In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Java
Privilege Escalation
Apache
Airsonic
NVD
GitHub
CVSS 3.0
9.8
EPSS
1.6%
Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Java
Information Disclosure
Airsonic
NVD
GitHub
CVSS 3.0
9.8
EPSS
0.9%