CWE-321
Use of Hard-coded Cryptographic Key
The product uses a hard-coded, unchangeable cryptographic key.
CVE-2026-5457 (GCVE-0-2026-5457)
Vulnerability from cvelistv5 – Published: 2026-04-03 06:30 – Updated: 2026-04-03 14:44
VLAI
Title
PropertyGuru AgentNet Singapore App com.allproperty.android.agentnet BuildConfig.java hard-coded key
Summary
A security flaw has been discovered in PropertyGuru AgentNet Singapore App up to 23.7.10 on Android. This affects an unknown function of the file com/allproperty/android/agentnet/BuildConfig.java of the component com.allproperty.android.agentnet. The manipulation of the argument SEGMENT_ANDROID_WRITE_KEY/SEGMENT_TOS_WRITE_KEY results in use of hard-coded cryptographic key
. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/355045 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/355045/cti | signaturepermissions-required |
| https://vuldb.com/submit/781764 | third-party-advisory |
| https://www.notion.so/Segment-Write-Key-Exposure-… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PropertyGuru | AgentNet Singapore App |
Affected:
23.7.0
Affected: 23.7.1 Affected: 23.7.2 Affected: 23.7.3 Affected: 23.7.4 Affected: 23.7.5 Affected: 23.7.6 Affected: 23.7.7 Affected: 23.7.8 Affected: 23.7.9 Affected: 23.7.10 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5457",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T14:44:34.714888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T14:44:45.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"com.allproperty.android.agentnet"
],
"product": "AgentNet Singapore App",
"vendor": "PropertyGuru",
"versions": [
{
"status": "affected",
"version": "23.7.0"
},
{
"status": "affected",
"version": "23.7.1"
},
{
"status": "affected",
"version": "23.7.2"
},
{
"status": "affected",
"version": "23.7.3"
},
{
"status": "affected",
"version": "23.7.4"
},
{
"status": "affected",
"version": "23.7.5"
},
{
"status": "affected",
"version": "23.7.6"
},
{
"status": "affected",
"version": "23.7.7"
},
{
"status": "affected",
"version": "23.7.8"
},
{
"status": "affected",
"version": "23.7.9"
},
{
"status": "affected",
"version": "23.7.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in PropertyGuru AgentNet Singapore App up to 23.7.10 on Android. This affects an unknown function of the file com/allproperty/android/agentnet/BuildConfig.java of the component com.allproperty.android.agentnet. The manipulation of the argument SEGMENT_ANDROID_WRITE_KEY/SEGMENT_TOS_WRITE_KEY results in use of hard-coded cryptographic key\r . The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T06:30:13.798Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-355045 | PropertyGuru AgentNet Singapore App com.allproperty.android.agentnet BuildConfig.java hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/355045"
},
{
"name": "VDB-355045 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/355045/cti"
},
{
"name": "Submit #781764 | PropertyGuru AgentNet Singapore(com.allproperty.android.agentnet) 23.7.10 Segment Write Key Exposure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/781764"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-com-allpropert-3262de3f97fb80b5aa5ae52475bf155e?source=copy_link"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-03T00:27:00.000Z",
"value": "VulDB entry last update"
}
],
"title": "PropertyGuru AgentNet Singapore App com.allproperty.android.agentnet BuildConfig.java hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5457",
"datePublished": "2026-04-03T06:30:13.798Z",
"dateReserved": "2026-04-02T22:21:55.784Z",
"dateUpdated": "2026-04-03T14:44:45.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5458 (GCVE-0-2026-5458)
Vulnerability from cvelistv5 – Published: 2026-04-03 07:00 – Updated: 2026-04-03 11:17
VLAI
Title
Noelse Individuals & Pro App com.afone.noelse BuildConfig.java hard-coded key
Summary
A weakness has been identified in Noelse Individuals & Pro App up to 2.1.7 on Android. This impacts an unknown function of the file com/reactnative/antelop/BuildConfig.java of the component com.afone.noelse. This manipulation of the argument SEGMENT_WRITE_KEY causes use of hard-coded cryptographic key
. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/355046 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/355046/cti | signaturepermissions-required |
| https://vuldb.com/submit/781766 | third-party-advisory |
| https://www.notion.so/Segment-Write-Key-Exposure-… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Noelse | Individuals & Pro App |
Affected:
2.1.0
Affected: 2.1.1 Affected: 2.1.2 Affected: 2.1.3 Affected: 2.1.4 Affected: 2.1.5 Affected: 2.1.6 Affected: 2.1.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5458",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T11:16:58.833724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T11:17:55.821Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"com.afone.noelse"
],
"product": "Individuals \u0026 Pro App",
"vendor": "Noelse",
"versions": [
{
"status": "affected",
"version": "2.1.0"
},
{
"status": "affected",
"version": "2.1.1"
},
{
"status": "affected",
"version": "2.1.2"
},
{
"status": "affected",
"version": "2.1.3"
},
{
"status": "affected",
"version": "2.1.4"
},
{
"status": "affected",
"version": "2.1.5"
},
{
"status": "affected",
"version": "2.1.6"
},
{
"status": "affected",
"version": "2.1.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Noelse Individuals \u0026 Pro App up to 2.1.7 on Android. This impacts an unknown function of the file com/reactnative/antelop/BuildConfig.java of the component com.afone.noelse. This manipulation of the argument SEGMENT_WRITE_KEY causes use of hard-coded cryptographic key\r . The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T07:00:16.331Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-355046 | Noelse Individuals \u0026 Pro App com.afone.noelse BuildConfig.java hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/355046"
},
{
"name": "VDB-355046 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/355046/cti"
},
{
"name": "Submit #781766 | Noelse Noelse - Individuals \u0026 Pro(com.afone.noelse) 2.1.7 Segment Write Key Exposure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/781766"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-com-afone-noel-3262de3f97fb80549986ddd8a160ed32?source=copy_link"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-03T00:28:29.000Z",
"value": "VulDB entry last update"
}
],
"title": "Noelse Individuals \u0026 Pro App com.afone.noelse BuildConfig.java hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5458",
"datePublished": "2026-04-03T07:00:16.331Z",
"dateReserved": "2026-04-02T22:23:25.416Z",
"dateUpdated": "2026-04-03T11:17:55.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5462 (GCVE-0-2026-5462)
Vulnerability from cvelistv5 – Published: 2026-04-03 07:15 – Updated: 2026-04-03 19:57
VLAI
Title
Wahoo Fitness SYSTM App com.WahooFitness.SYSTM BuildConfig.java hard-coded key
Summary
A vulnerability was identified in Wahoo Fitness SYSTM App up to 7.2.1 on Android. Impacted is an unknown function of the file com/WahooFitness/SYSTM/BuildConfig.java of the component com.WahooFitness.SYSTM. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key
. Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/355053 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/355053/cti | signaturepermissions-required |
| https://vuldb.com/submit/781767 | third-party-advisory |
| https://www.notion.so/Segment-Write-Key-Exposure-… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wahoo Fitness | SYSTM App |
Affected:
7.2.0
Affected: 7.2.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5462",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T19:57:41.978822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T19:57:59.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"com.WahooFitness.SYSTM"
],
"product": "SYSTM App",
"vendor": "Wahoo Fitness",
"versions": [
{
"status": "affected",
"version": "7.2.0"
},
{
"status": "affected",
"version": "7.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Wahoo Fitness SYSTM App up to 7.2.1 on Android. Impacted is an unknown function of the file com/WahooFitness/SYSTM/BuildConfig.java of the component com.WahooFitness.SYSTM. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key\r . Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T07:15:10.913Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-355053 | Wahoo Fitness SYSTM App com.WahooFitness.SYSTM BuildConfig.java hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/355053"
},
{
"name": "VDB-355053 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/355053/cti"
},
{
"name": "Submit #781767 | Wahoo Fitness Wahoo SYSTM(com.WahooFitness.SYSTM) 7.2.1 Segment Write Key Exposure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/781767"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/Segment-Write-Key-Exposure-Leading-to-Data-Injection-and-User-Profile-Manipulation-In-com-WahooFitne-3262de3f97fb8038808eed63af1a48b8?source=copy_link"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-03T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-03T02:56:01.000Z",
"value": "VulDB entry last update"
}
],
"title": "Wahoo Fitness SYSTM App com.WahooFitness.SYSTM BuildConfig.java hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5462",
"datePublished": "2026-04-03T07:15:10.913Z",
"dateReserved": "2026-04-03T00:50:55.848Z",
"dateUpdated": "2026-04-03T19:57:59.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5471 (GCVE-0-2026-5471)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:45 – Updated: 2026-04-04 03:17
VLAI
Title
Investory Toy Planet Trouble App app.investory.toyfactory google-services-desktop.json hard-coded key
Summary
A vulnerability was detected in Investory Toy Planet Trouble App up to 1.5.5 on Android. Impacted is an unknown function of the file assets/google-services-desktop.json of the component app.investory.toyfactory. The manipulation of the argument current_key results in use of hard-coded cryptographic key
. The attack must be initiated from a local position. The exploit is now public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/355075 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/355075/cti | signaturepermissions-required |
| https://vuldb.com/submit/781784 | third-party-advisory |
| https://www.notion.so/Firebase-API-Key-Exposure-L… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Investory | Toy Planet Trouble App |
Affected:
1.5.0
Affected: 1.5.1 Affected: 1.5.2 Affected: 1.5.3 Affected: 1.5.4 Affected: 1.5.5 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5471",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-04T03:17:37.607495Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-04T03:17:50.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"app.investory.toyfactory"
],
"product": "Toy Planet Trouble App",
"vendor": "Investory",
"versions": [
{
"status": "affected",
"version": "1.5.0"
},
{
"status": "affected",
"version": "1.5.1"
},
{
"status": "affected",
"version": "1.5.2"
},
{
"status": "affected",
"version": "1.5.3"
},
{
"status": "affected",
"version": "1.5.4"
},
{
"status": "affected",
"version": "1.5.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Investory Toy Planet Trouble App up to 1.5.5 on Android. Impacted is an unknown function of the file assets/google-services-desktop.json of the component app.investory.toyfactory. The manipulation of the argument current_key results in use of hard-coded cryptographic key\r . The attack must be initiated from a local position. The exploit is now public and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T15:45:10.403Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-355075 | Investory Toy Planet Trouble App app.investory.toyfactory google-services-desktop.json hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/355075"
},
{
"name": "VDB-355075 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/355075/cti"
},
{
"name": "Submit #781784 | INVESTORY Investory(app.investory.toyfactory) 1.5.5 Firebase API Key Exposure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/781784"
},
{
"tags": [
"exploit"
],
"url": "https://www.notion.so/Firebase-API-Key-Exposure-Leading-to-Unauthorized-Anonymous-Authentication-and-Data-Access-in-app-in-3262de3f97fb80f1abe6fb5f3eb373bc?source=copy_link"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-03T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-03T09:42:59.000Z",
"value": "VulDB entry last update"
}
],
"title": "Investory Toy Planet Trouble App app.investory.toyfactory google-services-desktop.json hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5471",
"datePublished": "2026-04-03T15:45:10.403Z",
"dateReserved": "2026-04-03T07:37:53.776Z",
"dateUpdated": "2026-04-04T03:17:50.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5527 (GCVE-0-2026-5527)
Vulnerability from cvelistv5 – Published: 2026-04-04 23:15 – Updated: 2026-04-06 13:25
VLAI
Title
Tenda 4G03 Pro ECDSA P-256 Private Key server.key hard-coded key
Summary
A weakness has been identified in Tenda 4G03 Pro 1.0/1.0re/01.bin/04.03.01.53. Affected by this issue is some unknown functionality of the file /etc/www/pem/server.key of the component ECDSA P-256 Private Key Handler. This manipulation causes use of hard-coded cryptographic key
. It is possible to initiate the attack remotely.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/355280 | vdb-entry |
| https://vuldb.com/vuln/355280/cti | signaturepermissions-required |
| https://vuldb.com/submit/782053 | third-party-advisory |
| https://www.tenda.com.cn/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5527",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T13:25:37.832426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T13:25:49.224Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"ECDSA P-256 Private Key Handler"
],
"product": "4G03 Pro",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "1.0"
},
{
"status": "affected",
"version": "1.0re"
},
{
"status": "affected",
"version": "01.bin"
},
{
"status": "affected",
"version": "04.03.01.53"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "CoreNode (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB Vulnerability Moderation Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Tenda 4G03 Pro 1.0/1.0re/01.bin/04.03.01.53. Affected by this issue is some unknown functionality of the file /etc/www/pem/server.key of the component ECDSA P-256 Private Key Handler. This manipulation causes use of hard-coded cryptographic key\r . It is possible to initiate the attack remotely."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-04T23:15:12.490Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-355280 | Tenda 4G03 Pro ECDSA P-256 Private Key server.key hard-coded key",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/355280"
},
{
"name": "VDB-355280 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/355280/cti"
},
{
"name": "Submit #782053 | Tenda 4G03 Pro V1.0 V04.03.01.53 Cryptographic Issues",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/782053"
},
{
"tags": [
"product"
],
"url": "https://www.tenda.com.cn/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-04T08:25:13.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tenda 4G03 Pro ECDSA P-256 Private Key server.key hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5527",
"datePublished": "2026-04-04T23:15:12.490Z",
"dateReserved": "2026-04-04T06:20:03.869Z",
"dateUpdated": "2026-04-06T13:25:49.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5549 (GCVE-0-2026-5549)
Vulnerability from cvelistv5 – Published: 2026-04-05 07:45 – Updated: 2026-04-06 16:21
VLAI
Title
Tenda AC10 RSA 2048-bit Private Key privkeySrv.pem hard-coded key
Summary
A vulnerability was determined in Tenda AC10 16.03.10.10_multi_TDE01. Affected by this issue is some unknown functionality of the file /webroot_ro/pem/privkeySrv.pem of the component RSA 2048-bit Private Key Handler. Executing a manipulation can lead to use of hard-coded cryptographic key
. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/355313 | vdb-entry |
| https://vuldb.com/vuln/355313/cti | signaturepermissions-required |
| https://vuldb.com/submit/782298 | third-party-advisory |
| https://github.com/somanyerrors/tenda-ac10v4-vuln… | exploit |
| https://www.tenda.com.cn/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5549",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T16:20:59.428926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:21:09.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:o:tenda:ac10_firmware:*:*:*:*:*:*:*:*"
],
"modules": [
"RSA 2048-bit Private Key Handler"
],
"product": "AC10",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "16.03.10.10_multi_TDE01"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "CoreNode (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Tenda AC10 16.03.10.10_multi_TDE01. Affected by this issue is some unknown functionality of the file /webroot_ro/pem/privkeySrv.pem of the component RSA 2048-bit Private Key Handler. Executing a manipulation can lead to use of hard-coded cryptographic key\r . The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-05T07:45:14.628Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-355313 | Tenda AC10 RSA 2048-bit Private Key privkeySrv.pem hard-coded key",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/355313"
},
{
"name": "VDB-355313 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/355313/cti"
},
{
"name": "Submit #782298 | Tenda AC10 V4 US_AC10V4.0si_V16.03.10.10_multi_TDE01 Cryptographic Issues",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/782298"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/somanyerrors/tenda-ac10v4-vulnerabilities/blob/main/findings/CRITICAL-05-exposed-rsa-private-key.md"
},
{
"tags": [
"product"
],
"url": "https://www.tenda.com.cn/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-04T15:33:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tenda AC10 RSA 2048-bit Private Key privkeySrv.pem hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5549",
"datePublished": "2026-04-05T07:45:14.628Z",
"dateReserved": "2026-04-04T13:28:08.788Z",
"dateUpdated": "2026-04-06T16:21:09.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5622 (GCVE-0-2026-5622)
Vulnerability from cvelistv5 – Published: 2026-04-06 04:30 – Updated: 2026-04-07 03:01
VLAI
Title
hcengineering Huly Platform JWT Token token.ts hard-coded key
Summary
A vulnerability was determined in hcengineering Huly Platform 0.7.382. Affected by this issue is some unknown functionality of the file foundations/core/packages/token/src/token.ts of the component JWT Token Handler. This manipulation of the argument SERVER_SECRET with the input secret causes use of hard-coded cryptographic key
. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/355412 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/355412/cti | signaturepermissions-required |
| https://vuldb.com/submit/785631 | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hcengineering | Huly Platform |
Affected:
0.7.382
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T03:01:20.310712Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T03:01:32.473Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"JWT Token Handler"
],
"product": "Huly Platform",
"vendor": "hcengineering",
"versions": [
{
"status": "affected",
"version": "0.7.382"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ghufran Khan (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in hcengineering Huly Platform 0.7.382. Affected by this issue is some unknown functionality of the file foundations/core/packages/token/src/token.ts of the component JWT Token Handler. This manipulation of the argument SERVER_SECRET with the input secret causes use of hard-coded cryptographic key\r . The attack can be initiated remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T04:30:13.576Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-355412 | hcengineering Huly Platform JWT Token token.ts hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/355412"
},
{
"name": "VDB-355412 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/355412/cti"
},
{
"name": "Submit #785631 | hcengineering platform v0.7.382 Authentication Bypass Issues",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/785631"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-05T18:11:21.000Z",
"value": "VulDB entry last update"
}
],
"title": "hcengineering Huly Platform JWT Token token.ts hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5622",
"datePublished": "2026-04-06T04:30:13.576Z",
"dateReserved": "2026-04-05T16:06:11.825Z",
"dateUpdated": "2026-04-07T03:01:32.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6580 (GCVE-0-2026-6580)
Vulnerability from cvelistv5 – Published: 2026-04-19 22:15 – Updated: 2026-04-20 14:55
VLAI
Title
liangliangyy DjangoBlog Amap API Call views.py hard-coded key
Summary
A security vulnerability has been detected in liangliangyy DjangoBlog up to 2.1.0.0. Affected is an unknown function of the file owntracks/views.py of the component Amap API Call Handler. Such manipulation of the argument key leads to use of hard-coded cryptographic key
. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/358215 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/358215/cti | signaturepermissions-required |
| https://vuldb.com/submit/790287 | third-party-advisory |
| https://github.com/3em0/cve_repo/blob/main/Django… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| liangliangyy | DjangoBlog |
Affected:
2.1.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6580",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T14:46:53.069427Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:55:13.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Amap API Call Handler"
],
"product": "DjangoBlog",
"vendor": "liangliangyy",
"versions": [
{
"status": "affected",
"version": "2.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem0 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in liangliangyy DjangoBlog up to 2.1.0.0. Affected is an unknown function of the file owntracks/views.py of the component Amap API Call Handler. Such manipulation of the argument key leads to use of hard-coded cryptographic key\r . The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-19T22:15:12.387Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-358215 | liangliangyy DjangoBlog Amap API Call views.py hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/358215"
},
{
"name": "VDB-358215 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/358215/cti"
},
{
"name": "Submit #790287 | liangliangyy DjangoBlog \u003c= 2.1.0.0 Hardcoded Credentials",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/790287"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/3em0/cve_repo/blob/main/DjangoBlog/Vuln-5-Hardcoded-Amap-API-Key.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-19T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-19T07:16:26.000Z",
"value": "VulDB entry last update"
}
],
"title": "liangliangyy DjangoBlog Amap API Call views.py hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6580",
"datePublished": "2026-04-19T22:15:12.387Z",
"dateReserved": "2026-04-19T05:11:05.496Z",
"dateUpdated": "2026-04-20T14:55:13.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6611 (GCVE-0-2026-6611)
Vulnerability from cvelistv5 – Published: 2026-04-20 06:00 – Updated: 2026-04-20 16:00
VLAI
Title
liangliangyy DjangoBlog File Upload Endpoint settings.py hard-coded key
Summary
A vulnerability was found in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component File Upload Endpoint. Performing a manipulation of the argument SECRET_KEY results in use of hard-coded cryptographic key
. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/358246 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/358246/cti | signaturepermissions-required |
| https://vuldb.com/submit/790313 | third-party-advisory |
| https://github.com/3em0/cve_repo/blob/main/Django… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| liangliangyy | DjangoBlog |
Affected:
2.1.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6611",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T15:59:49.180946Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T16:00:23.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"File Upload Endpoint"
],
"product": "DjangoBlog",
"vendor": "liangliangyy",
"versions": [
{
"status": "affected",
"version": "2.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem0 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component File Upload Endpoint. Performing a manipulation of the argument SECRET_KEY results in use of hard-coded cryptographic key\r . Remote exploitation of the attack is possible. The attack\u0027s complexity is rated as high. The exploitability is reported as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T06:00:18.066Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-358246 | liangliangyy DjangoBlog File Upload Endpoint settings.py hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/358246"
},
{
"name": "VDB-358246 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/358246/cti"
},
{
"name": "Submit #790313 | liangliangyy DjangoBlog \u003c= 2.1.0.0 Security Misconfiguration + Hardcoded Credentials",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/790313"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/3em0/cve_repo/blob/main/DjangoBlog/Vuln-11-Weak-File-Upload-Auth.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-19T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-19T18:11:29.000Z",
"value": "VulDB entry last update"
}
],
"title": "liangliangyy DjangoBlog File Upload Endpoint settings.py hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6611",
"datePublished": "2026-04-20T06:00:18.066Z",
"dateReserved": "2026-04-19T16:06:15.273Z",
"dateUpdated": "2026-04-20T16:00:23.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6787 (GCVE-0-2026-6787)
Vulnerability from cvelistv5 – Published: 2026-05-06 15:46 – Updated: 2026-05-06 16:11
VLAI
Title
Usage of a hard-coded cryptographic key in WatchGuard Agent allows inclusion of code into existing process
Summary
Use of Hard-coded Cryptographic Key vulnerability in WatchGuard Agent on Windows allows Inclusion of Code in Existing Process.This issue affects WatchGuard Agent: before 1.25.03.0000.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WatchGuard | WatchGuard Agent |
Affected:
0 , < 1.25.03.0000
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6787",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T16:11:48.734253Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T16:11:58.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "WatchGuard Agent",
"vendor": "WatchGuard",
"versions": [
{
"lessThan": "1.25.03.0000",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:watchguard:single_watchguard_agent:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.25.03.0000",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Hard-coded Cryptographic Key vulnerability in WatchGuard Agent on Windows allows Inclusion of Code in Existing Process.\u003cp\u003eThis issue affects\u0026nbsp;WatchGuard Agent: before 1.25.03.0000.\u003c/p\u003e"
}
],
"value": "Use of Hard-coded Cryptographic Key vulnerability in WatchGuard Agent on Windows allows Inclusion of Code in Existing Process.This issue affects\u00a0WatchGuard Agent: before 1.25.03.0000."
}
],
"impacts": [
{
"capecId": "CAPEC-640",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-640 Inclusion of Code in Existing Process"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T15:46:26.104Z",
"orgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
"shortName": "WatchGuard"
},
"references": [
{
"url": "https://www.watchguard.com/wgrd-psirt/advisory/WGSA-2026-00013"
}
],
"source": {
"defect": [
"AETHER-11836"
],
"discovery": "EXTERNAL"
},
"title": "Usage of a hard-coded cryptographic key in WatchGuard Agent allows inclusion of code into existing process",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
"assignerShortName": "WatchGuard",
"cveId": "CVE-2026-6787",
"datePublished": "2026-05-06T15:46:26.104Z",
"dateReserved": "2026-04-21T13:21:17.555Z",
"dateUpdated": "2026-05-06T16:11:58.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Prevention schemes mirror that of hard-coded password storage.
No CAPEC attack patterns related to this CWE.