Common Weakness Enumeration

CWE-321

Allowed

Use of Hard-coded Cryptographic Key

Abstraction: Variant · Status: Draft

The product uses a hard-coded, unchangeable cryptographic key.

503 vulnerabilities reference this CWE, most recent first.

GHSA-5RG7-HR8V-2P3G

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

A Use of Hard-coded Cryptographic Key issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G version 1.4, JetNet5728G-24P version 1.4, JetNet5828G version 1.1d, JetNet6710G-HVDC version 1.1e, and JetNet6710G version 1.1. An attacker may gain access to hard-coded certificates and private keys allowing the attacker to perform man-in-the-middle attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-01T02:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A Use of Hard-coded Cryptographic Key issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G version 1.4, JetNet5728G-24P version 1.4, JetNet5828G version 1.1d, JetNet6710G-HVDC version 1.1e, and JetNet6710G version 1.1. An attacker may gain access to hard-coded certificates and private keys allowing the attacker to perform man-in-the-middle attacks.",
  "id": "GHSA-5rg7-hr8v-2p3g",
  "modified": "2022-05-13T01:37:40Z",
  "published": "2022-05-13T01:37:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14021"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-299-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101598"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5VW4-6M45-994C

Vulnerability from github – Published: 2025-11-08 06:30 – Updated: 2025-11-08 06:30
VLAI
Details

The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12177"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-08T04:15:45Z",
    "severity": "MODERATE"
  },
  "details": "The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.",
  "id": "GHSA-5vw4-6m45-994c",
  "modified": "2025-11-08T06:30:26Z",
  "published": "2025-11-08T06:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12177"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3390068%40download-manager\u0026new=3390068%40download-manager\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17d5253c-5000-40c7-a7fd-f75d4badfb5e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5X8Q-JJ28-QG7W

Vulnerability from github – Published: 2023-08-09 09:30 – Updated: 2026-05-21 15:33
VLAI
Details

Use of Hard-coded Cryptographic Key vulnerability in Sifir Bes Education and Informatics Kunduz - Homework Helper App allows Authentication Abuse, Authentication Bypass.This issue affects Kunduz - Homework Helper App: before 6.2.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3632"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-09T09:15:14Z",
    "severity": "CRITICAL"
  },
  "details": "Use of Hard-coded Cryptographic Key vulnerability in Sifir Bes Education and Informatics Kunduz - Homework Helper App allows Authentication Abuse, Authentication Bypass.This issue affects Kunduz - Homework Helper App: before 6.2.3.",
  "id": "GHSA-5x8q-jj28-qg7w",
  "modified": "2026-05-21T15:33:59Z",
  "published": "2023-08-09T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3632"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-23-0446"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-23-0446"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6498-6RJ5-P7PF

Vulnerability from github – Published: 2025-08-26 06:31 – Updated: 2025-08-26 06:31
VLAI
Details

The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-26T06:15:32Z",
    "severity": "CRITICAL"
  },
  "details": "The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key.",
  "id": "GHSA-6498-6rj5-p7pf",
  "modified": "2025-08-26T06:31:01Z",
  "published": "2025-08-26T06:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41702"
    },
    {
      "type": "WEB",
      "url": "https://certvde.com/de/advisories/VDE-2025-076"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-64RH-R86Q-75FF

Vulnerability from github – Published: 2021-05-18 18:28 – Updated: 2021-05-06 21:51
VLAI
Summary
Hard coded cryptographic key in Kiali
Details

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kiali/kiali"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-1764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-06T21:51:32Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.",
  "id": "GHSA-64rh-r86q-75ff",
  "modified": "2021-05-06T21:51:32Z",
  "published": "2021-05-18T18:28:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1764"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kiali/kiali/commit/93f5cd0b6698e8fe8772afb8f35816f6c086aef1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kiali/kiali/commit/ac7bd6c7ddb2e01356e21d360dd1c718a90706ad"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kiali/kiali/commit/ce48af57113c805a25179aaab1a0fac2fb93653f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kiali/kiali/commit/faed1f5f90efae3df9fd6fb793f00ccc242b3a96"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1810383"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jpts/cve-2020-1764-poc"
    },
    {
      "type": "WEB",
      "url": "https://kiali.io/news/security-bulletins/kiali-security-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hard coded cryptographic key in Kiali"
}

GHSA-6625-M396-M7CP

Vulnerability from github – Published: 2026-04-17 21:31 – Updated: 2026-04-17 21:31
VLAI
Details

Anviz CX7 Firmware is  vulnerable because the application embeds reusable certificate/key material, enabling decryption of MQTT traffic and potential interaction with device messaging channels at scale.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-17T20:16:33Z",
    "severity": "HIGH"
  },
  "details": "Anviz CX7 Firmware\u00a0is\u00a0\nvulnerable because the application embeds reusable certificate/key \nmaterial, enabling decryption of MQTT traffic and potential interaction \nwith device messaging channels at scale.",
  "id": "GHSA-6625-m396-m7cp",
  "modified": "2026-04-17T21:31:46Z",
  "published": "2026-04-17T21:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32324"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json"
    },
    {
      "type": "WEB",
      "url": "https://www.anviz.com/contact-us.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-66Q5-93C3-XQ5W

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3), LOGO! Soft Comfort (All versions < V8.3). The LOGO! program files generated and used by the affected components offer the possibility to save user-defined functions (UDF) in a password protected way. This protection is implemented in the software that displays the information. An attacker could reverse engineer the UDFs directly from stored program files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-14T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions \u003c V8.3), LOGO! Soft Comfort (All versions \u003c V8.3). The LOGO! program files generated and used by the affected components offer the possibility to save user-defined functions (UDF) in a password protected way. This protection is implemented in the software that displays the information. An attacker could reverse engineer the UDFs directly from stored program files.",
  "id": "GHSA-66q5-93c3-xq5w",
  "modified": "2022-05-24T17:36:18Z",
  "published": "2022-05-24T17:36:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25234"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-480824.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-66RR-38W2-26RV

Vulnerability from github – Published: 2023-07-26 06:30 – Updated: 2024-04-04 06:21
VLAI
Details

The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'vczapi_encrypt_decrypt' function in versions up to, and including, 4.2.1. This makes it possible for unauthenticated attackers to decrypt and view the meeting id and password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-26T04:15:11Z",
    "severity": "MODERATE"
  },
  "details": "The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the \u0027vczapi_encrypt_decrypt\u0027 function in versions up to, and including, 4.2.1. This makes it possible for unauthenticated attackers to decrypt and view the meeting id and password.",
  "id": "GHSA-66rr-38w2-26rv",
  "modified": "2024-04-04T06:21:34Z",
  "published": "2023-07-26T06:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3947"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/tags/4.2.1/includes/helpers.php#L546"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/trunk/includes/Helpers/Encryption.php?rev=2942302"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ba2515d9-ced0-4b49-87c4-04c8391c2608?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-685X-Q473-XPPX

Vulnerability from github – Published: 2024-03-14 00:31 – Updated: 2024-03-14 00:31
VLAI
Details

Use of Hard-coded Cryptographic Key vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.1 and 12.5.2. The vulnerability could compromise the cryptographic keys.  

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38535"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-13T22:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Use of Hard-coded Cryptographic Key vulnerability in\u00a0OpenText\u2122\u00a0Exceed Turbo X affecting versions 12.5.1 and 12.5.2. The vulnerability could compromise the cryptographic keys.\u00a0\u00a0",
  "id": "GHSA-685x-q473-xppx",
  "modified": "2024-03-14T00:31:05Z",
  "published": "2024-03-14T00:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38535"
    },
    {
      "type": "WEB",
      "url": "https://support.opentext.com/csm?id=kb_article_view\u0026sysparm_article=KB0801267"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6C8G-9HFH-PQ5H

Vulnerability from github – Published: 2026-05-19 14:44 – Updated: 2026-06-09 11:56
VLAI
Summary
HAXcms: Private Key Disclosure via Broken HMAC Implementation
Details

Summary

The hmacBase64() function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request.

Details

Bug 1: Hardcoded HMAC Key (line 2160): The function passes the literal string "0" as the HMAC signing key instead of the key parameter, making every HAXcms instance compute identical HMACs for the same input.

Bug 2: Private Key Appended to Output (lines 2161- 2163): After computing the HMAC, the function concatenates the real key parameter which is "this.privateKey + this.salt", the system’s master signing secret is directly onto the output. The combined buffer is base64-encoded and returned as the token.

Every base64url token produced has the same structure: 32 bytes HMAC keyed with "0" and N bytes of privateKey+salt. An attacker base64-decodes any token, discards the first 32 bytes, and reads the private key directly.

The /system/api/connectionSettings endpoint is unauthenticated and returns multiple tokens generated by this function. A single GET request to this endpoint exposes the private key.

The PHP backend (HAXCMS.php:1619-1631) implements this function correctly with the actual key and returns only the hash. The PHP version produces 44-character tokens whereas the broken Node.js version produces 139+ character tokens.

PoC

  1. GET request to /system/api/connectionSettings endpoint and fetch the token.
  2. Extract the private key from the fetched token. The hmacBase64() function produces 32 bytes with HMAC-SHA256 with hardcoded key "0" and the rest of the bytes are privateKey+salt (plaintext). Decode the Base64 token, discard the first 32 bytes, read the remaining bytes as UTF-8 (this is your extracted private key).
  3. Since JWT's are signed with privateKey+salt, use this stolen private key to forge a JWT for admin using JWT.sign(payload, this.privateKey+this.salt). NOTE: the payload uses {id, user (set this as admin), iat (current timestamp), exp (expiration timestamp)}
  4. The same key can also be used to create other tokens (user_token, base_token, form_token, etc).
  5. Use these forged tokens to hit all authenticated endpoints (modify/delete/create etc) with admin privileges.

Impact

An unauthenticated attacker can perform the complete attack chain with a single HTTP request: 1. Extract private key: GET "/system/api/connectionSettings", base64-decode any token, discard first 32 bytes. 2. Forge admin JWT: sign arbitrary JWT payloads with the stolen privateKey+salt. 3. Forge all request tokens: compute valid user_token, site_token for any API call. 4. Full admin access: create/modify/delete sites, upload files, modify content.

This works even if the admin has changed the default credentials to a strong password. The forged tokens produce no login events in logs.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/haxcms-nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-321",
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T14:44:55Z",
    "nvd_published_at": "2026-06-05T19:16:33Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system\u2019s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request.\n\n### Details\nBug 1: Hardcoded HMAC Key (line 2160): The function passes the literal string \"0\" as the HMAC signing key instead of the key parameter, making every HAXcms instance compute identical HMACs for the same input.\n\nBug 2: Private Key Appended to Output (lines 2161- 2163): After computing the HMAC, the function concatenates the real key parameter which is \"this.privateKey + this.salt\", the system\u2019s master signing secret is directly onto the output. The combined buffer is base64-encoded and returned as the token.\n\nEvery base64url token produced has the same structure: 32 bytes HMAC keyed with \"0\" and N bytes of `privateKey+salt`. An attacker base64-decodes any token, discards the first 32 bytes, and reads the private key directly.\n\nThe `/system/api/connectionSettings` endpoint is unauthenticated and returns multiple tokens generated by this function. A single GET request to this endpoint exposes the private key.\n\nThe PHP backend (HAXCMS.php:1619-1631) implements this function correctly with the actual key and returns only the hash. The PHP version produces 44-character tokens whereas the broken Node.js version produces 139+ character tokens.\n\n### PoC\n1. GET request to `/system/api/connectionSettings` endpoint and fetch the token.\n2. Extract the private key from the fetched token. The `hmacBase64()` function produces 32 bytes with HMAC-SHA256 with hardcoded key \"0\" and the rest of the bytes are `privateKey+salt` (plaintext). Decode the Base64 token, discard the first 32 bytes, read the remaining bytes as UTF-8 (this is your extracted private key).\n3. Since JWT\u0027s are signed with `privateKey+salt`, use this stolen private key to forge a JWT for admin using `JWT.sign(payload, this.privateKey+this.salt)`. NOTE: the payload uses {id, user (set this as admin), iat (current timestamp), exp (expiration timestamp)}\n4. The same key can also be used to create other tokens (user_token, base_token, form_token, etc).\n5. Use these forged tokens to hit all authenticated endpoints (modify/delete/create etc) with admin privileges.\n\n### Impact\nAn unauthenticated attacker can perform the complete attack chain with a single HTTP request:\n1. Extract private key: GET \"/system/api/connectionSettings\", base64-decode any token, discard first 32 bytes.\n2. Forge admin JWT: sign arbitrary JWT payloads with the stolen privateKey+salt.\n3. Forge all request tokens: compute valid user_token, site_token for any API call.\n4. Full admin access: create/modify/delete sites, upload files, modify content.\n\nThis works even if the admin has changed the default credentials to a strong password. The forged tokens produce no login events in logs.",
  "id": "GHSA-6c8g-9hfh-pq5h",
  "modified": "2026-06-09T11:56:50Z",
  "published": "2026-05-19T14:44:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-6c8g-9hfh-pq5h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46395"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haxtheweb/issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "HAXcms: Private Key Disclosure via Broken HMAC Implementation"
}

Mitigation
Architecture and Design

Prevention schemes mirror that of hard-coded password storage.

No CAPEC attack patterns related to this CWE.