CWE-321
Use of Hard-coded Cryptographic Key
The product uses a hard-coded, unchangeable cryptographic key.
CVE-2026-7018 (GCVE-0-2026-7018)
Vulnerability from cvelistv5 – Published: 2026-04-26 03:30 – Updated: 2026-04-27 17:02
VLAI
Title
Datavane Datavines JWT Token TokenManager.java hard-coded key
Summary
A vulnerability was determined in Datavane Datavines up to 13607645e14a4982468cfdbcf75c85cde63bae71. The affected element is an unknown function of the file datavines-core/src/main/java/io/datavines/core/utils/TokenManager.java of the component JWT Token Handler. Executing a manipulation of the argument tokenSecret can lead to use of hard-coded cryptographic key
. The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. This patch is called e540d6dc04e2e6ad11907fb655f3728a13e7b939. It is advisable to implement a patch to correct this issue. The project was informed of the problem early through a pull request but has not reacted yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359597 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359597/cti | signaturepermissions-required |
| https://vuldb.com/submit/797305 | third-party-advisory |
| https://github.com/datavane/datavines/issues/580 | issue-tracking |
| https://github.com/datavane/datavines/pull/579 | issue-trackingpatch |
| https://github.com/datavane/datavines/issues/580#… | exploitissue-tracking |
| https://github.com/datavane/datavines/pull/579/ch… | issue-trackingpatch |
| https://github.com/datavane/datavines/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7018",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T17:02:13.330526Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T17:02:44.468Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"JWT Token Handler"
],
"product": "Datavines",
"vendor": "Datavane",
"versions": [
{
"status": "affected",
"version": "13607645e14a4982468cfdbcf75c85cde63bae71"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "anch0r (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Datavane Datavines up to 13607645e14a4982468cfdbcf75c85cde63bae71. The affected element is an unknown function of the file datavines-core/src/main/java/io/datavines/core/utils/TokenManager.java of the component JWT Token Handler. Executing a manipulation of the argument tokenSecret can lead to use of hard-coded cryptographic key\r . The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. This patch is called e540d6dc04e2e6ad11907fb655f3728a13e7b939. It is advisable to implement a patch to correct this issue. The project was informed of the problem early through a pull request but has not reacted yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.1,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-26T03:30:20.576Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359597 | Datavane Datavines JWT Token TokenManager.java hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359597"
},
{
"name": "VDB-359597 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359597/cti"
},
{
"name": "Submit #797305 | datavane datavanes \u003c= 1.0.0-SNAPSHOT Improper Authentication",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/797305"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/datavane/datavines/issues/580"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/datavane/datavines/pull/579"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/datavane/datavines/issues/580#issue-4206839649"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/datavane/datavines/pull/579/changes/e540d6dc04e2e6ad11907fb655f3728a13e7b939"
},
{
"tags": [
"product"
],
"url": "https://github.com/datavane/datavines/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-25T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-25T12:37:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "Datavane Datavines JWT Token TokenManager.java hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7018",
"datePublished": "2026-04-26T03:30:20.576Z",
"dateReserved": "2026-04-25T10:32:08.296Z",
"dateUpdated": "2026-04-27T17:02:44.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7306 (GCVE-0-2026-7306)
Vulnerability from cvelistv5 – Published: 2026-04-28 19:30 – Updated: 2026-04-30 12:58
VLAI
Title
Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard-coded key
Summary
A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key
. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359961 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359961/cti | signaturepermissions-required |
| https://vuldb.com/submit/803077 | third-party-advisory |
| https://github.com/xuxueli/xxl-job/issues/3938 | exploitissue-tracking |
| https://github.com/xuxueli/xxl-job/issues/3938#is… | issue-tracking |
| https://github.com/xuxueli/xxl-job/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7306",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T12:57:53.118222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T12:58:07.137Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:xuxueli:xxl-job:*:*:*:*:*:*:*:*"
],
"modules": [
"OpenAPI Endpoint"
],
"product": "xxl-job",
"vendor": "Xuxueli",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "larlarua (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key\r . It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.1,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T19:30:13.749Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359961 | Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359961"
},
{
"name": "VDB-359961 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359961/cti"
},
{
"name": "Submit #803077 | xuxueli https://github.com/xuxueli/xxl-job v3.3.2 Authorization Bypass",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/803077"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/xuxueli/xxl-job/issues/3938"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/xuxueli/xxl-job/issues/3938#issuecomment-4149938881"
},
{
"tags": [
"product"
],
"url": "https://github.com/xuxueli/xxl-job/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-28T13:50:29.000Z",
"value": "VulDB entry last update"
}
],
"title": "Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7306",
"datePublished": "2026-04-28T19:30:13.749Z",
"dateReserved": "2026-04-28T11:45:16.427Z",
"dateUpdated": "2026-04-30T12:58:07.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8243 (GCVE-0-2026-8243)
Vulnerability from cvelistv5 – Published: 2026-05-10 09:00 – Updated: 2026-05-18 13:50
VLAI
Title
Industrial Application Software IAS Canias ERP JNLP Deployment Endpoint hard-coded key
Summary
A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This affects an unknown function of the component JNLP Deployment Endpoint. Executing a manipulation can lead to use of hard-coded cryptographic key
. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/362459 | vdb-entry |
| https://vuldb.com/vuln/362459/cti | signaturepermissions-required |
| https://vuldb.com/submit/808296 | third-party-advisory |
| https://hawktrace.com/blog/caniaserp | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Industrial Application Software IAS | Canias ERP |
Affected:
8.03
cpe:2.3:a:industrial_application_software_ias:canias_erp:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8243",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:08:45.556151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:08:54.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:industrial_application_software_ias:canias_erp:*:*:*:*:*:*:*:*"
],
"modules": [
"JNLP Deployment Endpoint"
],
"product": "Canias ERP",
"vendor": "Industrial Application Software IAS",
"versions": [
{
"status": "affected",
"version": "8.03"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bilal G\u00fcne\u015f (HawkTrace)"
},
{
"lang": "en",
"type": "reporter",
"value": "b1lal (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "b1lal (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This affects an unknown function of the component JNLP Deployment Endpoint. Executing a manipulation can lead to use of hard-coded cryptographic key\r . The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:ND/RL:ND/RC:ND",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T13:50:11.265Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-362459 | Industrial Application Software IAS Canias ERP JNLP Deployment Endpoint hard-coded key",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/362459"
},
{
"name": "VDB-362459 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/362459/cti"
},
{
"name": "Submit #808296 | Industrial Application Software - IAS Canias ERP 8.03-- Use of Hard-coded Cryptographic Key (CWE-321)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/808296"
},
{
"tags": [
"related"
],
"url": "https://hawktrace.com/blog/caniaserp"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-18T15:52:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "Industrial Application Software IAS Canias ERP JNLP Deployment Endpoint hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-8243",
"datePublished": "2026-05-10T09:00:12.301Z",
"dateReserved": "2026-05-09T16:33:15.982Z",
"dateUpdated": "2026-05-18T13:50:11.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8739 (GCVE-0-2026-8739)
Vulnerability from cvelistv5 – Published: 2026-05-17 07:45 – Updated: 2026-05-18 20:09
VLAI
Title
Sanluan PublicCMS SafeConfigComponent.java getSignKey hard-coded key
Summary
A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java. The manipulation of the argument privatefile_key results in use of hard-coded cryptographic key
. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/364327 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/364327/cti | signaturepermissions-required |
| https://vuldb.com/submit/809917 | third-party-advisory |
| https://vulnplus-note.wetolink.com/share/PCVUlOncmwTC | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8739",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T20:08:32.296671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T20:09:22.101Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:*"
],
"product": "PublicCMS",
"vendor": "Sanluan",
"versions": [
{
"status": "affected",
"version": "5.202506.d"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "vulnplusbot (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java. The manipulation of the argument privatefile_key results in use of hard-coded cryptographic key\r . The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-17T07:45:12.075Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-364327 | Sanluan PublicCMS SafeConfigComponent.java getSignKey hard-coded key",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/364327"
},
{
"name": "VDB-364327 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/364327/cti"
},
{
"name": "Submit #809917 | PublicCMS V5.202506.d Anonymous Private File Download",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/809917"
},
{
"tags": [
"exploit"
],
"url": "https://vulnplus-note.wetolink.com/share/PCVUlOncmwTC"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-16T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-16T12:41:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sanluan PublicCMS SafeConfigComponent.java getSignKey hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-8739",
"datePublished": "2026-05-17T07:45:12.075Z",
"dateReserved": "2026-05-16T10:36:27.832Z",
"dateUpdated": "2026-05-18T20:09:22.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9642 (GCVE-0-2026-9642)
Vulnerability from cvelistv5 – Published: 2026-05-26 19:36 – Updated: 2026-06-03 14:52
VLAI
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2026-06-03T14:52:28.257Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
],
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2026-9642",
"datePublished": "2026-05-26T19:36:56.398Z",
"dateRejected": "2026-06-03T14:52:28.257Z",
"dateReserved": "2026-05-26T18:53:00.748Z",
"dateUpdated": "2026-06-03T14:52:28.257Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Prevention schemes mirror that of hard-coded password storage.
No CAPEC attack patterns related to this CWE.