22 matches found

NVD (added 2026/06/26 8:17 p.m., 6 views)

CVE-2026-46386

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic...

CVSS 9.9 | EPSS 0.00272 | Exploits 0 | References 1
ATTACKERKB (added 2026/06/26 7:26 p.m., 8 views)

CVE-2026-46386

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic...

CVSS 9.9 | AI score 5.8 | EPSS 0.00272 | Exploits 0 | References 2 | Affected Software 1
CVE (added 2026/06/26 7:26 p.m., 12 views)

CVE-2026-46386

OpenProject’s official docker image ships SECRET_KEY_BASE=OVERWRITE_ME and cookies_serializer = :marshal, creating a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader. This enables potential pre-authentication remote code execution, as noted in the ...

CVSS 9.9 | AI score 5.8 | EPSS 0.00272 | Exploits 0 | References 1
NVD (added 2026/05/28 7:16 p.m., 17 views)

CVE-2026-45039

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret in crates/ecstore/src/rpc/httpauth.rs, falls back to...

CVSS 9.8 | EPSS 0.00268 | Exploits 0 | References 1
Cvelist (added 2026/05/28 6:39 p.m., 34 views)

CVE-2026-45039 RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer impersonation

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret in crates/ecstore/src/rpc/httpauth.rs, falls back to...

CVSS 9.8 | EPSS 0.00268 | Exploits 0 | References 1
RedhatCVE (added 2026/02/08 1:03 p.m., 13 views)

CVE-2026-1675

The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for...

CVSS 5.3 | AI score 5.4 | EPSS 0.00342 | Exploits 0 | References 1
NVD (added 2026/02/07 9:16 a.m., 4 views)

CVE-2026-1675

The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for...

CVSS 5.3 | EPSS 0.00342 | Exploits 0 | References 5
Cvelist (added 2026/02/07 8:26 a.m., 29 views)

CVE-2026-1675 Advanced Country Blocker <= 2.3.1 - Unauthenticated Authorization Bypass via Insecure Default Secret Key

The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for...

CVSS 5.3 | EPSS 0.00342 | Exploits 0 | References 5
Vulnrichment (added 2026/02/07 8:26 a.m., 6 views)

CVE-2026-1675 Advanced Country Blocker <= 2.3.1 - Unauthenticated Authorization Bypass via Insecure Default Secret Key

The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for...

CVSS 5.3 | AI score 5.5 | EPSS 0.00342 | Exploits 0 | References 4
CVE (added 2026/02/07 8:26 a.m., 22 views)

CVE-2026-1675

The CVE-2026-1675 entry concerns the WordPress plugin Advanced Country Blocker. It affects all versions up to and including 2.3.1, where a predictable default value for the secret bypass key is created during installation and users are not required to change it, enabling unauthenticated attackers to bypass the geolocation ...

CVSS 5.3 | AI score 5.4 | EPSS 0.00342 | Exploits 0 | References 5
Patchstack (added 2026/02/06 11:51 p.m., 7 views)

WordPress Advanced Country Blocker plugin <= 2.3.1 - Unauthenticated Authorization Bypass via Insecure Default Secret Key vulnerability

Unauthenticated Authorization Bypass via Insecure Default Secret Key vulnerability discovered by Hector Flores in WordPress Plugin Advanced Country Blocker versions <= 2.3.1...

CVSS 5.3 | AI score 5.3 | EPSS 0.00342 | Exploits 0 | References 1 | Affected Software 1
Github Security Blog (added 2025/12/09 5:42 p.m., 10 views)

Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments

Impact: CVE-2025-13877 is an authentication bypass vulnerability caused by insecure default JWT key usage in NocoBase Docker deployments. Because the official one-click Docker deployment configuration historically provided a public default JWT key, attackers can forge valid JWT tokens without...

CVSS 6.3 | AI score 7.3 | EPSS 0.00262 | Exploits 0 | References 14 | Affected Software 1
Vulnrichment (added 2025/07/08 11:22 p.m., 2 views)

CVE-2025-4855 Support Board <= 3.8.0 - Unauthenticated Authorization Bypass due to Use of Default Secret Key

The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization...

CVSS 9.8 | AI score 7.7 | EPSS 0.00338 | Exploits 0 | References 2
RedhatCVE (added 2025/02/05 8:07 a.m., 8 views)

CVE-2024-29037

datahub-helm provides the Kubernetes Helm charts for deploying Datahub and its dependencies on a Kubernetes cluster. Starting in version 0.1.143 and prior to version 0.2.182, due to configuration issues in the helm chart, if there was a successful initial deployment during a limited window of tim...

CVSS 9.1 | AI score 7.1 | EPSS 0.00605 | Exploits 0 | References 1
VulnCheck KEV (added 2024/01/08 12:00 a.m., 5 views)

VulnCheck KEV: CVE-2023-27524

Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions...

CVSS 9.8 | AI score 7.4 | EPSS 0.97405 | Exploits 20 | References 1
0day.today (added 2023/10/15 12:00 a.m., 1043 views)

Apache Superset 2.0.0 Remote Code Execution Exploit

Apache Superset versions 2.0.0 and below utilize Flask with a known default secret key which is used to sign HTTP cookies. These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that of an administrator, and re-sign the cooki...

CVSS 9.8 | AI score 7.7 | EPSS 0.97405 | Exploits 20
BDU FSTEC (added 2023/05/26 12:00 a.m., 5 views)

Insecure resource initialization in the Apache Superset data visualization software allows attackers to bypass established access controls.

The vulnerability in the Apache Superset data visualization software is related to insecure initialization of resources. A remote attacker can exploit it to bypass established access controls, provided that SECRET_KEY has been left at its default value...

CVSS 10 | AI score 7.8 | EPSS 0.97405 | Exploits 20 | References 6 | Affected Software 1
Veracode (added 2023/05/01 11:21 p.m., 40 views)

Authentication Bypass

apache-superset is vulnerable to Authentication Bypass. The vulnerability is due to a default secret key, which allows an attacker to authenticate and access unauthorized resources when the default SECRET_KEY configuration is not changed as the installation instructions require...

CVSS 9.8 | AI score 8.7 | EPSS 0.97405 | Exploits 20 | References 10 | Affected Software 1
The Hacker News (added 2023/04/26 9:29 a.m., 5 views)

Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks

The maintainers of the Apache Superset open source data visualization software have released fixes to plug an insecure default configuration that could lead to remote code execution. The vulnerability, tracked as CVE-2023-27524 (CVSS score: 8.9), impacts versions up to and including 2.0.1 and relat...

CVSS 9.8 | AI score 7.3 | EPSS 0.97405 | Exploits 20
OSV (added 2021/04/20 4:40 p.m., 7 views)

GHSA-7MX5-X372-XH87 Incorrect Session Validation in Apache Airflow

Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have...

CVSS 8.3 | AI score 5.8 | EPSS 0.23336 | Exploits 0 | References 14