Search

Find a vulnerability

Search criteria

    6 vulnerabilities by getmaxun

    CVE-2026-56767 (GCVE-0-2026-56767)

    Vulnerability from nvd – Published: 2026-06-25 18:03 – Updated: 2026-06-25 20:28 X_Open Source
    VLAI
    Title
    Maxun < 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers
    Summary
    Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    getmaxun maxun Affected: 0 , < 0.0.42 (semver)
    Unaffected: 0.0.42 (semver)
    Create a notification for this product.
    Date Public
    2026-06-04 00:00
    Credits
    George Chen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56767",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T20:27:10.895773Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T20:28:18.697Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "maxun",
              "repo": "https://github.com/getmaxun/maxun",
              "vendor": "getmaxun",
              "versions": [
                {
                  "lessThan": "0.0.42",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "0.0.42",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "George Chen"
            }
          ],
          "datePublic": "2026-06-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users\u0027 robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users\u0027 robots by bypassing ownership checks in API endpoints."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T18:03:33.720Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Issue",
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/getmaxun/maxun/issues/1079"
            },
            {
              "name": "Pull Request",
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/getmaxun/maxun/pull/1088"
            },
            {
              "name": "Patch Commit",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/getmaxun/maxun/commit/11db0257531f1c23dec94727793c9444ee2873cf"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/maxun-cross-tenant-idor-in-storage-and-webhook-api-handlers"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "Maxun \u003c 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-56767",
        "datePublished": "2026-06-25T18:03:33.720Z",
        "dateReserved": "2026-06-22T21:55:17.942Z",
        "dateUpdated": "2026-06-25T20:28:18.697Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15106 (GCVE-0-2025-15106)

    Vulnerability from nvd – Published: 2025-12-27 10:32 – Updated: 2025-12-29 15:56
    VLAI
    Title
    getmaxun Authentication Endpoint auth.ts router.get improper authorization
    Summary
    A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.338477 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.338477 signaturepermissions-required
    https://vuldb.com/?submit.710268 third-party-advisory
    https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc7… exploit
    Impacted products
    Vendor Product Version
    getmaxun maxun Affected: 0.0.1
    Affected: 0.0.2
    Affected: 0.0.3
    Affected: 0.0.4
    Affected: 0.0.5
    Affected: 0.0.6
    Affected: 0.0.7
    Affected: 0.0.8
    Affected: 0.0.9
    Affected: 0.0.10
    Affected: 0.0.11
    Affected: 0.0.12
    Affected: 0.0.13
    Affected: 0.0.14
    Affected: 0.0.15
    Affected: 0.0.16
    Affected: 0.0.17
    Affected: 0.0.18
    Affected: 0.0.19
    Affected: 0.0.20
    Affected: 0.0.21
    Affected: 0.0.22
    Affected: 0.0.23
    Affected: 0.0.24
    Affected: 0.0.25
    Affected: 0.0.26
    Affected: 0.0.27
    Affected: 0.0.28
    Create a notification for this product.
    Credits
    28Hus (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15106",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-29T15:56:07.291523Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-29T15:56:17.889Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Authentication Endpoint"
              ],
              "product": "maxun",
              "vendor": "getmaxun",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.0.1"
                },
                {
                  "status": "affected",
                  "version": "0.0.2"
                },
                {
                  "status": "affected",
                  "version": "0.0.3"
                },
                {
                  "status": "affected",
                  "version": "0.0.4"
                },
                {
                  "status": "affected",
                  "version": "0.0.5"
                },
                {
                  "status": "affected",
                  "version": "0.0.6"
                },
                {
                  "status": "affected",
                  "version": "0.0.7"
                },
                {
                  "status": "affected",
                  "version": "0.0.8"
                },
                {
                  "status": "affected",
                  "version": "0.0.9"
                },
                {
                  "status": "affected",
                  "version": "0.0.10"
                },
                {
                  "status": "affected",
                  "version": "0.0.11"
                },
                {
                  "status": "affected",
                  "version": "0.0.12"
                },
                {
                  "status": "affected",
                  "version": "0.0.13"
                },
                {
                  "status": "affected",
                  "version": "0.0.14"
                },
                {
                  "status": "affected",
                  "version": "0.0.15"
                },
                {
                  "status": "affected",
                  "version": "0.0.16"
                },
                {
                  "status": "affected",
                  "version": "0.0.17"
                },
                {
                  "status": "affected",
                  "version": "0.0.18"
                },
                {
                  "status": "affected",
                  "version": "0.0.19"
                },
                {
                  "status": "affected",
                  "version": "0.0.20"
                },
                {
                  "status": "affected",
                  "version": "0.0.21"
                },
                {
                  "status": "affected",
                  "version": "0.0.22"
                },
                {
                  "status": "affected",
                  "version": "0.0.23"
                },
                {
                  "status": "affected",
                  "version": "0.0.24"
                },
                {
                  "status": "affected",
                  "version": "0.0.25"
                },
                {
                  "status": "affected",
                  "version": "0.0.26"
                },
                {
                  "status": "affected",
                  "version": "0.0.27"
                },
                {
                  "status": "affected",
                  "version": "0.0.28"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "28Hus (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-27T10:32:05.218Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-338477 | getmaxun Authentication Endpoint auth.ts router.get improper authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.338477"
            },
            {
              "name": "VDB-338477 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.338477"
            },
            {
              "name": "Submit #710268 | https://github.com/getmaxun https://github.com/getmaxun/maxun  \u2264 v0.0.28 Authentication Bypass Issues",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.710268"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc72cb49ffe9a22b"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-12-26T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-12-26T19:16:07.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "getmaxun Authentication Endpoint auth.ts router.get improper authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15106",
        "datePublished": "2025-12-27T10:32:05.218Z",
        "dateReserved": "2025-12-26T18:10:58.997Z",
        "dateUpdated": "2025-12-29T15:56:17.889Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15105 (GCVE-0-2025-15105)

    Vulnerability from nvd – Published: 2025-12-27 09:02 – Updated: 2025-12-29 15:55
    VLAI
    Title
    getmaxun auth.ts hard-coded key
    Summary
    A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    • CWE-320 - Key Management Error
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.338476 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.338476 signaturepermissions-required
    https://vuldb.com/?submit.710256 third-party-advisory
    https://gist.github.com/H2u8s/40be31987e52fc81076… exploit
    Impacted products
    Vendor Product Version
    getmaxun maxun Affected: 0.0.1
    Affected: 0.0.2
    Affected: 0.0.3
    Affected: 0.0.4
    Affected: 0.0.5
    Affected: 0.0.6
    Affected: 0.0.7
    Affected: 0.0.8
    Affected: 0.0.9
    Affected: 0.0.10
    Affected: 0.0.11
    Affected: 0.0.12
    Affected: 0.0.13
    Affected: 0.0.14
    Affected: 0.0.15
    Affected: 0.0.16
    Affected: 0.0.17
    Affected: 0.0.18
    Affected: 0.0.19
    Affected: 0.0.20
    Affected: 0.0.21
    Affected: 0.0.22
    Affected: 0.0.23
    Affected: 0.0.24
    Affected: 0.0.25
    Affected: 0.0.26
    Affected: 0.0.27
    Affected: 0.0.28
    Create a notification for this product.
    Credits
    28Hus (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15105",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-29T15:54:53.991053Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-29T15:55:05.915Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "maxun",
              "vendor": "getmaxun",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.0.1"
                },
                {
                  "status": "affected",
                  "version": "0.0.2"
                },
                {
                  "status": "affected",
                  "version": "0.0.3"
                },
                {
                  "status": "affected",
                  "version": "0.0.4"
                },
                {
                  "status": "affected",
                  "version": "0.0.5"
                },
                {
                  "status": "affected",
                  "version": "0.0.6"
                },
                {
                  "status": "affected",
                  "version": "0.0.7"
                },
                {
                  "status": "affected",
                  "version": "0.0.8"
                },
                {
                  "status": "affected",
                  "version": "0.0.9"
                },
                {
                  "status": "affected",
                  "version": "0.0.10"
                },
                {
                  "status": "affected",
                  "version": "0.0.11"
                },
                {
                  "status": "affected",
                  "version": "0.0.12"
                },
                {
                  "status": "affected",
                  "version": "0.0.13"
                },
                {
                  "status": "affected",
                  "version": "0.0.14"
                },
                {
                  "status": "affected",
                  "version": "0.0.15"
                },
                {
                  "status": "affected",
                  "version": "0.0.16"
                },
                {
                  "status": "affected",
                  "version": "0.0.17"
                },
                {
                  "status": "affected",
                  "version": "0.0.18"
                },
                {
                  "status": "affected",
                  "version": "0.0.19"
                },
                {
                  "status": "affected",
                  "version": "0.0.20"
                },
                {
                  "status": "affected",
                  "version": "0.0.21"
                },
                {
                  "status": "affected",
                  "version": "0.0.22"
                },
                {
                  "status": "affected",
                  "version": "0.0.23"
                },
                {
                  "status": "affected",
                  "version": "0.0.24"
                },
                {
                  "status": "affected",
                  "version": "0.0.25"
                },
                {
                  "status": "affected",
                  "version": "0.0.26"
                },
                {
                  "status": "affected",
                  "version": "0.0.27"
                },
                {
                  "status": "affected",
                  "version": "0.0.28"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "28Hus (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key\r . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.6,
                "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-320",
                  "description": "Key Management Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-27T09:02:06.124Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-338476 | getmaxun auth.ts hard-coded key",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.338476"
            },
            {
              "name": "VDB-338476 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.338476"
            },
            {
              "name": "Submit #710256 | https://github.com/getmaxun https://github.com/getmaxun/maxun  \u2264 v0.0.28 Authentication Bypass by Primary Weakness",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.710256"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-12-26T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-12-26T19:16:05.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "getmaxun auth.ts hard-coded key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15105",
        "datePublished": "2025-12-27T09:02:06.124Z",
        "dateReserved": "2025-12-26T18:10:50.723Z",
        "dateUpdated": "2025-12-29T15:55:05.915Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56767 (GCVE-0-2026-56767)

    Vulnerability from cvelistv5 – Published: 2026-06-25 18:03 – Updated: 2026-06-25 20:28 X_Open Source
    VLAI
    Title
    Maxun < 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers
    Summary
    Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    getmaxun maxun Affected: 0 , < 0.0.42 (semver)
    Unaffected: 0.0.42 (semver)
    Create a notification for this product.
    Date Public
    2026-06-04 00:00
    Credits
    George Chen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56767",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T20:27:10.895773Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T20:28:18.697Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "maxun",
              "repo": "https://github.com/getmaxun/maxun",
              "vendor": "getmaxun",
              "versions": [
                {
                  "lessThan": "0.0.42",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "0.0.42",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "George Chen"
            }
          ],
          "datePublic": "2026-06-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users\u0027 robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users\u0027 robots by bypassing ownership checks in API endpoints."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T18:03:33.720Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Issue",
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/getmaxun/maxun/issues/1079"
            },
            {
              "name": "Pull Request",
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/getmaxun/maxun/pull/1088"
            },
            {
              "name": "Patch Commit",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/getmaxun/maxun/commit/11db0257531f1c23dec94727793c9444ee2873cf"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/maxun-cross-tenant-idor-in-storage-and-webhook-api-handlers"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "Maxun \u003c 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-56767",
        "datePublished": "2026-06-25T18:03:33.720Z",
        "dateReserved": "2026-06-22T21:55:17.942Z",
        "dateUpdated": "2026-06-25T20:28:18.697Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15106 (GCVE-0-2025-15106)

    Vulnerability from cvelistv5 – Published: 2025-12-27 10:32 – Updated: 2025-12-29 15:56
    VLAI
    Title
    getmaxun Authentication Endpoint auth.ts router.get improper authorization
    Summary
    A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.338477 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.338477 signaturepermissions-required
    https://vuldb.com/?submit.710268 third-party-advisory
    https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc7… exploit
    Impacted products
    Vendor Product Version
    getmaxun maxun Affected: 0.0.1
    Affected: 0.0.2
    Affected: 0.0.3
    Affected: 0.0.4
    Affected: 0.0.5
    Affected: 0.0.6
    Affected: 0.0.7
    Affected: 0.0.8
    Affected: 0.0.9
    Affected: 0.0.10
    Affected: 0.0.11
    Affected: 0.0.12
    Affected: 0.0.13
    Affected: 0.0.14
    Affected: 0.0.15
    Affected: 0.0.16
    Affected: 0.0.17
    Affected: 0.0.18
    Affected: 0.0.19
    Affected: 0.0.20
    Affected: 0.0.21
    Affected: 0.0.22
    Affected: 0.0.23
    Affected: 0.0.24
    Affected: 0.0.25
    Affected: 0.0.26
    Affected: 0.0.27
    Affected: 0.0.28
    Create a notification for this product.
    Credits
    28Hus (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15106",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-29T15:56:07.291523Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-29T15:56:17.889Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Authentication Endpoint"
              ],
              "product": "maxun",
              "vendor": "getmaxun",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.0.1"
                },
                {
                  "status": "affected",
                  "version": "0.0.2"
                },
                {
                  "status": "affected",
                  "version": "0.0.3"
                },
                {
                  "status": "affected",
                  "version": "0.0.4"
                },
                {
                  "status": "affected",
                  "version": "0.0.5"
                },
                {
                  "status": "affected",
                  "version": "0.0.6"
                },
                {
                  "status": "affected",
                  "version": "0.0.7"
                },
                {
                  "status": "affected",
                  "version": "0.0.8"
                },
                {
                  "status": "affected",
                  "version": "0.0.9"
                },
                {
                  "status": "affected",
                  "version": "0.0.10"
                },
                {
                  "status": "affected",
                  "version": "0.0.11"
                },
                {
                  "status": "affected",
                  "version": "0.0.12"
                },
                {
                  "status": "affected",
                  "version": "0.0.13"
                },
                {
                  "status": "affected",
                  "version": "0.0.14"
                },
                {
                  "status": "affected",
                  "version": "0.0.15"
                },
                {
                  "status": "affected",
                  "version": "0.0.16"
                },
                {
                  "status": "affected",
                  "version": "0.0.17"
                },
                {
                  "status": "affected",
                  "version": "0.0.18"
                },
                {
                  "status": "affected",
                  "version": "0.0.19"
                },
                {
                  "status": "affected",
                  "version": "0.0.20"
                },
                {
                  "status": "affected",
                  "version": "0.0.21"
                },
                {
                  "status": "affected",
                  "version": "0.0.22"
                },
                {
                  "status": "affected",
                  "version": "0.0.23"
                },
                {
                  "status": "affected",
                  "version": "0.0.24"
                },
                {
                  "status": "affected",
                  "version": "0.0.25"
                },
                {
                  "status": "affected",
                  "version": "0.0.26"
                },
                {
                  "status": "affected",
                  "version": "0.0.27"
                },
                {
                  "status": "affected",
                  "version": "0.0.28"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "28Hus (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-27T10:32:05.218Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-338477 | getmaxun Authentication Endpoint auth.ts router.get improper authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.338477"
            },
            {
              "name": "VDB-338477 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.338477"
            },
            {
              "name": "Submit #710268 | https://github.com/getmaxun https://github.com/getmaxun/maxun  \u2264 v0.0.28 Authentication Bypass Issues",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.710268"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc72cb49ffe9a22b"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-12-26T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-12-26T19:16:07.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "getmaxun Authentication Endpoint auth.ts router.get improper authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15106",
        "datePublished": "2025-12-27T10:32:05.218Z",
        "dateReserved": "2025-12-26T18:10:58.997Z",
        "dateUpdated": "2025-12-29T15:56:17.889Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15105 (GCVE-0-2025-15105)

    Vulnerability from cvelistv5 – Published: 2025-12-27 09:02 – Updated: 2025-12-29 15:55
    VLAI
    Title
    getmaxun auth.ts hard-coded key
    Summary
    A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    • CWE-320 - Key Management Error
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.338476 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.338476 signaturepermissions-required
    https://vuldb.com/?submit.710256 third-party-advisory
    https://gist.github.com/H2u8s/40be31987e52fc81076… exploit
    Impacted products
    Vendor Product Version
    getmaxun maxun Affected: 0.0.1
    Affected: 0.0.2
    Affected: 0.0.3
    Affected: 0.0.4
    Affected: 0.0.5
    Affected: 0.0.6
    Affected: 0.0.7
    Affected: 0.0.8
    Affected: 0.0.9
    Affected: 0.0.10
    Affected: 0.0.11
    Affected: 0.0.12
    Affected: 0.0.13
    Affected: 0.0.14
    Affected: 0.0.15
    Affected: 0.0.16
    Affected: 0.0.17
    Affected: 0.0.18
    Affected: 0.0.19
    Affected: 0.0.20
    Affected: 0.0.21
    Affected: 0.0.22
    Affected: 0.0.23
    Affected: 0.0.24
    Affected: 0.0.25
    Affected: 0.0.26
    Affected: 0.0.27
    Affected: 0.0.28
    Create a notification for this product.
    Credits
    28Hus (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15105",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-29T15:54:53.991053Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-29T15:55:05.915Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "maxun",
              "vendor": "getmaxun",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.0.1"
                },
                {
                  "status": "affected",
                  "version": "0.0.2"
                },
                {
                  "status": "affected",
                  "version": "0.0.3"
                },
                {
                  "status": "affected",
                  "version": "0.0.4"
                },
                {
                  "status": "affected",
                  "version": "0.0.5"
                },
                {
                  "status": "affected",
                  "version": "0.0.6"
                },
                {
                  "status": "affected",
                  "version": "0.0.7"
                },
                {
                  "status": "affected",
                  "version": "0.0.8"
                },
                {
                  "status": "affected",
                  "version": "0.0.9"
                },
                {
                  "status": "affected",
                  "version": "0.0.10"
                },
                {
                  "status": "affected",
                  "version": "0.0.11"
                },
                {
                  "status": "affected",
                  "version": "0.0.12"
                },
                {
                  "status": "affected",
                  "version": "0.0.13"
                },
                {
                  "status": "affected",
                  "version": "0.0.14"
                },
                {
                  "status": "affected",
                  "version": "0.0.15"
                },
                {
                  "status": "affected",
                  "version": "0.0.16"
                },
                {
                  "status": "affected",
                  "version": "0.0.17"
                },
                {
                  "status": "affected",
                  "version": "0.0.18"
                },
                {
                  "status": "affected",
                  "version": "0.0.19"
                },
                {
                  "status": "affected",
                  "version": "0.0.20"
                },
                {
                  "status": "affected",
                  "version": "0.0.21"
                },
                {
                  "status": "affected",
                  "version": "0.0.22"
                },
                {
                  "status": "affected",
                  "version": "0.0.23"
                },
                {
                  "status": "affected",
                  "version": "0.0.24"
                },
                {
                  "status": "affected",
                  "version": "0.0.25"
                },
                {
                  "status": "affected",
                  "version": "0.0.26"
                },
                {
                  "status": "affected",
                  "version": "0.0.27"
                },
                {
                  "status": "affected",
                  "version": "0.0.28"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "28Hus (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key\r . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.6,
                "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-320",
                  "description": "Key Management Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-27T09:02:06.124Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-338476 | getmaxun auth.ts hard-coded key",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.338476"
            },
            {
              "name": "VDB-338476 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.338476"
            },
            {
              "name": "Submit #710256 | https://github.com/getmaxun https://github.com/getmaxun/maxun  \u2264 v0.0.28 Authentication Bypass by Primary Weakness",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.710256"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-12-26T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-12-26T19:16:05.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "getmaxun auth.ts hard-coded key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15105",
        "datePublished": "2025-12-27T09:02:06.124Z",
        "dateReserved": "2025-12-26T18:10:50.723Z",
        "dateUpdated": "2025-12-29T15:55:05.915Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }