Description
A vulnerability was found in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component File Upload Endpoint. Performing a manipulation of the argument SECRET_KEY results in use of hard-coded cryptographic key. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Exposure of a hard-coded Django SECRET_KEY, the key the application uses for cryptographic signing; the assigned CVSS vectors rate the result as a limited loss of confidentiality (C:L) with no integrity or availability impact
Action: Assess Impact
AI Analysis

Impact

DjangoBlog ships a hard-coded value for SECRET_KEY in djangoblog/settings.py. In Django, SECRET_KEY is the key behind session cookies, CSRF tokens, password-reset tokens and anything else the application signs, so a key that is published with the source tree gives none of the protection key management is meant to provide: whoever knows it can compute valid signatures. VulDB ties the issue to the File Upload Endpoint component without describing the exact path. The description rates remote exploitation as possible, attack complexity as high and exploitability as difficult, and the CVSS vectors (C:L, I:N, A:N) score the impact as a limited loss of confidentiality rather than read or write access to data.

Affected Systems

All installations of liangliangyy DjangoBlog up to and including version 2.1.0.0 are affected. The weakness is the SECRET_KEY setting in the shipped djangoblog/settings.py, so it applies to any deployment still running with that key, regardless of hosting environment or auxiliary services.

Risk and Exploitability

The CVSS 4.0 score of 2.3 categorizes this issue as low severity (the v2 and v3 vectors score it 2.6 and 3.1), the EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is network, but every vector requires high attack complexity and user interaction, and the exploitability is reported as difficult, so a successful attack takes more skill or familiarity with the application than a routine scan-and-exploit. The SSVC assessment records a public proof of concept with partial technical impact and rates the attack as not automatable. Overall risk is low, but because the weakness is a published key rather than a bug that needs a specific trigger, the SECRET_KEY posture of each deployment is worth checking.

Generated by OpenCVE AI on April 20, 2026 at 08:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify any DjangoBlog installations running version 2.1.0.0 or earlier
  • No patched release is listed yet; watch the project for a release that removes the hard-coded default from djangoblog/settings.py and upgrade when it appears
  • Until then, override SECRET_KEY with a unique, securely generated value supplied from outside the source tree (for example, an environment variable read at startup) and verify that the running application no longer uses the default key
  • Rotating SECRET_KEY invalidates existing sessions, password-reset links and other signed values, so schedule the change accordingly

Generated by OpenCVE AI on April 20, 2026 at 08:24 UTC.
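The audit the recommended actions call for, as an added example that is not DjangoBlog's code and not part of the advisory: it parses a settings.py source, reports whether SECRET_KEY is a literal, an environment lookup with a literal default, or environment-only, mirrors the weak-key conditions that Django's `manage.py check --deploy` reports as security.W009, and mints a replacement key with a CSPRNG. The sample settings snippets are constructed for the example; the "environment variable with a literal fallback" shape is an assumption about how hard-coded keys usually appear in Django projects, since the page says only that settings.py carries a hard-coded SECRET_KEY.

```python
"""Audit how a Django settings module defines SECRET_KEY, then mint a replacement.

Added example for this write-up; not DjangoBlog's code. The settings snippets
below are constructed to show the patterns, not copied from
djangoblog/settings.py. The "env var with a literal fallback" shape is assumed
as the usual way a hard-coded key ends up in a Django project.
"""
import ast
import secrets

# Alphabet and length used by django.core.management.utils.get_random_secret_key().
KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
KEY_LEN = 50

# Constructed sample settings modules (not real project files).
SAMPLE_LITERAL = "SECRET_KEY = 'replace-me-before-deploying-0123456789'\n"
SAMPLE_ENV_OR_LITERAL = (
    "import os\n"
    "SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY') or 'default-committed-to-git-0123456789'\n"
)
SAMPLE_GETENV_DEFAULT = (
    "import os\n"
    "SECRET_KEY = os.getenv('DJANGO_SECRET_KEY', 'default-committed-to-git-0123456789')\n"
)
# Hardened form: no literal anywhere, so the process refuses to start without a key.
SAMPLE_ENV_ONLY = "import os\nSECRET_KEY = os.environ['DJANGO_SECRET_KEY']\n"


def _fallback_literals(expr: ast.AST) -> list:
    """String constants in the right-hand side that are not env-var names.

    The first positional argument of any call (os.environ.get('NAME'), os.getenv('NAME'))
    and anything inside a subscript (os.environ['NAME']) is a variable name; every other
    string constant is a default that silently becomes the key when the variable is unset.
    """
    name_ids = set()
    for node in ast.walk(expr):
        if isinstance(node, ast.Call) and node.args:
            name_ids.add(id(node.args[0]))
        elif isinstance(node, ast.Subscript):
            name_ids.update(id(n) for n in ast.walk(node.slice))
    return [
        node.value
        for node in ast.walk(expr)
        if isinstance(node, ast.Constant)
        and isinstance(node.value, str)
        and id(node) not in name_ids
    ]


def classify_secret_key(settings_source: str) -> str:
    """Classify the SECRET_KEY assignment in a settings.py source string.

    'literal'      SECRET_KEY = '...'                  hard-coded key (CWE-321)
    'env-fallback' env lookup with a literal default   hard-coded key that wins when unset
    'env-only'     env lookup with no literal default  acceptable
    'missing'      no SECRET_KEY assignment found
    """
    for node in ast.walk(ast.parse(settings_source)):
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets):
            continue
        rhs = node.value
        if isinstance(rhs, ast.Constant) and isinstance(rhs.value, str):
            return "literal"
        return "env-fallback" if _fallback_literals(rhs) else "env-only"
    return "missing"


def looks_weak(key: str) -> bool:
    """Same conditions Django's `manage.py check --deploy` flags as security.W009.

    The gap: a long, random-looking key that is nevertheless committed to the
    repository passes this test, which is exactly the CWE-321 case. Only the
    source audit above catches that.
    """
    return len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-")


def generate_secret_key() -> str:
    """Mint a replacement key with a CSPRNG, matching Django's own alphabet and length."""
    return "".join(secrets.choice(KEY_CHARS) for _ in range(KEY_LEN))


if __name__ == "__main__":
    samples = {
        "literal": SAMPLE_LITERAL,
        "env-or-literal": SAMPLE_ENV_OR_LITERAL,
        "getenv-default": SAMPLE_GETENV_DEFAULT,
        "env-only": SAMPLE_ENV_ONLY,
    }
    for label, src in samples.items():
        print(f"{label:16s} -> {classify_secret_key(src)}")
    # Export this value as DJANGO_SECRET_KEY in the deployment environment, not in git.
    print("replacement key:", generate_secret_key())
```

Feed `classify_secret_key` the text of the deployed djangoblog/settings.py: any result other than `env-only` means the key lives in the source tree and should be replaced with a generated value injected from the environment. Run Django's own `check --deploy` afterwards as well, but note that it only flags short, low-entropy or `django-insecure-` keys, not a strong key that happens to be public.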

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 16:15:00 +0000

Values removed: none. Values added:

Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 15:15:00 +0000

Values removed: none. Values added:

First Time appeared: Liangliangyy; Liangliangyy djangoblog
Vendors & Products: Liangliangyy; Liangliangyy djangoblog

Mon, 20 Apr 2026 07:15:00 +0000

Values removed: none. Values added:

Description: A vulnerability was found in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component File Upload Endpoint. Performing a manipulation of the argument SECRET_KEY results in use of hard-coded cryptographic key. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: liangliangyy DjangoBlog File Upload Endpoint settings.py hard-coded key
Weaknesses: CWE-320; CWE-321
References: (empty)
Metrics:
  cvssV2_0 {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T16:00:23.582Z

Reserved: 2026-04-19T16:06:15.273Z

Link: CVE-2026-6611

Vulnrichment

Updated: 2026-04-20T15:59:57.886Z

NVD

Status : Received

Published: 2026-04-20T07:16:15.650

Modified: 2026-04-20T07:16:15.650

Link: CVE-2026-6611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T14:58:06Z

Weaknesses