CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials. Affected versions: - BOSH: all versions prior to v282.1

CVE-2026-41860 是 BOSH 组件中的安全漏洞，源于不安全的 TLS 证书验证。在 HttpRequestHelper 类的 create_async_endpoint 和 send_http_get_request_synchronous 方法中，硬编码了 OpenSSL::SSL::VERIFY_NONE 选项，导致 bosh-monitor 与 BOSH director 或 UAA 之间的通信不进行证书校验。这使得具备本地网络访问权限的攻击者能够执行中间人攻击 (MITM)，拦截并窃取 Basic-auth 凭据，或重定向 UAA 令牌请求。漏洞影响所有低于 v282.1.9 的 BOSH 版本，且已在 v282.1.9 及更高版本中修复。CVSS 评分为 8.8（高），攻击向量为本地（AV:L），攻击复杂度低，需要低权限，影响范围变更，对机密性、完整性和可用性均造成高影响。目前未发现该漏洞被在野利用，也未列入已知利用漏洞列表。建议用户立即升级至 BOSH v282.1.9 或更高版本；同时应限制 bosh-monitor 的网络暴露范围，并监控异常流量，以降低被利用风险。由于漏洞允许窃取凭据，可能进一步导致横向移动和权限提升，因此应优先修复。

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks. This vulne

`JWT.decode(token, '', true, algorithm: 'HS256')` accepts an attacker-forged token. `OpenSSL::HMAC.digest('SHA256', '', payload)` returns a valid digest under an empty key, and no `raise InvalidKeyError if key.empty?` precondition exists in the HMAC algorithm. ``` JWT.decode(token, "", true, algorithm: 'HS256') -> JWA::Hmac.verify(verification_key: "", ...) -> OpenSSL::HMAC.digest('SHA256',

```go func NewSecretsVerifier(header http.Header, secret string) (SecretsVerifier, error) { hash := hmac.New(sha256.New, []byte(secret)) // raw secret, no precondition } ```

### Impact _Insecure sync encryption: deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks._ ### Patches - https://github.com/electerm/electerm/commit/9dd8295e37d53396b

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.

fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string (''), for example via the common keys[decoded.header.kid] || '' JWKS-style fallback, fa

In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.

#### Summary No minimum length or entropy is enforced on the `JWT_SECRET` configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. HS256 secrets below 32 bytes are brute-forceable offline, allowing attackers to recover the signing key and forge valid JWTs for arbitrary users. --- #### Impact An attacker who captures a s