Which versions of Djangoblog are affected by CVE-2026-6580?

DjangoBlog versions up to 2.1.0.0 contain hard-coded API credentials in source code that enable attackers to abuse geolocation services at scale without authentication, potentially inflating API…

Is there a public PoC exploit available for CVE-2026-6580?

Yes, a public proof-of-concept exploit is available for CVE-2026-6580. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-6580?

Within 24 hours: Identify all DjangoBlog instances running versions ≤2.1.0.0 using deployment inventory and version scanning; rotate all Amap API keys immediately and monitor API usage for anomalies. Within 7 days: Implement network-level restrictions on Amap API calls (rate limiting, IP whitelisting, request signing); audit logs for unauthorized API access correlating with CVE publication date. Within 30 days: Upgrade to DjangoBlog version >2.1.0.0 if available, or migrate to an alternative blog platform; conduct code review of all hard-coded credentials across codebase.

Djangoblog CVE-2026-6580

Q: What is the CVSS score of CVE-2026-6580?

CVE-2026-6580 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23714 MEDIUM

Use of Hard-coded Cryptographic Key (CWE-321)

2026-04-19 VulDB

GHSA-xf7j-p5gh-45hr

Information Disclosure Djangoblog

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:12 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Severity Changed

Apr 19, 2026 - 23:22 NVD

HIGH MEDIUM

CVSS changed

Apr 19, 2026 - 23:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

Apr 19, 2026 - 22:35 vuln.today

EUVD ID Assigned

Apr 19, 2026 - 22:30 euvd

EUVD-2026-23714

Analysis Generated

Apr 19, 2026 - 22:30 vuln.today

CVE Published

Apr 19, 2026 - 22:15 nvd

MEDIUM 5.5

DescriptionCVE.org

A security vulnerability has been detected in liangliangyy DjangoBlog up to 2.1.0.0. Affected is an unknown function of the file owntracks/views.py of the component Amap API Call Handler. Such manipulation of the argument key leads to use of hard-coded cryptographic key . The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Hard-coded Amap API key exposure in DjangoBlog allows remote attackers to abuse geolocation services without authentication. DjangoBlog versions up to 2.1.0.0 embed a fixed cryptographic key in owntracks/views.py for Amap API calls, enabling unauthorized API usage with low confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Access public GitHub repository

Delivery

Extract hard-coded Amap key from owntracks/views.py

Exploit

Script automated API calls using stolen credential

Execution

Exhaust API quota or harvest geolocation data

Impact

Cause service disruption or privacy breach