Severity by source
CVSS vector (NVD): CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability has been found in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file djangoblog/settings.py of the component Setting Handler. Such manipulation of the argument USER/PASSWORD leads to hard-coded credentials. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
DjangoBlog up to version 2.1.0.0 ships database credentials (the USER and PASSWORD entries) as string literals in djangoblog/settings.py. The weakness is not in any request handler; it is that a secret lives in a configuration file that is committed, forked, copied into backups and served alongside ordinary source. Anyone who obtains the file can authenticate to the backend database directly, bypassing the application's own authentication, provided the database port is reachable from where they sit. Because the values are part of the project's source, an operator who deployed the shipped settings.py unchanged is using the same credentials as every other such deployment, so the attacker does not even need that operator's copy of the file. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker needs the contents of djangoblog/settings.py, or knowledge of the shipped USER/PASSWORD values, and network reachability to the database those values unlock. The file becomes available through any of: (1) source exposure via a public or leaked version-control repository (GitHub, GitLab, mirrors), including forks that kept the literals; (2) a misconfigured web server that serves source files through directory listing or path traversal (e.g., Apache serving /app/djangoblog/settings.py); (3) backups or archives (.zip, .tar.gz) left in web-reachable locations; (4) an unrelated information-disclosure bug or breach; (5) filesystem access from a prior compromise or an insider. Limiting factor: if the database listens only on localhost or a private network, the leaked credentials are useful only after another foothold, which is why the vector carries AC:H. … |
| Risk Assessment | Despite the moderate CVSS 6.3 score, this vulnerability represents significant real-world risk for deployed DjangoBlog instances: a database credential bypasses every control the application enforces, and a value that has shipped in public source should be treated as already known to attackers. … |
| Exploit Scenario | An attacker performs reconnaissance and finds a public GitHub repository or a misconfigured web server exposing the DjangoBlog source, including settings.py. The attacker reads the USER and PASSWORD literals from djangoblog/settings.py and, if the database port is reachable, connects to the backend database directly with a standard client, bypassing the application's authentication layer and gaining read and write access to every table, including user accounts. … |
| Remediation | Replace the literal USER/PASSWORD values in djangoblog/settings.py with values read from the process environment or a secrets manager (python-dotenv for local development, HashiCorp Vault, AWS Secrets Manager) and make startup fail if they are absent. Moving the values is not sufficient on its own: rotate the database credentials, since the old ones are in the project's history, and confirm the database is not reachable from untrusted networks. Add a pre-commit or CI check that rejects string literals under those keys so the pattern does not return. … |
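As an added example (not DjangoBlog's code: the two settings fragments below are constructed to show the pattern, and the DJANGO_DB_* environment variable names are an assumption), here is the weak configuration beside the hardened one, together with a small AST-based check a reviewer or CI job can run over a settings.py to confirm no USER/PASSWORD literal remains:

```python
"""Hard-coded DB credentials in a Django settings module: detect them, and load them from the environment instead.

Constructed example. The settings text below is illustrative and is not DjangoBlog's actual settings.py;
the DJANGO_DB_* variable names are assumptions.
"""
import ast
import os

# Constructed sample of the weak pattern: credentials as string literals in settings.py.
WEAK_SETTINGS_SRC = '''
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.mysql",
        "NAME": "djangoblog",
        "USER": "blogadmin",
        "PASSWORD": "s3cret-literal",
        "HOST": "127.0.0.1",
        "PORT": 3306,
    }
}
'''

# Constructed sample of the hardened pattern: the same keys, but values come from the environment.
SAFE_SETTINGS_SRC = '''
import os
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.mysql",
        "NAME": os.environ["DJANGO_DB_NAME"],
        "USER": os.environ["DJANGO_DB_USER"],
        "PASSWORD": os.environ["DJANGO_DB_PASSWORD"],
        "HOST": os.environ.get("DJANGO_DB_HOST", "127.0.0.1"),
        "PORT": int(os.environ.get("DJANGO_DB_PORT", "3306")),
    }
}
'''

SENSITIVE_KEYS = {"USER", "PASSWORD"}
REQUIRED_ENV = ("DJANGO_DB_NAME", "DJANGO_DB_USER", "DJANGO_DB_PASSWORD")


def find_hardcoded_db_credentials(source):
    """Return (key, value, line) for each USER/PASSWORD entry inside DATABASES whose value is a string literal.

    Works on the syntax tree, so os.environ[...] lookups and other expressions are not flagged,
    while any plain string (including an empty one, which means no authentication) is.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "DATABASES" for t in node.targets):
            continue
        # Walk every dict nested under DATABASES (outer alias dict and inner per-alias dicts).
        for inner in ast.walk(node.value):
            if not isinstance(inner, ast.Dict):
                continue
            for key, value in zip(inner.keys, inner.values):
                if (isinstance(key, ast.Constant) and key.value in SENSITIVE_KEYS
                        and isinstance(value, ast.Constant) and isinstance(value.value, str)):
                    findings.append((key.value, value.value, value.lineno))
    return findings


def db_settings_from_env(env):
    """Build DATABASES['default'] from an environment mapping, failing closed if any secret is missing."""
    missing = [name for name in REQUIRED_ENV if not env.get(name)]
    if missing:
        # Refuse to start rather than fall back to a default credential.
        raise RuntimeError("missing required database settings: " + ", ".join(missing))
    return {
        "ENGINE": "django.db.backends.mysql",
        "NAME": env["DJANGO_DB_NAME"],
        "USER": env["DJANGO_DB_USER"],
        "PASSWORD": env["DJANGO_DB_PASSWORD"],
        "HOST": env.get("DJANGO_DB_HOST", "127.0.0.1"),
        "PORT": int(env.get("DJANGO_DB_PORT", "3306")),
    }


if __name__ == "__main__":
    for label, src in (("weak", WEAK_SETTINGS_SRC), ("safe", SAFE_SETTINGS_SRC)):
        print(label, find_hardcoded_db_credentials(src))
    try:
        db_settings_from_env(os.environ)
    except RuntimeError as exc:
        print("startup refused:", exc)
```

Run the scanner against a real checkout with `find_hardcoded_db_credentials(open("djangoblog/settings.py").read())`; an empty list is the condition to gate a commit or a CI job on. The loader deliberately raises on a missing variable instead of substituting a default, because a silent fallback is how a hard-coded credential gets reintroduced.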
Related identifiers: EUVD-2026-23783, GHSA-gccw-6jq7-5553