Skip to main content

CWE-320

Key Management Errors

55 CVEs Avg CVSS 5.2 MITRE
4
CRITICAL
16
HIGH
13
MEDIUM
22
LOW
12
POC
0
KEV

Monthly

CVE-2026-56254 HIGH PATCH This Week

Update-signing bypass in @capgo/capacitor-updater (capgo OTA plugin for Capacitor apps) before 12.128.2 undermines its end-to-end encryption by shipping the same private key to every device that downloads the app. Because the public verification key can be derived from that distributed private key, an attacker with a man-in-the-middle position or control of the Capgo delivery server can forge a validly signed update bundle and push attacker-controlled code to devices. Reported by VulnCheck with a CVSS 4.0 base score of 8.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Capacitor Updater
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-8243 MEDIUM This Month

Hard-coded cryptographic key in Canias ERP 8.03 JNLP Deployment Endpoint allows unauthenticated remote attackers to obtain sensitive information through manipulation of the affected component. The vulnerability affects the Java Network Launch Protocol deployment mechanism, enabling key discovery and potential decryption of encrypted communications. No vendor patch has been released despite early disclosure notification.

Information Disclosure
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-7306 LOW Monitor

A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-32897 npm LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. The vulnerability has a low CVSS score of 3.7 due to high attack complexity and limited impact scope, but represents a critical cryptographic design flaw that violates separation-of-concerns principles across security domains.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-4477 LOW Monitor

Yi Technology YI Home Camera 2 (version 2.1.1_20171024151200) contains a hard-coded cryptographic key vulnerability in its WPA/WPS component that allows attackers to disclose sensitive information through local network access. While the exploit has been publicly disclosed and proof-of-concept code is available, the attack requires high complexity and difficult exploitability, limiting real-world risk to local network environments only. The vendor was notified early but provided no response, leaving users without an official patch.

Information Disclosure
NVD VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-4217 LOW POC Monitor

A key management error exists in the XREAL Nebula App (Android) up to version 3.2.1, specifically in the CloudStoragePlugin.java component where accessKey, secretAccessKey, and securityToken arguments are improperly handled. An attacker with local access and moderate privileges can manipulate these credentials to bypass authentication controls, resulting in unauthorized information disclosure. A proof-of-concept has been publicly disclosed, though the vulnerability requires high complexity to exploit and the vendor has not responded to early notification.

Java Google Information Disclosure
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-3963 LOW Monitor

A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks...

Apache Java Information Disclosure
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2025-15108 LOW Monitor

PandaX JWT Secret Handler uses hard-coded cryptographic keys in the config.yml file, allowing remote attackers to bypass authentication and decrypt sensitive JWT tokens with high attack complexity. The vulnerability affects the product up to commit fb8ff40f7ce5dfebdf66306c6d85625061faf7e5, and although public exploit code exists, the extremely low EPSS score (0.05%) and high attack complexity suggest limited real-world exploitation despite network accessibility.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-15107 Go LOW POC Monitor

Actiontech SQLE up to version 4.2511.0 uses a hard-coded cryptographic key in its JWT Secret Handler (sqle/utils/jwt.go), allowing remote attackers with no authentication or user interaction to gain limited information disclosure. The vulnerability results from improper handling of the JWTSecretKey argument, though exploitation is rated as difficult due to high attack complexity. Publicly available exploit code exists, and the vendor has committed to addressing this in an upcoming release.

Information Disclosure Sqle
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2025-15105 LOW POC Monitor

Use of hard-coded cryptographic keys in getmaxun maxun up to version 0.0.28 allows remote unauthenticated attackers to manipulate the api_key parameter in the authentication route, potentially disclosing sensitive information with high attack complexity. Publicly available exploit code exists, though EPSS scoring (0.07%) and vendor non-responsiveness suggest limited real-world exploitation pressure despite confirmed POC availability.

Information Disclosure Maxun
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Update-signing bypass in @capgo/capacitor-updater (capgo OTA plugin for Capacitor apps) before 12.128.2 undermines its end-to-end encryption by shipping the same private key to every device that downloads the app. Because the public verification key can be derived from that distributed private key, an attacker with a man-in-the-middle position or control of the Capgo delivery server can forge a validly signed update bundle and push attacker-controlled code to devices. Reported by VulnCheck with a CVSS 4.0 base score of 8.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Capacitor Updater
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Hard-coded cryptographic key in Canias ERP 8.03 JNLP Deployment Endpoint allows unauthenticated remote attackers to obtain sensitive information through manipulation of the affected component. The vulnerability affects the Java Network Launch Protocol deployment mechanism, enabling key discovery and potential decryption of encrypted communications. No vendor patch has been released despite early disclosure notification.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 2.9
LOW Monitor

A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used.

Information Disclosure Java
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. The vulnerability has a low CVSS score of 3.7 due to high attack complexity and limited impact scope, but represents a critical cryptographic design flaw that violates separation-of-concerns principles across security domains.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW Monitor

Yi Technology YI Home Camera 2 (version 2.1.1_20171024151200) contains a hard-coded cryptographic key vulnerability in its WPA/WPS component that allows attackers to disclose sensitive information through local network access. While the exploit has been publicly disclosed and proof-of-concept code is available, the attack requires high complexity and difficult exploitability, limiting real-world risk to local network environments only. The vendor was notified early but provided no response, leaving users without an official patch.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 1.1
LOW POC Monitor

A key management error exists in the XREAL Nebula App (Android) up to version 3.2.1, specifically in the CloudStoragePlugin.java component where accessKey, secretAccessKey, and securityToken arguments are improperly handled. An attacker with local access and moderate privileges can manipulate these credentials to bypass authentication controls, resulting in unauthorized information disclosure. A proof-of-concept has been publicly disclosed, though the vulnerability requires high complexity to exploit and the vendor has not responded to early notification.

Java Google Information Disclosure
NVD VulDB
EPSS 0% CVSS 2.9
LOW Monitor

A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks...

Apache Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 2.9
LOW Monitor

PandaX JWT Secret Handler uses hard-coded cryptographic keys in the config.yml file, allowing remote attackers to bypass authentication and decrypt sensitive JWT tokens with high attack complexity. The vulnerability affects the product up to commit fb8ff40f7ce5dfebdf66306c6d85625061faf7e5, and although public exploit code exists, the extremely low EPSS score (0.05%) and high attack complexity suggest limited real-world exploitation despite network accessibility.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

Actiontech SQLE up to version 4.2511.0 uses a hard-coded cryptographic key in its JWT Secret Handler (sqle/utils/jwt.go), allowing remote attackers with no authentication or user interaction to gain limited information disclosure. The vulnerability results from improper handling of the JWTSecretKey argument, though exploitation is rated as difficult due to high attack complexity. Publicly available exploit code exists, and the vendor has committed to addressing this in an upcoming release.

Information Disclosure Sqle
NVD GitHub VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

Use of hard-coded cryptographic keys in getmaxun maxun up to version 0.0.28 allows remote unauthenticated attackers to manipulate the api_key parameter in the authentication route, potentially disclosing sensitive information with high attack complexity. Publicly available exploit code exists, though EPSS scoring (0.07%) and vendor non-responsiveness suggest limited real-world exploitation pressure despite confirmed POC availability.

Information Disclosure Maxun
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy