45 matches found
Use of Hard-coded Credentials
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Use of Hard-coded Credentials due to the use of a weak default value for the secret parameter in session management when the EXPRESSSESSIONSECRET environment variable is not set. An attacker can impersonate...
GHSA-2QQC-P94C-HXWH Flowise: Weak Default Express Session Secret
Detection Method: Kolega.dev Deep Code Scan | Attribute | Value | |---|---| | Location | packages/server/src/enterprise/middleware/passport/index.ts:55 | | Practical Exploitability | High | | Developer Approver | [email protected] | Description Express session secret has a weak default value...
CVE-2025-41258 LibreChat RAG API Authentication Bypass
LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API...
Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret
Summary Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingfacehub.gettoken and stores it...
CVE-2026-27167 Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visi...
CVE-2026-27167 Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visi...
CVE-2026-27167
Gradio, in versions 4.16.0 through 6.5.x, running outside Hugging Face Spaces enables mocked OAuth routes when OAuth components are used. Visiting /login/huggingface causes the server to fetch its HF token via hugggingface_hub.get_token() and store it in the visitor’s session cookie, which is sig...
CVE-2025-68948
SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode ...
CVE-2025-68948 SiYuan: Information Disclosure and Authentication Bypass via Hardcoded Session Secret
SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode ...
CVE-2025-68948 SiYuan: Information Disclosure and Authentication Bypass via Hardcoded Session Secret
SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode ...
CVE-2025-68948
SiYuan Note (pre-3.5.1) stores session data with a hardcoded cryptographic secret, making session encryption ineffective. The AccessAuthCode is kept in the session cookie, so an attacker who obtains or intercepts that cookie can locally decrypt it with the public key, retrieve the code in plain t...
CVE-2025-68948 SiYuan: Information Disclosure and Authentication Bypass via Hardcoded Session Secret
SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode ...
CVE-2025-14651
A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSIONSECRET leads to use of hard-coded cryptographic key . The attack may be initiated remotely. The complexity of an attac...
CVE-2025-14651
A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSIONSECRET leads to use of hard-coded cryptographic key . The attack may be initiated remotely. The complexity of an attac...
CVE-2025-14651
A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSIONSECRET leads to use of hard-coded cryptographic key . The attack may be initiated remotely. The complexity of an attac...
CVE-2025-14651
The CVE concerns MartialBE one-hub up to version 0.14.27. The vulnerability arises from the docker-compose.yml configuration where the SESSION_SECRET is manipulated, leading to use of a hard-coded cryptographic key. Reported as exploitable remotely with high attack complexity, the issue is descri...
CVE-2025-14651 MartialBE one-hub docker-compose.yml hard-coded key
A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSIONSECRET leads to use of hard-coded cryptographic key . The attack may be initiated remotely. The complexity of an attac...
CVE-2025-14651 MartialBE one-hub docker-compose.yml hard-coded key
A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSIONSECRET leads to use of hard-coded cryptographic key . The attack may be initiated remotely. The complexity of an attac...
One Hub 安全漏洞
One Hub is an OpenAI interface management and distribution system for Buer individual developers. A security vulnerability exists in One Hub version 0.14.27 and earlier, which stems from the use of a hard-coded key for the parameter SESSIONSECRET in the docker-compose.yml file, which could lead t...
PT-2025-51155
A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSION SECRET leads to use of hard-coded cryptographic key . The attack may be initiated remotely. The complexity of an atta...