310 matches found
Calendar app used predictable proposal participant tokens
None...
Use of Hard-coded Cryptographic Key
Overview arcade-mcp-server is a Model Context Protocol MCP server framework for Arcade.dev Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key via the HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal...
CVE-2025-59390 Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly.
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the druid.auth.authenticator.kerberos.cookieSignatureSecret configuration is not explicitly set. In this case, the secret is generated using ThreadLocalRandom, which is not a crypto-graphically secure random number generator...
CVE-2025-59390
Apache Druid’s Kerberos authenticator is affected. If the configuration druid.auth.authenticator.kerberos.cookieSignatureSecret is not set, a weak fallback secret is generated with ThreadLocalRandom, which is not cryptographically secure. This can allow an attacker to predict or brute‑force the c...
UBUNTU-CVE-2025-11990
GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses...
aEnrich a+HRD 安全漏洞
aEnrich a+HRD is a full-service human resources development solution from Acer China aEnrich. A security vulnerability exists in aEnrich a+HRD, which stems from authentication misuse and could allow an unauthenticated remote attacker to forge an administrator access token and elevate privileges t...
CVE-2025-63691
In pig-mesh In Pig version 3.8.2 and below, within the Token Management function under the System Management module, the token query interface /api/admin/sys-token/page has an improper permission verification issue, which leads to information leakage. This interface can be called by any user who...
Exploit for CVE-2025-9209
🍔 RestroPress – Online Food Ordering System 3.0.0 - 3.1.9.2...
EUVD-2025-36186
StarCharge Artemis AC Charger 7-22 kW v1.0.4 was discovered to contain a hardcoded AES key which allows attackers to forge or decrypt valid login tokens...
CVE-2025-52268
StarCharge Artemis AC Charger 7-22 kW v1.0.4 was discovered to contain a hardcoded AES key which allows attackers to forge or decrypt valid login tokens...
PT-2025-43959
Name of the Vulnerable Software and Affected Versions StarCharge Artemis AC Charger version 1.0.4 Description The StarCharge Artemis AC Charger version 1.0.4 contains a hardcoded AES key. This allows attackers to forge or decrypt valid login tokens. Recommendations At the moment, there is no...
CVE-2025-52268
CVE-2025-52268 affects StarCharge Artemis AC Charger 7-22 kW v1.0.4. The issue is a hardcoded AES key that enables attackers to forge or decrypt valid login tokens. Documented across multiple sources (NVD, Red Hat, ENISA/EUVD, CVE list, CNNVD) with the same vulnerability description. Exploitation...
StarCharge Artemis AC Charger 安全漏洞
StarCharge Artemis AC Charger is an AC charger from StarCharge Singapore. A security vulnerability exists in the StarCharge Artemis AC Charger version 7-22 kW 1.0.4, which stems from the use of a hard-coded AES key, which could allow an attacker to forge or decrypt a valid login token...
CVE-2025-12221 CSRF Token not Properly Implemented
Busybox 1.31.1 - Multiple Known Vulnerabilities.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...
CVE-2025-54808
Oxford Nanopore Technologies' MinKNOW software at or prior to version 24.11 stores authentication tokens in a file located in the system's temporary directory /tmp on the host machine. This directory is typically world-readable, allowing any local user or application to access the token. If the...
CVE-2025-6950
An Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens JWT used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid...
CVE-2025-56749
Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account...
EUVD-2025-34570
The Keyy Two Factor Authentication like Clef plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. This is due to the plugin not properly validating a user's identity associated with a token generated. This makes it possible f...
CVE-2025-56749
The CVE-2025-56749 issue affects Creativeitem Academy LMS up to version 6.14, where a hardcoded default JWT secret allows forging valid tokens, enabling authentication bypass and unauthorized access to user accounts. Multiple connected sources corroborate the vulnerability across NVD, Red Hat, EN...
CVE-2025-56749
Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account...