Hard-coded cryptographic key in Canias ERP 8.03 JNLP Deployment Endpoint allows unauthenticated remote attackers to obtain sensitive information through manipulation of the affected component. The vulnerability affects the Java Network Launch Protocol deployment mechanism, enabling key discovery and potential decryption of encrypted communications. No vendor patch has been released despite early disclosure notification.
A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Manipulation of the argument default_token leads to use of a hard-coded cryptographic key. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used.
OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. The vulnerability has a low CVSS score of 3.7 due to high attack complexity and limited impact scope, but represents a critical cryptographic design flaw that violates separation-of-concerns principles across security domains.
Yi Technology YI Home Camera 2 (version 2.1.1_20171024151200) contains a hard-coded cryptographic key vulnerability in its WPA/WPS component that allows attackers to disclose sensitive information through local network access. While the exploit has been publicly disclosed and proof-of-concept code is available, the attack requires high complexity and difficult exploitability, limiting real-world risk to local network environments only. The vendor was notified early but provided no response, leaving users without an official patch.
A key management error exists in the XREAL Nebula App (Android) up to version 3.2.1, specifically in the CloudStoragePlugin.java component where accessKey, secretAccessKey, and securityToken arguments are improperly handled. An attacker with local access and moderate privileges can manipulate these credentials to bypass authentication controls, resulting in unauthorized information disclosure. A proof-of-concept has been publicly disclosed, though the vulnerability requires high complexity to exploit and the vendor has not responded to early notification.
A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of a hard-coded cryptographic key. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks.
PandaX JWT Secret Handler uses hard-coded cryptographic keys in the config.yml file, allowing remote attackers to bypass authentication and decrypt sensitive JWT tokens with high attack complexity. The vulnerability affects the product up to commit fb8ff40f7ce5dfebdf66306c6d85625061faf7e5, and although public exploit code exists, the extremely low EPSS score (0.05%) and high attack complexity suggest limited real-world exploitation despite network accessibility.
Actiontech SQLE up to version 4.2511.0 uses a hard-coded cryptographic key in its JWT Secret Handler (sqle/utils/jwt.go), allowing remote attackers with no authentication or user interaction to gain limited information disclosure. The vulnerability results from improper handling of the JWTSecretKey argument, though exploitation is rated as difficult due to high attack complexity. Publicly available exploit code exists, and the vendor has committed to addressing this in an upcoming release.
Use of hard-coded cryptographic keys in getmaxun maxun up to version 0.0.28 allows remote unauthenticated attackers to manipulate the api_key parameter in the authentication route, potentially disclosing sensitive information with high attack complexity. Publicly available exploit code exists, though EPSS scoring (0.07%) and vendor non-responsiveness suggest limited real-world exploitation pressure despite confirmed POC availability.
CouchCMS versions up to 2.4 use hard-coded cryptographic keys in the reCAPTCHA handler configuration, allowing remote attackers with high complexity to conduct information disclosure attacks against the reCAPTCHA mechanism. The vulnerability stems from improper handling of K_RECAPTCHA_SITE_KEY and K_RECAPTCHA_SECRET_KEY parameters in couch/config.example.php, and publicly available exploit code exists, though real-world exploitation probability remains low (EPSS 0.06%).