127 matches found
EUVD-2026-45085
clawvet self-hosted API server apps/api before 0.7.5 hard-codes a fallback JWT secret 'clawvet-dev-secret-change-me' in auth.ts and ships it as the default in .env.example. Because GET /api/v1/scans returns scan records containing userId values without authentication, a remote unauthenticated...
CVE-2026-62241 clawvet < 0.7.5 Hard-coded JWT Secret Session Forgery
clawvet self-hosted API server apps/api before 0.7.5 hard-codes a fallback JWT secret 'clawvet-dev-secret-change-me' in auth.ts and ships it as the default in .env.example. Because GET /api/v1/scans returns scan records containing userId values without authentication, a remote unauthenticated...
CVE-2026-45336
HireFlow is a web-based interview management system for managing candidates, scheduling interviews, and tracking hiring progress. In 1.2 and earlier, app.py assigns a hard-coded Flask secretkey used to sign session cookies, allowing unauthenticated attackers who know the public source value to...
CVE-2026-45336
CVE-2026-45336 affects HireFlow’s web-based interview management system. In 1.2 and earlier, the Flask session handling used a hard-coded secret_key in app.py, allowing unauthenticated attackers who know the public source value to forge cookies containing role=admin and user_id values and bypass ...
CVE-2026-11746
A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper...
EUVD-2026-38207
A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper...
CVE-2026-25600
The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable. This secret is used by the application’s encryption routines, including the function responsible for decrypting credentials stored in the product’s configuration file. Because the secret is constant...
CVE-2026-25600
The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable. This secret is used by the application’s encryption routines, including the function responsible for decrypting credentials stored in the product’s configuration file. Because the secret is constant...
CVE-2026-25600 Credential Exposure Vulnerability in Trac PDBM
The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable. This secret is used by the application’s encryption routines, including the function responsible for decrypting credentials stored in the product’s configuration file. Because the secret is constant...
CVE-2026-25600
The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable. This secret is used by the application’s encryption routines, including the function responsible for decrypting credentials stored in the product’s configuration file. Because the secret is constant...
CVE-2026-25600 Credential Exposure Vulnerability in Trac PDBM
The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable. This secret is used by the application’s encryption routines, including the function responsible for decrypting credentials stored in the product’s configuration file. Because the secret is constant...
DjangoBlog 安全漏洞
DjangoBlog is a blog system developed by liangliangyy using Django. Versions of DjangoBlog 2.1.0.0 and earlier had security vulnerabilities. These vulnerabilities stemmed from the use of the parameter SECRETKEY in the file djangoblog/settings.py, which resulted in hard-coded credentials,...
PYSEC-2026-63
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visi...
CVE-2025-69971
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...
GHSA-2R8F-CF6W-X5VQ Duplicate Advisory: FUXA contains a hard-coded credential vulnerability
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c8m8-3jcr-6rj5. This link is maintained to preserve external references. Original Description FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a...
Duplicate Advisory: FUXA contains a hard-coded credential vulnerability
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c8m8-3jcr-6rj5. This link is maintained to preserve external references. Original Description FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a...
CVE-2025-69971
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...
CVE-2025-69971
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...
CVE-2025-69971
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...
PT-2026-6348
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...