Insecure Defaults

Overview ingenious is an An enterprise-grade Python library for quickly setting up APIs to interact with AI Agents Affected versions of this package are vulnerable to Insecure Defaults in the form of a hardcoded fallback JWT key in jwt.py, which may be used under certain circumstances if one is n...

CVE-2024-46612

IceCMS v3.4.7 and before was discovered to contain a hardcoded JWT key, allowing an attacker to forge JWT authentication information...

CVE-2022-35540

Hardcoded JWT Secret in AgileConfig 1.6.8 Server allows remote attackers to use the generated JWT token to gain administrator access...

Authentication Bypass

Dpanel is vulnerable to Authentication Bypass. The vulnerability is due to use of a hardcoded JWT secret due to the default configuration embedding a static secret, allowing attackers to forge valid tokens and gain unauthorized administrative access...

CVE-2025-30206

Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers ...

CVE-2025-30206

Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers ...

Dpanel's hard-coded JWT secret leads to remote code execution

Summary The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. Details The Dpanel service, when initiated using its default configuration, includes a hardcoded JWT secret embedded directly...

PT-2025-16384

Name of the Vulnerable Software and Affected Versions Dpanel versions prior to 1.6.1 Description The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw enables attackers t...

CVE-2024-46612

IceCMS v3.4.7 and earlier versions contain a hardcoded JWT key, enabling an attacker to forge JWT authentication information. Affected component is the authentication/key handling within IceCMS. Impact is authenticated access forgery with high severity as described in cited sources; exploitation ...

CVE-2024-46612

IceCMS v3.4.7 and before was discovered to contain a hardcoded JWT key, allowing an attacker to forge JWT authentication information...

GHSA-CP2C-X2PC-FPH7 Apache SeaTunnel Web Authentication vulnerability

Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affect...

Apache SeaTunnel Web Authentication vulnerability

Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affect...

CVE-2023-48396 Apache SeaTunnel Web: Authentication bypass

Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affect...

CVE-2023-48396

CVE-2023-48396 concerns an authentication bypass in Apache SeaTunnel (v1.0.0). The underlying issue is a hardcoded JWT secret in the application, enabling an attacker to forge tokens and log in as any user. The secret key can be retrieved from the file path shown in the reports (seatunnel-app/src...

CVE-2023-48396 Apache SeaTunnel Web: Authentication bypass

Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affect...

CVE-2024-28194 Authentication Bypass Because of Hardcoded JWT Secret in your_spotify

yourspotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions 1.8.0 use a hardcoded JSON Web Token JWT secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows...

Moxa MXsecurity Series Hardcoded JWT Key Authentication Bypass Vulnerability

This vulnerability allows remote attackers to bypass authentication on affected installations of Moxa MXsecurity Series appliances. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the web-based interface. The issue results from a...

PT-2022-26691 · Goadmin · Go-Admin

Name of the Vulnerable Software and Affected Versions: go-admin aka GO Admin version 2.0.12 Description: The issue concerns the use of a hardcoded string 'go-admin' as a production JWT key in go-admin. Recommendations: For go-admin version 2.0.12, update the JWT key to a secure, randomly generate...

CVE-2022-35540

CVE-2022-35540 concerns AgileConfig prior to 1.6.8 where a hard-coded JWT secret in the server enables remote attackers to forge a token and gain administrator access. The issue, documented across multiple sources (Red Hat, GHSA, OSV, NVD), attributes the root cause to an inline secret, allowing ...

Hardcoded JWT Token in Lin CMS Spring Boot

An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application...