CVE-2025-15603 open-webui JWT Key start_windows.bat random values
A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack...
CVE-2025-15603
The CVE affects open-webui up to 0.6.16, specifically the JWT Key Handler’s file backend/start_windows.bat. Manipulating the WEBUI_SECRET_KEY can produce insufficiently random values, enabling a remote attack. Exploitability is rated high complexity with no authentication required; impact shown a...
CVE-2023-25403
CleverStupidDog yf-exam v1.8.0 is vulnerable to Authentication Bypass. The program uses a fixed JWT key, and the stored key uses username-format characters. For any user who logged in within 24 hours, a token can be forged with that username to bypass authentication...
CVE-2022-42980
go-admin aka GO Admin 2.0.12 uses the string go-admin as a production JWT key...
Insecure Defaults
Overview: ingenious is an enterprise-grade Python library for quickly setting up APIs to interact with AI Agents. Affected versions of this package are vulnerable to Insecure Defaults in the form of a hardcoded fallback JWT key in jwt.py, which may be used under certain circumstances if one is n...
EUVD-2023-29358
Malicious code in bioql PyPI...
EUVD-2022-46029
Malicious code in bioql PyPI...
EUVD-2023-31327
Malicious code in bioql PyPI...
CVE-2025-45765
CVE-2025-45765 concerns ruby-jwt v3.0.0.beta1, which is reported to contain weak encryption due to lack of enforced minimum key sizes. The Supplier’s note indicates keysize enforcement is not within the library itself, while newer OpenSSL versions enforce key size restrictions that may affect use...
PT-2025-27551 · Onelogin · Onelogin Ad Connector
Name of the Vulnerable Software and Affected Versions: OneLogin AD Connector versions prior to 6.1.5 Description: A cryptographic authentication bypass issue exists due to the exposure of a tenant’s SSO JWT signing key via the "/api/adc/v4/configuration" endpoint. An attacker with the signing key...
One Identity OneLogin AD Connector Security Vulnerability
One Identity OneLogin AD Connector is a connector software from One Identity USA. A security vulnerability exists in One Identity OneLogin AD Connector versions prior to 6.1.5, which stems from a JWT signing key disclosure leading to an authentication bypass...
CVE-2024-46612
IceCMS v3.4.7 and before was discovered to contain a hardcoded JWT key, allowing an attacker to forge JWT authentication information...
CVE-2024-48952
An issue was discovered in Logpoint before 7.5.0. SOAR uses a static JWT secret key to generate tokens that allow access to SOAR API endpoints without authentication. This static key vulnerability enables attackers to create custom JWT secret keys for unauthorized access to these endpoints...
CVE-2023-48396
Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affect...
IBM Sterling Partner Engagement Manager Improper Key Storage Vulnerability
IBM Sterling Partner Engagement Manager is an automated management tool from International Business Machines (IBM). IBM Sterling Partner Engagement Manager suffers from an improper key storage vulnerability that stems from improper JWT key storage. An attacker could exploit the vulnerability to cau...
CVE-2025-31123
CVE-2025-31123 — Zitadel (open-source identity infrastructure) : A vulnerability exists where Zitadel fails to properly check the expiration date of the JWT key when used for Authorization Grants. An attacker with an expired key can obtain valid access tokens, while the JWT Profile for OAuth 2.0 ...
PT-2025-13821 · Zitadel · Zitadel
Name of the Vulnerable Software and Affected Versions: Zitadel versions prior to 2.63.9 Zitadel versions prior to 2.64.6 Zitadel versions prior to 2.65.7 Zitadel versions prior to 2.66.16 Zitadel versions prior to 2.67.13 Zitadel versions prior to 2.68.9 Zitadel versions prior to 2.69.9 Zitadel...
VulnCheck KEV: CVE-2024-36111
KubePi is a K8s panel. Starting in version 1.6.3 and prior to version 1.8.0, there is a defect in the KubePi JWT token verification. The JWT key in the default configuration file is empty. Although a random 32-bit string will be generated to overwrite the key in the configuration file when the...