Lucene search
K

11 matches found

EUVD
EUVD
added 2026/04/07 9:31 a.m.3 views

EUVD-2026-19574

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

9.8CVSS7.2AI score0.0054EPSS
Exploits1References3
OSV
OSV
added 2026/04/07 7:16 a.m.18 views

PYSEC-2026-170

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

9.8CVSS5.8AI score0.0054EPSS
Exploits1References2
CVE
CVE
added 2026/04/07 6:19 a.m.18 views

CVE-2026-1114

CVE-2026-1114 affects parisneo/lollms 2.1.0. The issue is an improper access control flaw caused by signing JWTs with a weak secret key, enabling an offline brute‑force to recover the key. With the cracked secret, an attacker can forge administrative tokens, modify the JWT payload, and resigns to...

9.8CVSS7.2AI score0.0054EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.10 views

PT-2026-30796

Name of the Vulnerable Software and Affected Versions parisneo/lollms versions prior to 2.2.0 Description Session management is subject to improper access control because a weak secret key is used for signing JSON Web Tokens JWT. This allows an attacker to conduct an offline brute-force attack to...

9.8CVSS8.6AI score0.0054EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.9 views

PT-2026-29420

Name of the Vulnerable Software and Affected Versions Cloudreve versions prior to 4.13.0 Description Cloudreve is a self-hosted file management and sharing system. Versions prior to 4.13.0 use a weak pseudo-random number generator math/rand seeded with time to generate critical security secrets,...

9.8CVSS6AI score0.00376EPSS
Exploits0References7
Cvelist
Cvelist
added 2025/12/19 9:5 p.m.29 views

CVE-2023-53951 Ever Gauzy v0.281.9 JWT Authentication Weakness via HMAC Secret

Ever Gauzy v0.281.9 contains a JWT authentication vulnerability that allows attackers to exploit weak HMAC secret key implementation. Attackers can leverage the exposed JWT token to authenticate and gain unauthorized access with administrative permissions...

9.8CVSS0.0032EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2024/09/24 12:0 a.m.10 views

Ruby On Rails Weak Secret Key

Ruby On Rails applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the .env file and is used for multiple security-critical operations. When a weak or easily guessable application key is...

7.8AI score
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2024/09/24 12:0 a.m.14 views

Django Weak Secret Key

Django applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the settings.py file and is used for multiple security-critical operations. When a weak or easily guessable application key is...

7.8AI score
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2024/09/24 12:0 a.m.11 views

Laravel Weak Secret Key

Laravel applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the .env file and is used for multiple security-critical operations. When a weak or easily guessable application key is used, it...

7.8AI score
Exploits0References2
Hacker One
Hacker One
added 2022/01/04 6:37 a.m.26 views

Flickr: Critical broken cookie signing on dagobah.flickr.com

In this report it was discovered that we were signing one of our cookies with a weak, static secret key. To fix this, we replaced the aforementioned weak, static key with a more robust and secure system for signing that cookie...

1.7AI score
Exploits0
Hacker One
Hacker One
added 2021/11/01 7:23 a.m.7 views

Kubernetes: elections.k8s.io uses weak session secret key, may place elections at risk

The elections.k8s.io application used a weak Flask SECRETKEY, the string "N/A", to sign authentication cookies. This allowed the complete compromise of the application, as the session could be manipulated...

7AI score
Exploits0
Rows per page
Query Builder