25 matches found
CVE-2025-59870
HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk...
CVE-2025-59870 Improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk
HCL MyXalytics v6.7 is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk...
CVE-2025-69425
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 GA expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who...
CVE-2025-63314
A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack...
CVE-2025-63314
CVE-2025-63314 affects DDSN Interactive Acora CMS v10.7.1. The password reset function uses a static reset token, enabling an attacker to replay the token and arbitrarily reset user passwords, resulting in a full account takeover. The impact is described as high confidentiality and integrity impa...
CVE-2025-69425
The CVE-2025-69425 entry affects Ruckus vRIoT IoT Controller firmware before 3.0.0.0 (GA). A command execution service on TCP port 2004 runs with root privileges, authenticated by a hardcoded TOTP secret and an embedded static token. Exploitation requires credential extraction from the appliance ...
CVE-2025-69425 Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded Tokens RCE
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 GA expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who...
RustFS gRPC GetMetrics deserialization panic enables remote DoS
Summary A malformed gRPC GetMetrics request causes getmetrics to unwrap failed deserialization of metrictype/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint. Details - Vulnerable code: rustfs/src/storage/tonicservice.rs:1775-1782: - MetricType and...
EUVD-2024-52028
Malicious code in bioql PyPI...
EUVD-2024-48332
Malicious code in bioql PyPI...
CVE-2024-53683
A valid set of credentials in a .js file and a static token for communication were obtained from the decompiled IPA. An attacker could use the information to disrupt normal use of the application by changing the translation files and thus weaken the integrity of normal use...
GHSA-VW58-PH65-6RXP Directus inserts access token from query string into logs
Summary Access token from query string is not redacted and is potentially exposed in system logs which may be persisted. Details The access token in req.query is not redacted when the LOGSTYLE is set to raw. If these logs are not properly sanitized or protected, an attacker with access to it can...
CVE-2024-53683 Ossur Mobile Logic Application Exposure of Sensitive System Information to an Unauthorized Control Sphere
A valid set of credentials in a .js file and a static token for communication were obtained from the decompiled IPA. An attacker could use the information to disrupt normal use of the application by changing the translation files and thus weaken the integrity of normal use...
CVE-2024-53683
CVE-2024-53683 affects the Ossur Mobile Logic Application. Hard-coded/valid credentials in a .js file and a static token found in the decompiled IPA could enable an attacker to disrupt normal use by altering translation files, compromising integrity. Public sources indicate vulnerable versions ex...
PT-2024-10438
Name of the Vulnerable Software and Affected Versions Yeti platform affected versions not specified Description The issue is related to the use of hardcoded credentials. An attacker can exploit this to gain elevated privileges by utilizing a static JWT token. Recommendations At the moment, there ...
CVE-2024-7401
Netskope was notified about a security gap in the Netskope Client enrollment process where NSClient is using a static token “Orgkey” as an authentication parameter. Since this is a static token, if leaked, it cannot be rotated or revoked. A malicious actor can use this token to enroll NSClient from a...
CVE-2024-7401 Client Enrollment Process Bypass
Netskope was notified about a security gap in the Netskope Client enrollment process where NSClient is using a static token “Orgkey” as an authentication parameter. Since this is a static token, if leaked, it cannot be rotated or revoked. A malicious actor can use this token to enroll NSClient from a...