Lucene search
K

190 matches found

Github Security Blog
Github Security Blog
added 2025/12/02 5:55 p.m.6 views

arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

Summary The arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This...

6.5CVSS7.5AI score0.00281EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2025/12/02 5:55 p.m.5 views

EUVD-2025-200280

arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints...

6.5CVSS6.4AI score0.00281EPSS
Exploits0References6
CVE
CVE
added 2025/11/17 9:38 p.m.17 views

CVE-2025-64766

The CVE describes a hard-coded secret in the NixOS module for OnlyOffice document server affecting OnlyOffice 22.11–25.05 (and pre-Unstable 25.11). A knowledge of an existing revision ID could allow an attacker to access documents protected by this secret, exposing known documents of users with e...

5.3CVSS6.4AI score0.00246EPSS
Exploits0References5
Cvelist
Cvelist
added 2025/11/17 9:38 p.m.11 views

CVE-2025-64766 NixOS has hardcoded credentials in Onlyoffice module

NixOS's Onlyoffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before Unstable 25.11, a hard-coded secret was used in the NixOS module for the OnlyOffice document server to protec...

5.3CVSS0.00246EPSS
Exploits0References5
OSV
OSV
added 2025/11/17 9:38 p.m.5 views

CVE-2025-64766 NixOS has hardcoded credentials in Onlyoffice module

NixOS's Onlyoffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before Unstable 25.11, a hard-coded secret was used in the NixOS module for the OnlyOffice document server to protec...

5.3CVSS6.7AI score0.00246EPSS
Exploits0References7
CNVD
CNVD
added 2025/11/05 12:0 a.m.3 views

News Portal Hardcoding Vulnerability

News Portal is a news portal. News Portal has a hard-coded vulnerability that stems from the use of a fixed encryption key for the handling of the SECRETKEY parameter in the file /onps/settings.py. An attacker could exploit this vulnerability to obtain sensitive system information...

8.1CVSS5.2AI score0.00379EPSS
Exploits1References1
EUVD
EUVD
added 2025/10/15 3:30 p.m.6 views

EUVD-2025-34618

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account...

9.4CVSS6.5AI score0.00445EPSS
Exploits1References2
OSV
OSV
added 2025/10/15 3:16 p.m.4 views

CVE-2025-56749

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account...

9.4CVSS5.7AI score0.00445EPSS
Exploits1References1
NVD
NVD
added 2025/10/15 3:16 p.m.3 views

CVE-2025-56749

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account...

9.4CVSS0.00445EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2025/10/15 12:0 a.m.2 views

CVE-2025-56749

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account...

6.7AI score0.00445EPSS
Exploits1References1
CVE
CVE
added 2025/10/15 12:0 a.m.12 views

CVE-2025-56749

The CVE-2025-56749 issue affects Creativeitem Academy LMS up to version 6.14, where a hardcoded default JWT secret allows forging valid tokens, enabling authentication bypass and unauthorized access to user accounts. Multiple connected sources corroborate the vulnerability across NVD, Red Hat, EN...

9.4CVSS6.7AI score0.00445EPSS
Exploits1References1Affected Software1
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2018-5755

Malware in sbrugna...

7.5CVSS7.8AI score0.01383EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2017-16550

Malware in sbrugna...

7.5CVSS6.5AI score0.01458EPSS
Exploits1References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-54777

Malicious code in bioql PyPI...

9CVSS9.2AI score0.00554EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2025-14597

Malicious code in bioql PyPI...

9.8CVSS6.6AI score0.003EPSS
Exploits1References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.17 views

EUVD-2025-23514

Malicious code in bioql PyPI...

9CVSS9.2AI score0.00622EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2022-0108

Malicious code in bioql PyPI...

8.8CVSS8.6AI score0.01035EPSS
Exploits1References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2025-12378

Malicious code in bioql PyPI...

3.4CVSS6.6AI score0.00194EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2022-3880

Malicious code in bioql PyPI...

5CVSS6.5AI score0.01244EPSS
Exploits0References9
RedhatCVE
RedhatCVE
added 2025/09/20 9:13 p.m.15 views

CVE-2025-54807

The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the signing key can bypass authentication, gaining complete access to the system...

9.8CVSS7.1AI score0.0068EPSS
Exploits0References1
Rows per page
Query Builder