Description
A vulnerability has been found in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file djangoblog/settings.py of the component Setting Handler. Such manipulation of the argument USER/PASSWORD leads to hard-coded credentials. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: Potential unauthorized database access via hard‑coded credentials
Action: Patch
AI Analysis

Impact

A vulnerability exists in liangliangyy DjangoBlog where the settings.py file contains hard‑coded database credentials. This flaw allows an attacker capable of influencing the settings handler to overwrite or expose valid user and password values. If successfully exploited, the attacker could gain read or write access to the underlying database, compromising confidentiality and integrity of stored data.

Affected Systems

The issue affects versions of liangliangyy DjangoBlog up to 2.1.0.0. No other products or versions are listed as impacted.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity risk. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation so far. The description states that attack may be launched remotely and requires a high level of complexity, implying that successful exploitation would need sophisticated techniques and likely sufficient system access. Despite the moderate scoring, the presence of hard‑coded credentials remains a significant security concern for deployments of the affected DjangoBlog version.

Generated by OpenCVE AI on April 20, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade liangliangyy DjangoBlog to a version that no longer hard‑codes credentials or apply a local patch removing the credentials from settings.py.
  • Move database credentials out of source code by storing them in environment variables or a secure secrets manager and updating settings.py accordingly.
  • Disable DEBUG mode in production and set restrictive file permissions on settings.py to prevent unauthorized modifications.

Generated by OpenCVE AI on April 20, 2026 at 07:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file djangoblog/settings.py of the component Setting Handler. Such manipulation of the argument USER/PASSWORD leads to hard-coded credentials. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title liangliangyy DjangoBlog Setting settings.py hard-coded credentials
Weaknesses CWE-259
CWE-798
References
Metrics cvssV2_0

{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T05:45:18.671Z

Reserved: 2026-04-19T16:06:12.146Z

Link: CVE-2026-6610

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-20T06:16:22.233

Modified: 2026-04-20T06:16:22.233

Link: CVE-2026-6610

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T07:30:45Z

Weaknesses