EUVD-2026-18546
GHSA-fw24-mh6x-62vp
Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AES_IV/AES_PASSWORD results in use of hard-coded cryptographic key . Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Hard-coded cryptographic keys in Shinrays Games Goods Triple App up to version 1.200 allow local authenticated users to decrypt sensitive data by manipulating AES_IV and AES_PASSWORD parameters in the jRwTX.java component. The vulnerability requires local access and elevated privileges but has low complexity once exploited; publicly available exploit code exists and the vendor has not responded to disclosure attempts.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Vulnerability AssessmentAI
| Risk Assessment | Despite the CVSS 2.0 score indicating minimal severity, this vulnerability presents a meaningful cryptographic compromise signal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local authenticated user with low-privilege access to a system running Goods Triple App 1.200 could intercept or directly access the application's encrypted data storage and, using publicly available exploit code, manipulate the AES_IV and AES_PASSWORD parameters to trigger use of the hard-coded encryption key, thereby decrypting stored sensitive information such as personal or financial data. The high attack complexity suggests successful exploitation requires understanding of the application's internal structure and cryptographic implementation, limiting exploitation to attackers with moderate technical capability or possession of detailed technical documentation. |
| Remediation | No vendor-released patch is identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t
Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof
Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al
Share
External POC / Exploit Code
Leaving vuln.today