CWE-321
Use of Hard-coded Cryptographic Key
The product uses a hard-coded, unchangeable cryptographic key.
CVE-2026-3963 (GCVE-0-2026-3963)
Vulnerability from cvelistv5 – Published: 2026-03-11 23:02 – Updated: 2026-03-12 13:35
VLAI
Title
perfree go-fastdfs-web Apache Shiro RememberMe ShiroConfig.java rememberMeManager hard-coded key
Summary
A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key
. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.350392 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.350392 | signaturepermissions-required |
| https://vuldb.com/?submit.768282 | third-party-advisory |
| https://www.notion.so/go-fastdfs-web-Hardcoded-Ap… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| perfree | go-fastdfs-web |
Affected:
1.3.0
Affected: 1.3.1 Affected: 1.3.2 Affected: 1.3.3 Affected: 1.3.4 Affected: 1.3.5 Affected: 1.3.6 Affected: 1.3.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3963",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T13:35:04.604852Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T13:35:12.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Apache Shiro RememberMe"
],
"product": "go-fastdfs-web",
"vendor": "perfree",
"versions": [
{
"status": "affected",
"version": "1.3.0"
},
{
"status": "affected",
"version": "1.3.1"
},
{
"status": "affected",
"version": "1.3.2"
},
{
"status": "affected",
"version": "1.3.3"
},
{
"status": "affected",
"version": "1.3.4"
},
{
"status": "affected",
"version": "1.3.5"
},
{
"status": "affected",
"version": "1.3.6"
},
{
"status": "affected",
"version": "1.3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "din4 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key\r . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T23:02:08.333Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-350392 | perfree go-fastdfs-web Apache Shiro RememberMe ShiroConfig.java rememberMeManager hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.350392"
},
{
"name": "VDB-350392 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.350392"
},
{
"name": "Submit #768282 | perfree go-fastdfs-web \u22641.3.7 Hardcoded Apache Shiro Cipher Key",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.768282"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/go-fastdfs-web-Hardcoded-Apache-Shiro-Cipher-Key-reach-RCE-313ea92a3c41806fae44dffe53e69751"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-11T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-11T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-11T14:03:54.000Z",
"value": "VulDB entry last update"
}
],
"title": "perfree go-fastdfs-web Apache Shiro RememberMe ShiroConfig.java rememberMeManager hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3963",
"datePublished": "2026-03-11T23:02:08.333Z",
"dateReserved": "2026-03-11T12:58:50.832Z",
"dateUpdated": "2026-03-12T13:35:12.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39810 (GCVE-0-2026-39810)
Vulnerability from cvelistv5 – Published: 2026-04-14 15:38 – Updated: 2026-04-14 17:41
VLAI
Summary
A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow attacker to information disclosure via decrypting database dump.
Severity
CWE
- CWE-321 - Information disclosure
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Fortinet | FortiClientEMS |
Affected:
7.4.3 , ≤ 7.4.5
(semver)
Affected: 7.4.0 , ≤ 7.4.1 (semver) cpe:2.3:a:fortinet:forticlientems:7.4.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientems:7.4.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientems:7.4.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientems:7.4.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientems:7.4.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39810",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T16:25:24.721264Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:46:15.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:fortinet:forticlientems:7.4.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientems:7.4.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientems:7.4.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientems:7.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientems:7.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiClientEMS",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "7.4.5",
"status": "affected",
"version": "7.4.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.4.1",
"status": "affected",
"version": "7.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow attacker to information disclosure via decrypting database dump."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Information disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T17:41:54.082Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-107",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-107"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to FortiClientEMS version 7.4.6 or above"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2026-39810",
"datePublished": "2026-04-14T15:38:21.194Z",
"dateReserved": "2026-04-07T15:24:09.072Z",
"dateUpdated": "2026-04-14T17:41:54.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42518 (GCVE-0-2026-42518)
Vulnerability from cvelistv5 – Published: 2026-04-29 08:37 – Updated: 2026-04-29 12:02
VLAI
Title
Information Disclosure Vulnerability in e-Sushrut HMIS
Summary
This vulnerability exists in e-Sushrut due to disclosure of sensitive information and hardcoded AES encryption keys in client-side JavaScript. An unauthenticated remote attacker could exploit this vulnerability by accessing the client-side code to extract sensitive information and cryptographic keys.
Successful exploitation of this vulnerability could lead to exposure of sensitive data and compromise of cryptographic protections on the targeted system.
Severity
CWE
- CWE-321 - Use of hard-coded cryptographic key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cert-in.org.in/s2cMainServlet?pageid=… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CDAC-Noida | e-Sushrut, Hospital Management Information System (HMIS) |
Affected:
Previous versions
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42518",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T12:02:47.874493Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T12:02:59.352Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "e-Sushrut, Hospital Management Information System (HMIS)",
"vendor": "CDAC-Noida",
"versions": [
{
"status": "affected",
"version": "Previous versions",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cdac-noida:e-sushrut_hospital_management_information_system_hmis_:previous_versions:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability is reported by Harsh Verma"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in e-Sushrut due to disclosure of sensitive information and hardcoded AES encryption keys in client-side JavaScript. An unauthenticated remote attacker could exploit this vulnerability by accessing the client-side code to extract sensitive information and cryptographic keys.\n\u003cbr\u003eSuccessful exploitation of this vulnerability could lead to exposure of sensitive data and compromise of cryptographic protections on the targeted system.\u0026nbsp;\u003cbr\u003e"
}
],
"value": "This vulnerability exists in e-Sushrut due to disclosure of sensitive information and hardcoded AES encryption keys in client-side JavaScript. An unauthenticated remote attacker could exploit this vulnerability by accessing the client-side code to extract sensitive information and cryptographic keys.\n\nSuccessful exploitation of this vulnerability could lead to exposure of sensitive data and compromise of cryptographic protections on the targeted system."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of hard-coded cryptographic key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T08:37:32.944Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2026-0207"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Contact C-DAC for upgrading e-Sushrut HMIS to latest version"
}
],
"value": "Contact C-DAC for upgrading e-Sushrut HMIS to latest version"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information Disclosure Vulnerability in e-Sushrut HMIS",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2026-42518",
"datePublished": "2026-04-29T08:37:32.944Z",
"dateReserved": "2026-04-28T08:14:36.620Z",
"dateUpdated": "2026-04-29T12:02:59.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44278 (GCVE-0-2026-44278)
Vulnerability from cvelistv5 – Published: 2026-05-12 16:54 – Updated: 2026-05-14 15:28
VLAI
Summary
A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.2, FortiClientWindows 7.2 all versions may allow attacker to information disclosure via <insert attack vector here>
Severity
CWE
- CWE-321 - Information disclosure
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Fortinet | FortiClientWindows |
Affected:
7.4.0 , ≤ 7.4.2
(semver)
Affected: 7.2.0 , ≤ 7.2.14 (semver) cpe:2.3:a:fortinet:forticlientwindows:7.4.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.4.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.4.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.14:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.13:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.12:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.11:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.10:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.9:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.8:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.7:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:forticlientwindows:7.2.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44278",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T18:59:50.445107Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:02:43.679Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:fortinet:forticlientwindows:7.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.14:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.13:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.12:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.11:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.10:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.9:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.8:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:forticlientwindows:7.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiClientWindows",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "7.4.2",
"status": "affected",
"version": "7.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.2.14",
"status": "affected",
"version": "7.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.2, FortiClientWindows 7.2 all versions may allow attacker to information disclosure via \u003cinsert attack vector here\u003e"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Information disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:28:56.927Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-129",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-129"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to FortiClientWindows version 7.4.3 or above"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2026-44278",
"datePublished": "2026-05-12T16:54:09.226Z",
"dateReserved": "2026-05-05T17:24:17.727Z",
"dateUpdated": "2026-05-14T15:28:56.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4477 (GCVE-0-2026-4477)
Vulnerability from cvelistv5 – Published: 2026-03-20 07:02 – Updated: 2026-03-20 15:45
VLAI
Title
Yi Technology YI Home Camera WPA/WPS hard-coded key
Summary
A vulnerability was determined in Yi Technology YI Home Camera 2 2.1.1_20171024151200. This affects an unknown function of the component WPA/WPS. Executing a manipulation can lead to use of hard-coded cryptographic key
. The attack can only be done within the local network. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351767 | vdb-entry |
| https://vuldb.com/?ctiid.351767 | signaturepermissions-required |
| https://vuldb.com/?submit.773095 | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Yi Technology | YI Home Camera |
Affected:
2 2.1.1_20171024151200
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T15:45:22.880805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T15:45:32.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"WPA/WPS"
],
"product": "YI Home Camera",
"vendor": "Yi Technology",
"versions": [
{
"status": "affected",
"version": "2 2.1.1_20171024151200"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0rbitingZer0 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Yi Technology YI Home Camera 2 2.1.1_20171024151200. This affects an unknown function of the component WPA/WPS. Executing a manipulation can lead to use of hard-coded cryptographic key\r . The attack can only be done within the local network. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.8,
"vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T07:02:10.470Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351767 | Yi Technology YI Home Camera WPA/WPS hard-coded key",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.351767"
},
{
"name": "VDB-351767 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351767"
},
{
"name": "Submit #773095 | yitechnology YI Home Camera 2 2.1.1_20171024151200 Hardcoded WPA/WPS",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.773095"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-19T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-19T21:51:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "Yi Technology YI Home Camera WPA/WPS hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4477",
"datePublished": "2026-03-20T07:02:10.470Z",
"dateReserved": "2026-03-19T20:46:27.311Z",
"dateUpdated": "2026-03-20T15:45:32.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4588 (GCVE-0-2026-4588)
Vulnerability from cvelistv5 – Published: 2026-03-23 12:46 – Updated: 2026-03-25 14:06
VLAI
Title
kalcaddle kodbox Site-level API key shareOut.class.php shareSafeGroup hard-coded key
Summary
A vulnerability was determined in kalcaddle kodbox 1.64. Impacted is the function shareSafeGroup of the file /workspace/source-code/app/controller/explorer/shareOut.class.php of the component Site-level API key Handler. This manipulation of the argument sk causes use of hard-coded cryptographic key
. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.352424 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.352424 | signaturepermissions-required |
| https://vuldb.com/?submit.775464 | third-party-advisory |
| https://vulnplus-note.wetolink.com/share/rM8GdIOvQZrw | broken-linkexploit |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4588",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T14:06:02.288408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T14:06:30.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Site-level API key Handler"
],
"product": "kodbox",
"vendor": "kalcaddle",
"versions": [
{
"status": "affected",
"version": "1.64"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "vulnplusbot (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in kalcaddle kodbox 1.64. Impacted is the function shareSafeGroup of the file /workspace/source-code/app/controller/explorer/shareOut.class.php of the component Site-level API key Handler. This manipulation of the argument sk causes use of hard-coded cryptographic key\r . The attack may be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T12:46:51.056Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-352424 | kalcaddle kodbox Site-level API key shareOut.class.php shareSafeGroup hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.352424"
},
{
"name": "VDB-352424 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.352424"
},
{
"name": "Submit #775464 | Kodbox 1.64 Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.775464"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://vulnplus-note.wetolink.com/share/rM8GdIOvQZrw"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-22T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-22T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-22T12:45:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "kalcaddle kodbox Site-level API key shareOut.class.php shareSafeGroup hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4588",
"datePublished": "2026-03-23T12:46:51.056Z",
"dateReserved": "2026-03-22T11:40:12.546Z",
"dateUpdated": "2026-03-25T14:06:30.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5310 (GCVE-0-2026-5310)
Vulnerability from cvelistv5 – Published: 2026-04-01 16:30 – Updated: 2026-04-01 17:54
VLAI
Title
Enter Software Iperius Backup IperiusAccounts.ini hard-coded key
Summary
A vulnerability was identified in Enter Software Iperius Backup up to 8.7.2. This impacts an unknown function of the file IperiusAccounts.ini. Such manipulation leads to use of hard-coded cryptographic key
. The attack must be carried out locally. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is publicly available and might be used. Upgrading to version 8.7.4 will fix this issue. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/354639 | vdb-entry |
| https://vuldb.com/vuln/354639/cti | signaturepermissions-required |
| https://vuldb.com/submit/778602 | third-party-advisory |
| https://github.com/VulnaraByte/iperius-backup-sec… | related |
| https://github.com/VulnaraByte/iperius-backup-sec… | exploit |
| https://www.iperiusbackup.com/download-software-b… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Enter Software | Iperius Backup |
Affected:
8.7.0
Affected: 8.7.1 Affected: 8.7.2 Unaffected: 8.7.4 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5310",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T17:52:04.996671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T17:54:16.358Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Iperius Backup",
"vendor": "Enter Software",
"versions": [
{
"status": "affected",
"version": "8.7.0"
},
{
"status": "affected",
"version": "8.7.1"
},
{
"status": "affected",
"version": "8.7.2"
},
{
"status": "unaffected",
"version": "8.7.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "VulnaraByte (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Enter Software Iperius Backup up to 8.7.2. This impacts an unknown function of the file IperiusAccounts.ini. Such manipulation leads to use of hard-coded cryptographic key\r . The attack must be carried out locally. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is publicly available and might be used. Upgrading to version 8.7.4 will fix this issue. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1,
"vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:30:21.522Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354639 | Enter Software Iperius Backup IperiusAccounts.ini hard-coded key",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/354639"
},
{
"name": "VDB-354639 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354639/cti"
},
{
"name": "Submit #778602 | Iperius Iperius Backup \u003c= 8.7.2 Use of Hard-coded Cryptographic Key",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/778602"
},
{
"tags": [
"related"
],
"url": "https://github.com/VulnaraByte/iperius-backup-security-advisories"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/VulnaraByte/iperius-backup-security-advisories/blob/main/poc/decrypt_iperius.py"
},
{
"tags": [
"patch"
],
"url": "https://www.iperiusbackup.com/download-software-backup.aspx"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-01T14:07:14.000Z",
"value": "VulDB entry last update"
}
],
"title": "Enter Software Iperius Backup IperiusAccounts.ini hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5310",
"datePublished": "2026-04-01T16:30:21.522Z",
"dateReserved": "2026-04-01T12:02:06.531Z",
"dateUpdated": "2026-04-01T17:54:16.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5420 (GCVE-0-2026-5420)
Vulnerability from cvelistv5 – Published: 2026-04-02 19:00 – Updated: 2026-04-03 15:56
VLAI
Title
Shinrays Games Goods Triple App cats.goods.sort.sorting.games jRwTX.java hard-coded key
Summary
A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AES_IV/AES_PASSWORD results in use of hard-coded cryptographic key
. Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/354856 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/354856/cti | signaturepermissions-required |
| https://vuldb.com/submit/781740 | third-party-advisory |
| https://www.notion.so/Exposed-Cryptographic-Key-a… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Shinrays Games | Goods Triple App |
Affected:
1
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5420",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T15:46:39.316826Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T15:56:29.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"cats.goods.sort.sorting.games"
],
"product": "Goods Triple App",
"vendor": "Shinrays Games",
"versions": [
{
"status": "affected",
"version": "1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AES_IV/AES_PASSWORD results in use of hard-coded cryptographic key\r . Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1,
"vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T19:00:17.487Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354856 | Shinrays Games Goods Triple App cats.goods.sort.sorting.games jRwTX.java hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354856"
},
{
"name": "VDB-354856 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354856/cti"
},
{
"name": "Submit #781740 | Shinrays Games Goods Triple - Cat Goods Sort(cats.goods.sort.sorting.games) 1.200 Exposed Cryptographic Key and IV",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/781740"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/Exposed-Cryptographic-Key-and-IV-in-cats-goods-sort-sorting-games-3262de3f97fb801499ebc3dfd56e232e?source=copy_link"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-02T13:51:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "Shinrays Games Goods Triple App cats.goods.sort.sorting.games jRwTX.java hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5420",
"datePublished": "2026-04-02T19:00:17.487Z",
"dateReserved": "2026-04-02T11:46:41.200Z",
"dateUpdated": "2026-04-03T15:56:29.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5426 (GCVE-0-2026-5426)
Vulnerability from cvelistv5 – Published: 2026-04-16 15:18 – Updated: 2026-04-18 02:31
VLAI
Title
KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value
Summary
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks
Severity
7.5 (High)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mandiant/Vulnerability-Disclos… | third-party-advisory |
| https://www.digital-knowledge.co.jp/product/kd/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Digital Knowledge | KnowledgeDeliver |
Affected:
0 , < 20260224
(date)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-18T02:30:29.158302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T02:31:32.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "KnowledgeDeliver",
"vendor": "Digital Knowledge",
"versions": [
{
"lessThan": "20260224",
"status": "affected",
"version": "0",
"versionType": "date"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks"
}
],
"value": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks"
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of hard-coded cryptographic key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of untrusted data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T15:22:20.823Z",
"orgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
"shortName": "Mandiant"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md"
},
{
"tags": [
"product"
],
"url": "https://www.digital-knowledge.co.jp/product/kd/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
"assignerShortName": "Mandiant",
"cveId": "CVE-2026-5426",
"datePublished": "2026-04-16T15:18:46.224Z",
"dateReserved": "2026-04-02T14:20:13.588Z",
"dateUpdated": "2026-04-18T02:31:32.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5452 (GCVE-0-2026-5452)
Vulnerability from cvelistv5 – Published: 2026-04-03 02:45 – Updated: 2026-04-03 14:45
VLAI
Title
UCC CampusConnect App campusconnect.ucc BuildConfig.java hard-coded key
Summary
A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android. This vulnerability affects unknown code of the file campusconnect/BuildConfig.java of the component campusconnect.ucc. This manipulation causes use of hard-coded cryptographic key
. The attack can only be executed locally. The exploit has been published and may be used.
Severity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/355040 | vdb-entry |
| https://vuldb.com/vuln/355040/cti | signaturepermissions-required |
| https://vuldb.com/submit/781757 | third-party-advisory |
| https://www.notion.so/Uploadcare-Private-Key-Expo… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| UCC | CampusConnect App |
Affected:
14.3.0
Affected: 14.3.1 Affected: 14.3.2 Affected: 14.3.3 Affected: 14.3.4 Affected: 14.3.5 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5452",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T14:45:03.299154Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T14:45:11.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"campusconnect.ucc"
],
"product": "CampusConnect App",
"vendor": "UCC",
"versions": [
{
"status": "affected",
"version": "14.3.0"
},
{
"status": "affected",
"version": "14.3.1"
},
{
"status": "affected",
"version": "14.3.2"
},
{
"status": "affected",
"version": "14.3.3"
},
{
"status": "affected",
"version": "14.3.4"
},
{
"status": "affected",
"version": "14.3.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android. This vulnerability affects unknown code of the file campusconnect/BuildConfig.java of the component campusconnect.ucc. This manipulation causes use of hard-coded cryptographic key\r . The attack can only be executed locally. The exploit has been published and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T02:45:09.544Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-355040 | UCC CampusConnect App campusconnect.ucc BuildConfig.java hard-coded key",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/355040"
},
{
"name": "VDB-355040 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/355040/cti"
},
{
"name": "Submit #781757 | CampusConnect\u2122 UCC CampusConnect(campusconnect.ucc) 14.3.5 Uploadcare Private Key Exposure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/781757"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/Uploadcare-Private-Key-Exposure-Leading-to-Unauthorized-File-Operations-and-Potential-RCE-in-campusc-3262de3f97fb8057bc67ec4320672d99?source=copy_link"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-03T00:13:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "UCC CampusConnect App campusconnect.ucc BuildConfig.java hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5452",
"datePublished": "2026-04-03T02:45:09.544Z",
"dateReserved": "2026-04-02T22:08:50.188Z",
"dateUpdated": "2026-04-03T14:45:11.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Prevention schemes mirror that of hard-coded password storage.
No CAPEC attack patterns related to this CWE.