Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A security flaw has been discovered in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component Setting Handler. The manipulation of the argument SECRET_KEY results in hard-coded credentials. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Liangliangyy DjangoBlog up to version 2.1.0.0 contains hard-coded credentials in the SECRET_KEY parameter within djangoblog/settings.py, allowing remote unauthenticated attackers to bypass authentication and encrypt/decrypt sensitive session data. The vulnerability has been publicly disclosed with exploit code available on GitHub, though the vendor did not respond to early disclosure notification. With a CVSS score of 5.6 and AC:H rating, practical exploitation requires moderate technical effort but affects confidentiality, integrity, and availability.
Technical ContextAI
DjangoBlog is a Django-based blogging platform that relies on Django's SECRET_KEY setting, a cryptographic key used to sign session cookies, CSRF tokens, and other security-sensitive data. The vulnerability stems from CWE-798 (Use of Hard-coded Credentials), where the SECRET_KEY is not properly randomized or protected during application deployment. When an attacker obtains or reconstructs the hard-coded SECRET_KEY from djangoblog/settings.py, they can forge valid session tokens, bypass CSRF protections, and manipulate signed data structures. This breaks the fundamental trust mechanism Django uses to protect authenticated sessions. The affected component is the Setting Handler that processes configuration in djangoblog/settings.py across all versions up to 2.1.0.0.
RemediationAI
Immediately regenerate and randomize the SECRET_KEY in djangoblog/settings.py to a cryptographically strong, unique value (Django provides a key generation utility via django-admin shell or the django.core.management.utils.get_random_secret_key() function). This should be environment-specific and never committed to version control; use environment variables or secure configuration management (e.g., .env files excluded from Git, or HashiCorp Vault). Upgrade DjangoBlog to a patched version once the vendor releases one; the provided references do not confirm a fix version, so contact the vendor or monitor the GitHub repository at https://github.com/liangliangyy/DjangoBlog for updates. As a compensating control pending a vendor patch, isolate DjangoBlog instances behind authentication proxies or VPNs to restrict network access, and scan production deployments for exposed settings files or source code disclosure via directory traversal, backup archives, or Git repositories left accessible. Invalidate all existing sessions after rotating the SECRET_KEY by flushing the session store to prevent attackers from using pre-generated tokens. Optionally, implement additional session hardening via Django's SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY, and SESSION_COOKIE_SAMESITE settings.
More in Djangoblog
View allDjangoBlog up to version 2.1.0.0 contains an authentication bypass vulnerability in the blog/views.py Clean Endpoint tha
Missing authentication in DjangoBlog 2.1.0.0 and prior allows remote unauthenticated attackers to inject GPS tracking da
Hard-coded Amap API key exposure in DjangoBlog allows remote attackers to abuse geolocation services without authenticat
Cross-site Scripting (XSS) - Stored in GitHub repository liangliangyy/djangoblog prior to master. Rated medium severity
DjangoBlog up to version 2.1.0.0 contains hard-coded credentials in djangoblog/settings.py that can be exploited remotel
Command injection in DjangoBlog WeChat Bot Interface allows authenticated remote attackers to execute arbitrary system c
Improper authorization in liangliangyy DjangoBlog versions up to 2.1.0.0 allows authenticated remote attackers to manipu
DjangoBlog versions up to 2.1.0.0 use a hard-coded cryptographic key in djangoblog/settings.py when the SECRET_KEY argum
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23710
GHSA-jf35-jg3h-pwmh