CVE-2026-43828

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

CVE-2026-43828

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

Metasploit Wrap-Up 05/08/2026

Spring cleanup This week’s Metasploit updates focused on foundational improvements and expanded target reach. Key enhancements were made to the recently released Copy Fail exploit module, which now benefits from payload fixes in linux/x64/exec and linux/armle/exec. These changes expand its...

CVE-2026-3963

A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key...

CVE-2026-3963 perfree go-fastdfs-web Apache Shiro RememberMe ShiroConfig.java rememberMeManager hard-coded key

A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key...

go-fastdfs-web 安全漏洞

go-fastdfs-web is a web management platform for a distributed file storage system developed by Perfree’s individual developers. Versions of go-fastdfs-web prior to 1.3.7 contain security vulnerabilities. These vulnerabilities stem from incorrect operations on the rememberMeManager function in the...

PT-2026-24894

A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key...

EUVD-2020-19091

Malware in sbrugna...

aidigu 安全漏洞

aidigu Aidigu is an open source microblogging project by the individual developer SR.Lee lty628. A security vulnerability exists in aidigu 1.8.2 and earlier versions, which stems from a misuse of the parameter rememberMe leading to deserialization...

Symfony has an Authentication Bypass via RememberMe

Description When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. Resolution The PersistentRememberMeHandler class now ensures the submitted username is the...

GHSA-CG23-QF8F-62RR Symfony has an Authentication Bypass via RememberMe

Description When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. Resolution The PersistentRememberMeHandler class now ensures the submitted username is the...

CVE-2024-51996 Symphony has an Authentication Bypass via RememberMe

Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. Th...

RuoYi Cross-Site Scripting Vulnerability

RuoYi is a backend management system by the individual developer of RuoYi in China. A cross-site scripting vulnerability exists in RuoYi version 4.7.8, which stems from a reflected cross-site scripting XSS vulnerability in the parameter rememberMe...

Spring Security 5.8.0-M1 and 6.0.0-M6 are released

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 5.8.0-M1 and 6.0.0-M6 are available now. This release includes dependency upgrades, bug fixes, and enhancements. Here are a few noteworthy changes: Deferred SecurityContext lookup...

CVE-2022-35857

kvf-admin through 2022-02-12 allows remote attackers to execute arbitrary code because deserialization is mishandled. The rememberMe parameter is encrypted with a hardcoded key from the com.kalvin.kvf.common.shiro.ShiroConfig file...

CVE-2022-35857

kvf-admin through 2022-02-12 allows remote attackers to execute arbitrary code because deserialization is mishandled. The rememberMe parameter is encrypted with a hardcoded key from the com.kalvin.kvf.common.shiro.ShiroConfig file...

CVE-2022-35857

kvf-admin through 2022-02-12 allows remote attackers to execute arbitrary code because deserialization is mishandled. The rememberMe parameter is encrypted with a hardcoded key from the com.kalvin.kvf.common.shiro.ShiroConfig file...

PT-2022-22971 · Kvf-Admin · Kvf-Admin

Name of the Vulnerable Software and Affected Versions: kvf-admin through 2022-02-12 Description: The issue allows remote attackers to execute arbitrary code because deserialization is mishandled. The rememberMe parameter is encrypted with a hardcoded key from the...

CVE-2020-19229

Jeesite 1.2.7 uses the apache shiro version 1.2.3 affected by CVE-2016-4437. Because of this version of the java deserialization vulnerability, an attacker could exploit the vulnerability to execute arbitrary commands via the rememberMe parameter...

卓源软件 Jeesite 代码问题漏洞

Zhuo source software Jeesite is China's Zhuo source software company of a set of open source Java EE enterprise-class rapid development platform . The platform includes system permissions components , data permissions components , data dictionary components , core tools components , view...