Lucene search
K

24 matches found

NVD
NVD
added 2026/06/24 1:16 p.m.11 views

CVE-2026-56269

Flowise before 3.1.0 npm package flowise, versions 3.0.13 and earlier uses a weak hardcoded default value 'Secre$t' for the TOKENHASHSECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key...

4.6CVSS0.00093EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/24 11:53 a.m.4 views

CVE-2026-56269

Flowise before 3.1.0 npm package flowise, versions 3.0.13 and earlier uses a weak hardcoded default value 'Secre$t' for the TOKENHASHSECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key...

4.6CVSS5.8AI score0.00093EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/24 11:53 a.m.8 views

EUVD-2026-38746

Flowise before 3.1.0 npm package flowise, versions 3.0.13 and earlier uses a weak hardcoded default value 'Secre$t' for the TOKENHASHSECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key...

4.6CVSS5.8AI score0.00093EPSS
Exploits0References2
OSV
OSV
added 2026/06/24 11:53 a.m.4 views

CVE-2026-56269 Flowise - Weak Default Token Hash Secret in JWT Token Encryption

Flowise before 3.1.0 npm package flowise, versions 3.0.13 and earlier uses a weak hardcoded default value 'Secre$t' for the TOKENHASHSECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key...

4.2CVSS6.2AI score0.00093EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/16 12:0 a.m.16 views

PT-2026-51774

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.0 Description The software uses a weak hardcoded default value 'Secre$t' for the TOKEN HASH SECRET environment variable in the packages/server/src/enterprise/utils/tempTokenUtils.ts file when the variable is not...

5.6CVSS6.2AI score0.00093EPSS
Exploits0References9
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.4 views

CVE-2026-32897

OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to...

6.3CVSS5.8AI score0.00262EPSS
Exploits0References1
OSV
OSV
added 2026/03/21 3:31 a.m.5 views

GHSA-8MR2-F9WF-HCFQ Duplicate Advisory: OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v6x2-2qvm-6gv8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscati...

3.7CVSS5.7AI score0.00262EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.7 views

Duplicate Advisory: OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v6x2-2qvm-6gv8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscati...

6.3CVSS5.7AI score0.00262EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/03/21 1:17 a.m.7 views

CVE-2026-32897

OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to...

6.3CVSS0.00262EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/21 12:42 a.m.28 views

CVE-2026-32897 OpenClaw < 2026.2.22 - Authentication Token Reuse in Owner ID Prompt Hashing Fallback

OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to...

6.3CVSS0.00262EPSS
Exploits0References3
CVE
CVE
added 2026/03/21 12:42 a.m.22 views

CVE-2026-32897

OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset. This allows attackers with access to system prompts sent to third-party model providers to de...

6.3CVSS5.8AI score0.00262EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/21 12:42 a.m.5 views

CVE-2026-32897 OpenClaw < 2026.2.22 - Authentication Token Reuse in Owner ID Prompt Hashing Fallback

OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to...

6.3CVSS6AI score0.00262EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/03 12:0 a.m.5 views

PT-2026-26746

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.22 Description The software reuses the gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset. This...

6.3CVSS5.8AI score0.00262EPSS
Exploits0References11
OSV
OSV
added 2026/01/22 1:42 a.m.7 views

CVE-2026-23958 DataEase Vulnerable to Brute-Force Attack on Admin JWT Secret Derived from Password that Enables Full Account Takeover

Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin’s password by exploiting unmonitored API endpoints...

9.3CVSS5.5AI score0.00475EPSS
Exploits1References4
OSV
OSV
added 2025/12/05 6:15 p.m.5 views

CVE-2025-34256

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote...

9.8CVSS6.1AI score0.00604EPSS
Exploits0References3
OSV
OSV
added 2022/05/02 3:18 a.m.3 views

GHSA-JG55-3Q6H-2CCF Typo3 Backend XSS Vulnerability

An Information Disclosure vulnerability in jumpUrl mechanism, used to track access on web pages and provided files, allows a remote attacker to read arbitrary files on a host. The expected value of a mandatory hash secret, intended to invalidate such requests, is exposed to remote users allowing...

4.3CVSS6AI score0.01056EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2022/05/02 3:18 a.m.11 views

TYPO3 leaks a hash secret in an error message

The jumpUrl mechanism in class.tslibfe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret juHash in an error message, which allows remote attackers to read arbitrary files by including the hash in a request...

5CVSS7.2AI score0.42227EPSS
Exploits3References6Affected Software1
OSV
OSV
added 2022/05/02 3:18 a.m.7 views

GHSA-C22J-84C7-CM77 TYPO3 leaks a hash secret in an error message

The jumpUrl mechanism in class.tslibfe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret juHash in an error message, which allows remote attackers to read arbitrary files by including the hash in a request...

6.9CVSS6.4AI score0.42227EPSS
Exploits3References6
NVD
NVD
added 2009/03/05 2:30 a.m.30 views

CVE-2009-0815

The jumpUrl mechanism in class.tslibfe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret juHash in an error message, which allows remote attackers to read arbitrary files by including the hash in a request...

5CVSS6.5AI score0.42227EPSS
Exploits3References4
Cvelist
Cvelist
added 2009/03/05 2:0 a.m.37 views

CVE-2009-0815

The jumpUrl mechanism in class.tslibfe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret juHash in an error message, which allows remote attackers to read arbitrary files by including the hash in a request...

6.4AI score0.42227EPSS
Exploits3References4
Rows per page
Query Builder