Skip to main content

Djangoblog EUVD-2026-23787

| CVE-2026-6611 LOW
Use of Hard-coded Cryptographic Key (CWE-321)
2026-04-20 VulDB GHSA-hq9j-qh3w-qvg3
File Upload Djangoblog
1.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

7
CVSS changed
Apr 29, 2026 - 01:12 NVD
2.3 (LOW) 1.3 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Analysis Generated
Apr 20, 2026 - 07:26 vuln.today
CVSS changed
Apr 20, 2026 - 07:22 NVD
3.1 (LOW) 2.3 (LOW)
EUVD ID Assigned
Apr 20, 2026 - 07:15 euvd
EUVD-2026-23787
Analysis Generated
Apr 20, 2026 - 07:15 vuln.today
CVE Published
Apr 20, 2026 - 06:00 nvd
LOW 1.3

DescriptionCVE.org

A vulnerability was found in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component File Upload Endpoint. Performing a manipulation of the argument SECRET_KEY results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

DjangoBlog versions up to 2.1.0.0 use a hard-coded cryptographic key in djangoblog/settings.py when the SECRET_KEY argument is manipulated during file upload operations, allowing remote attackers with user interaction to obtain sensitive information. The attack requires high complexity and user participation, resulting in a low confidentiality impact (CVSS 2.3). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious file upload request
Delivery
Manipulate SECRET_KEY parameter
Exploit
Submit form via social engineering
Execution
Trigger hard-coded key usage
Persist
Forge cryptographic tokens
Impact
Obtain sensitive information
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the following specific conditions: (1) the file upload endpoint must be accessible to remote, unauthenticated users; (2) the user or attacker must interact with a file upload form or trigger a file upload action (high complexity requirement); (3) the SECRET_KEY parameter in djangoblog/settings.py must be modifiable or fallback-able through request manipulation during the upload process; (4) the application must use the supplied or manipulated SECRET_KEY for cryptographic operations without validation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This vulnerability presents low real-world risk despite public exploit availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTTP POST request to the file upload endpoint (/path/to/upload or similar) with a manipulated SECRET_KEY parameter set to a known hard-coded value or a value that triggers fallback behavior. The request includes a benign file upload to appear legitimate. …
Remediation No vendor-released patch was identified at time of analysis due to the vendor's lack of response to early disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-23787 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy