11 matches found
EUVD-2026-19574
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...
PYSEC-2026-170
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...
CVE-2026-1114
CVE-2026-1114 affects parisneo/lollms 2.1.0. The issue is an improper access control flaw caused by signing JWTs with a weak secret key, enabling an offline brute‑force to recover the key. With the cracked secret, an attacker can forge administrative tokens, modify the JWT payload, and resigns to...
PT-2026-30796
Name of the Vulnerable Software and Affected Versions parisneo/lollms versions prior to 2.2.0 Description Session management is subject to improper access control because a weak secret key is used for signing JSON Web Tokens JWT. This allows an attacker to conduct an offline brute-force attack to...
PT-2026-29420
Name of the Vulnerable Software and Affected Versions Cloudreve versions prior to 4.13.0 Description Cloudreve is a self-hosted file management and sharing system. Versions prior to 4.13.0 use a weak pseudo-random number generator math/rand seeded with time to generate critical security secrets,...
CVE-2023-53951 Ever Gauzy v0.281.9 JWT Authentication Weakness via HMAC Secret
Ever Gauzy v0.281.9 contains a JWT authentication vulnerability that allows attackers to exploit weak HMAC secret key implementation. Attackers can leverage the exposed JWT token to authenticate and gain unauthorized access with administrative permissions...
Laravel Weak Secret Key
Laravel applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the .env file and is used for multiple security-critical operations. When a weak or easily guessable application key is used, it...
Ruby On Rails Weak Secret Key
Ruby On Rails applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the .env file and is used for multiple security-critical operations. When a weak or easily guessable application key is...
Django Weak Secret Key
Django applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the settings.py file and is used for multiple security-critical operations. When a weak or easily guessable application key is...
Flickr: Critical broken cookie signing on dagobah.flickr.com
In this report it was discovered that we were signing one of our cookies with a weak, static secret key. To fix this, we replaced the aforementioned weak, static key with a more robust and secure system for signing that cookie...
Kubernetes: elections.k8s.io uses weak session secret key, may place elections at risk
The elections.k8s.io application used a weak Flask SECRETKEY, the string "N/A", to sign authentication cookies. This allowed the complete compromise of the application, as the session could be manipulated...