Skip to main content

OneBlog CVE-2026-51937

| EUVDEUVD-2026-42158 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-07-07 mitre GHSA-mmvx-rq8p-h6g9
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network endpoint (AV:N/AC:L/PR:N/UI:N) leaks high-value secrets giving C:H; no direct integrity/availability impact, and Scope kept Unchanged conservatively despite downstream WeChat-account risk.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 08, 2026 - 15:25 vuln.today
CVSS changed
Jul 08, 2026 - 15:22 NVD
7.5 (HIGH)
CVE Published
Jul 07, 2026 - 00:00 cve.org
HIGH 7.5
CVE Published
Jul 07, 2026 - 00:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

An issue in Oneblog V2.3.9 allows a remote attacker to obtain sensitive information via the RestApiController.java, JsApiTicketComponent.java, and the GetAccessTokenComponent.java component

AnalysisAI

Sensitive information disclosure in OneBlog V2.3.9 lets remote unauthenticated attackers retrieve WeChat Official Account secrets - the access_token and jsapi_ticket - through unprotected REST endpoints backed by RestApiController.java, JsApiTicketComponent.java, and GetAccessTokenComponent.java. Because these credentials grant control over the linked WeChat public account, disclosure enables account takeover of the integration rather than just data leakage. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed OneBlog instance
Delivery
Send unauthenticated request to REST endpoint
Exploit
Receive access_token and jsapi_ticket
Execution
Call WeChat APIs with stolen token
Impact
Hijack official account operations

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run OneBlog V2.3.9 with the WeChat Official Account integration configured and active (valid appid/secret so GetAccessTokenComponent and JsApiTicketComponent actually return live tokens), and that the RestApiController endpoints be network-reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) is internally consistent with the description: a network-reachable endpoint requiring no privileges or user interaction, yielding high confidentiality impact and no integrity/availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a public OneBlog V2.3.9 instance and sends an unauthenticated HTTP GET to the WeChat REST endpoint, which returns the account's access_token and jsapi_ticket. Using the stolen access_token, the attacker then invokes WeChat Official Account APIs to impersonate the account, push messages, or scrape user data. …
Remediation No vendor-released patch version is identified at time of analysis; tracking is via the upstream issue https://github.com/zhangyd-c/OneBlog/issues/43, so monitor that issue and the OneBlog repository for a fixed release and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all OneBlog V2.3.9 deployments in production; immediately rotate WeChat access_token and jsapi_ticket credentials; restrict network access to exposed RestApiController endpoints via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-51937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy