64 matches found

Source: RedhatCVE | added 2026/06/05 7:51 p.m. | 8 views
CVE-2025-55449
AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT...
CVSS 7.3 | AI score 5.4 | EPSS 0.00281 | Exploits 2 | References 1

Source: NVD | added 2026/06/01 10:16 p.m. | 14 views
CVE-2026-40965
Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure. The server contains a vulnerability where EC (Elliptic Curve) private keys are inadvertently exposed through the public /token_keys endpoint. This endpoint is designed to provide public key material for JW...
CVSS 10 | EPSS 0.00346 | Exploits 0 | References 1

Source: Vulnrichment | added 2026/06/01 9:22 p.m. | 9 views
CVE-2026-40965
Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure. The server contains a vulnerability where EC (Elliptic Curve) private keys are inadvertently exposed through the public /token_keys endpoint. This endpoint is designed to provide public key material for JW...
CVSS 10 | AI score 5.8 | EPSS 0.00346 | Exploits 0 | References 1

Source: CVE | added 2026/06/01 9:22 p.m. | 62 views
CVE-2026-40965
Cloud Foundry UAA versions v76.12.0–v78.12.0 expose EC private keys via the public /token_keys endpoint, enabling private key disclosure for EC-based JWT signing. Affected components: uaa_release (v76.12.0–v78.12.0) and CF Deployment (v30.0.0–v56.0.0). Root cause: misexposure of EC private key ma...
CVSS 10 | AI score 5.8 | EPSS 0.00346 | Exploits 0 | References 1

Source: Positive Technologies | added 2026/06/01 12:00 a.m. | 20 views
PT-2026-45616
Name of the Vulnerable Software and Affected Versions: Cloud Foundry UAA versions v76.12.0 through v78.12.0; CF Deployment versions v30.0.0 through v56.0.0. Description: Private key exposure occurs when the server inadvertently reveals Elliptic Curve (EC) private keys through the public '/token_keys'...
CVSS 10 | AI score 5.8 | EPSS 0.00346 | Exploits 0 | References 8

Source: OSV | added 2026/05/29 10:42 p.m. | 8 views
GHSA-3QG8-5G3R-79V5: praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset
Summary: Type: Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal "dev-secret-change-me" when PLATFORM_JWT_SECRET is unset. A safety check exists but only fires when PLATFORM_ENV != "dev"; the default value of PLATFORM_ENV is "dev", so the check is silently...
CVSS 9.8 | AI score 6 | EPSS 0.00054 | Exploits 0 | References 2

Source: NVD | added 2026/05/08 7:16 a.m. | 8 views
CVE-2025-55449
AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT...
CVSS 7.3 | EPSS 0.00281 | Exploits 2 | References 2

Source: CVE | added 2026/05/08 12:00 a.m. | 61 views
CVE-2025-55449
AstrBot 3.5.15 is vulnerable to remote code execution via a hardcoded JWT signing key: Advanced_System_for_Text_Response_and_Bot_Operations_Tool. An attacker can forge a valid admin JWT and upload a malicious plugin through /api/plugin/install-upload, leading to arbitrary command execution (e.g.,...
CVSS 7.3 | AI score 5.8 | EPSS 0.00281 | Exploits 2 | References 2 | Affected Software 1

Source: ATTACKERKB | added 2026/05/08 12:00 a.m. | 6 views
CVE-2025-55449
AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT...
AI score 5.8 | EPSS 0.00281 | Exploits 2 | References 3

Source: Positive Technologies | added 2026/05/07 12:00 a.m. | 17 views
PT-2026-38622
Name of the Vulnerable Software and Affected Versions: note-mark (affected versions not specified). Description: The application does not enforce a minimum length or entropy for the JWT SECRET configuration value, accepting any base64-decodable secret regardless of size. In backend/config/utils.go, th...
CVSS 10 | AI score 5.8 | EPSS 0.00124 | Exploits 0 | References 9

Source: OSV | added 2026/04/07 7:16 a.m. | 17 views
PYSEC-2026-170
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...
CVSS 9.8 | AI score 5.8 | EPSS 0.0054 | Exploits 1 | References 2

Source: Github Security Blog | added 2026/04/04 6:14 a.m. | 7 views
LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass
Subject: Security Vulnerability Report: Hardcoded JWT Secret (CVE-2026-30762). Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret. Type: Improper Authentication...
AI score 5.8 | EPSS 0.0012 | Exploits 0 | References 2 | Affected Software 1

Source: NVD | added 2026/03/10 6:18 p.m. | 7 views
CVE-2026-30928
Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all...
CVSS 8.7 | EPSS 0.01657 | Exploits 1 | References 3

Source: CNNVD | added 2026/02/03 12:00 a.m. | 5 views
FUXA security vulnerability
FUXA is a web-based process visualization software developed by frangoteam. Version 1.2.7 of FUXA contains a security vulnerability. This vulnerability stems from the use of hardcoded keys for signing and verifying JWT tokens in the server/api/jwt-helper.js file. This could allow remote attackers...
CVSS 9.8 | AI score 5.8 | EPSS 0.02036 | Exploits 0 | References 1

Source: NVD | added 2026/01/20 8:16 p.m. | 8 views
CVE-2026-0622
Open5GS WebUI uses a hard-coded JWT signing key "change-me" whenever the environment variable JWTSECRETKEY is unset...
CVSS 6.5 | EPSS 0.00408 | Exploits 0 | References 4

Source: RedhatCVE | added 2025/12/11 5:03 a.m. | 9 views
CVE-2025-65730
Authentication Bypass via Hardcoded Credentials: GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication...
CVSS 8.8 | AI score 6.8 | EPSS 0.00495 | Exploits 1 | References 1

Source: Cvelist | added 2025/12/08 6:12 p.m. | 21 views
CVE-2025-14261: Lack of entropy allows registered low-privileged users of Litmus to crack valid JWT tokens and gain admin privileges
The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack...
CVSS 7.1 | EPSS 0.00268 | Exploits 0 | References 2

Source: CVE | added 2025/12/05 12:00 a.m. | 16 views
CVE-2025-65730
GoAway vulnerability CVE-2025-65730 involves an authentication bypass due to a hardcoded secret used to sign JWT tokens. Affected software includes GoAway up to version 0.62.18, with remediation in 0.62.19. The issue arises from the hardcoded signing key, enabling bypass of authentication. Measur...
CVSS 8.8 | AI score 6.5 | EPSS 0.00495 | Exploits 1 | References 9 | Affected Software 1

Source: EUVD | added 2025/10/03 8:07 p.m. | 5 views
EUVD-2024-53586
Malicious code in bioql (PyPI)...
CVSS 7.5 | AI score 6.6 | EPSS 0.00511 | Exploits 1 | References 1

Source: EUVD | added 2025/10/03 8:07 p.m. | 5 views
EUVD-2024-34482
Malicious code in bioql (PyPI)...
CVSS 9.8 | AI score 6.6 | EPSS 0.00523 | Exploits 0 | References 2
