Description
A security vulnerability has been detected in liangliangyy DjangoBlog up to 2.1.0.0. Affected is an unknown function of the file owntracks/views.py of the component Amap API Call Handler. Manipulation of the argument key leads to use of a hard-coded cryptographic key. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-19
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Confidentiality Compromise by exposure of a hard-coded cryptographic key
Action: Immediate Patch
AI Analysis

Impact

The Amap API call handler in owntracks/views.py of liangliangyy DjangoBlog uses a hard-coded cryptographic key (CWE-321, with CWE-320 for the surrounding key management), and the key in use can be influenced through the request argument key. The advisory text does not say what the key protects; the recommended actions on this page refer to it as the Amap API key. If the key encrypts or authenticates data, anyone who recovers it from the source can read or forge that data; if it is a third-party API credential, anyone who recovers it can call the Amap service as the application. In either case the result is a confidentiality compromise. The official description notes that the attack can be launched remotely and that an exploit has already been disclosed publicly.

Affected Systems

The vulnerability affects version 2.1.0.0 and earlier of the liangliangyy DjangoBlog project. The affected component is an unspecified function in owntracks/views.py that handles Amap API calls. No other vendors or product lines are listed.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L) rates the issue Medium; the CVSS 3.1 vector recorded in the History section scores it 7.3 (High) with low impact on each of confidentiality, integrity and availability. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote, unauthenticated HTTP request that supplies a crafted key argument to the affected endpoint, so no local access or code execution is needed. Given the public disclosure, the risk remains elevated until the key is moved out of the source code or a patched release is applied.

Generated by OpenCVE AI on April 19, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release later than 2.1.0.0 that removes the hard-coded Amap API key as soon as one is published; at the time of writing no vendor fix is listed, so treat the key as exposed until then.
  • Replace the embedded key with one read at runtime from server-side configuration, such as an environment variable or a dedicated secrets manager, so the key never resides in source code; rotate the exposed key with the Amap service once the replacement is in place.
  • Do not let a client-supplied key request parameter select or override the key the handler uses; the handler should read the key only from server-side configuration and accept from the client only the data the API call actually needs.

Generated by OpenCVE AI on April 19, 2026 at 23:50 UTC.
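The two remediation points above (key out of source control, no client-side override), as an added example that is not DjangoBlog's code and does not reproduce the affected handler: a hypothetical handler showing the pattern the CVE describes beside a hardened version, plus a small scan for literal key assignments. The Amap endpoint URL, the lat/lng parameter names, the AMAP_API_KEY variable and the placeholder key value are assumptions for illustration.

```python
import os
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed endpoint for illustration; the real handler's URL is not shown on the page.
AMAP_GEOCODE_ENDPOINT = "https://restapi.amap.com/v3/geocode/regeo"

# ---- Vulnerable pattern (CWE-321 hard-coded key, CWE-320 key management) ----
# Constructed placeholder value; the defect is that it lives in source control.
HARDCODED_AMAP_KEY = "0123456789abcdef0123456789abcdef"


def build_amap_url_vulnerable(query):
    """Hypothetical handler logic; `query` stands in for request.GET.

    Two defects: the credential is embedded in the code, and a client-supplied
    `key` parameter silently replaces it, so the caller decides which key the
    server sends on the outbound Amap call.
    """
    key = query.get("key", HARDCODED_AMAP_KEY)
    params = {"location": f"{query['lng']},{query['lat']}", "key": key}
    return f"{AMAP_GEOCODE_ENDPOINT}?{urlencode(params)}"


# ---- Hardened pattern ---------------------------------------------------------
class ConfigurationError(RuntimeError):
    """Raised when the server-side key is missing; the handler must fail closed."""


def load_amap_key(env=None):
    """Read the key from the environment (or a secrets manager in production).

    `env` is injectable so the behaviour can be exercised without os.environ.
    """
    env = os.environ if env is None else env
    key = env.get("AMAP_API_KEY", "").strip()
    if not key:
        raise ConfigurationError("AMAP_API_KEY is not configured")
    return key


def amap_configured(env=None):
    """True when a usable server-side key is present."""
    try:
        load_amap_key(env)
        return True
    except ConfigurationError:
        return False


def build_amap_url_hardened(query, env=None):
    """Same call, but the key comes only from configuration and client input is
    limited to the two coordinate fields, which are parsed and range-checked."""
    key = load_amap_key(env)
    try:
        lat = float(query["lat"])
        lng = float(query["lng"])
    except (KeyError, ValueError):
        raise ValueError("lat and lng are required numeric parameters")
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lng <= 180.0):
        raise ValueError("coordinates out of range")
    # A client-supplied 'key' is deliberately never read.
    params = {"location": f"{lng:.6f},{lat:.6f}", "key": key}
    return f"{AMAP_GEOCODE_ENDPOINT}?{urlencode(params)}"


def key_in_url(url):
    """Extract the key that an outbound request URL would actually send."""
    return parse_qs(urlsplit(url).query).get("key", [None])[0]


# ---- Repository check for the original defect --------------------------------
# Matches assignments such as  AMAP_KEY = "<32 hex chars>"  (case-insensitive).
_HARDCODED_KEY_RE = re.compile(
    r"""(?im)^\s*[A-Za-z_]*key[A-Za-z_]*\s*=\s*["']([0-9a-f]{32})["']"""
)


def find_hardcoded_keys(source_text):
    """Return the literal key values assigned in a source file's text."""
    return _HARDCODED_KEY_RE.findall(source_text)


if __name__ == "__main__":
    q = {"lat": "39.9042", "lng": "116.4074", "key": "attacker-controlled"}
    print("vulnerable sends key:", key_in_url(build_amap_url_vulnerable(q)))
    print("hardened sends key:  ",
          key_in_url(build_amap_url_hardened(q, env={"AMAP_API_KEY": "from-config"})))
    print("hard-coded literals: ",
          find_hardcoded_keys('AMAP_KEY = "0123456789abcdef0123456789abcdef"'))
```

The hardened handler raises ConfigurationError rather than falling back to a default when AMAP_API_KEY is unset, so a misdeployed instance fails closed instead of silently reusing an embedded key. The regex scan is deliberately narrow (32-hex-character literals assigned to a name containing "key"); a real pre-commit check would use a dedicated secret scanner, but the pattern is enough to catch the class of defect this CVE records.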


Advisories

No advisories yet.

History

Sun, 19 Apr 2026 22:30:00 +0000 (initial record; all values added, none removed)

Type: Description
Values Added: A security vulnerability has been detected in liangliangyy DjangoBlog up to 2.1.0.0. Affected is an unknown function of the file owntracks/views.py of the component Amap API Call Handler. Manipulation of the argument key leads to use of a hard-coded cryptographic key. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Added: liangliangyy DjangoBlog Amap API Call views.py hard-coded key

Type: Weaknesses
Values Added: CWE-320, CWE-321

Type: References
Values Added: (none)

Type: Metrics
Values Added:
  cvssV2_0: score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
  cvssV3_0: score 7.3, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  cvssV3_1: score 7.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  cvssV4_0: score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P



MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-19T22:15:12.387Z

Reserved: 2026-04-19T05:11:05.496Z

Link: CVE-2026-6580

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-19T23:16:33.697

Modified: 2026-04-19T23:16:33.697

Link: CVE-2026-6580

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T00:00:10Z

Weaknesses