CVE-2026-42869

SOCFortress CoPilot prior to version 0.1.57 ships a hardcoded JWT signing secret as a fallback in backend/app/auth/utils.py:28 and includes it in .env.example. If JWT_SECRET is not explicitly set (including default Docker Compose deployments), tokens are signed with this public value, allowing an...

PT-2026-39734

Name of the Vulnerable Software and Affected Versions SOCFortress CoPilot versions prior to 0.1.57 Description The application contains a hardcoded JSON Web Token JWT signing secret used as a fallback value in the backend/app/auth/utils.py file and the .env.example file. In deployments where the...

GHSA-32CC-X95P-FXCG FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration

Description An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This...

CVE-2025-56749

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account...