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at /.local/share/jupyter/runtime/jupytercookiesecret and is never rotated when a user changes their password. After a password...
DEBIAN-CVE-2026-40934
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at /.local/share/jupyter/runtime/jupytercookiesecret and is never rotated when a user changes their password. After a password...
CVE-2026-40934
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at /.local/share/jupyter/runtime/jupytercookiesecret and is never rotated when a user changes their password. After a password...
CVE-2026-40934
CVE-2026-40934 affects Jupyter Server up to version 2.17.0, where the signing secret for authentication cookies is stored at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated on password changes. After a password reset and server restart, previously issued cookies remain c...
EUVD-2026-19748
Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signi...
CVE-2026-1114
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...
GHSA-MCWW-4HXQ-HFR3 LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass
Subject: Security Vulnerability Report Hardcoded JWT Secret CVE-2026-30762 Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret Type: Improper Authentication...
CVE-2025-64998
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
EUVD-2014-9820
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when...
CVE-2014-125112 Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when...
EUVD-2025-208958
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
CVE-2025-64998
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
UBUNTU-CVE-2025-64998
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
CVE-2025-64998
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
CVE-2025-64998 Session hijacking via exposed session signing secret in distributed Checkmk setups
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
CVE-2025-64998
CVE-2025-64998 affects Checkmk versions prior to 2.4.0p23, 2.3.0p45, and 2.2.0. The issue is the exposure of the session signing secret in distributed Checkmk deployments with config sync enabled, enabling an administrator on a remote site to forge session cookies and hijack sessions on the centr...
CVE-2025-64998 Session hijacking via exposed session signing secret in distributed Checkmk setups
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...