6.3
perfree go-fastdfs-web: Unauthorized Access via Hard-Coded Key
CVE-2026-3963
Summary
A security issue in perfree go-fastdfs-web versions up to 1.3.7 allows an attacker to access sensitive information without needing permission. This is because the cryptographic key used to secure the Apache Shiro RememberMe feature is hard-coded rather than properly protected. We recommend upgrading to a fixed version of perfree go-fastdfs-web to prevent unauthorized access.
Original title
A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component...
Original description
A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
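The weakness described above sits in how a Shiro rememberMeManager obtains its cipher key. The following is an added example, not go-fastdfs-web's own code, showing the hard-coded pattern as a comment beside a form that takes a per-deployment key; the class name, the environment variable SHIRO_REMEMBERME_KEY and the cookie settings are assumptions made for illustration.

```java
import java.util.Base64;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.servlet.SimpleCookie;

// Hypothetical class for illustration; in a Spring configuration the method
// below would typically be exposed as a bean.
public class RememberMeKeyExample {

    // Weak pattern (CWE-321): a key literal compiled into the application.
    // Every installation shares it, and anyone holding the source or the
    // jar can read it:
    //   manager.setCipherKey(Base64.getDecoder().decode("<KEY-LITERAL-IN-SOURCE>"));

    /** Hardened form: the key is supplied per deployment and never committed. */
    public static CookieRememberMeManager rememberMeManager() {
        // SHIRO_REMEMBERME_KEY is an assumed variable name holding a
        // Base64-encoded random key generated for this installation only.
        String encoded = System.getenv("SHIRO_REMEMBERME_KEY");
        if (encoded == null || encoded.trim().isEmpty()) {
            // Fail closed instead of falling back to a built-in default.
            throw new IllegalStateException(
                "SHIRO_REMEMBERME_KEY is not set; refusing to start without a key");
        }

        byte[] key = Base64.getDecoder().decode(encoded.trim());
        // Shiro encrypts the RememberMe cookie with AES by default, so the
        // key must be a valid AES key length.
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException(
                "RememberMe key must decode to 16, 24 or 32 bytes");
        }

        SimpleCookie cookie = new SimpleCookie("rememberMe");
        cookie.setHttpOnly(true);             // keep the cookie away from page scripts
        cookie.setMaxAge(7 * 24 * 60 * 60);   // assumed lifetime: seven days

        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCookie(cookie);
        manager.setCipherKey(key);
        return manager;
    }
}
```

Replacing the key invalidates RememberMe cookies issued under the old one, so users who relied on them have to log in again.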
nvd CVSS2.0: 2.6
nvd CVSS3.1: 3.7
nvd CVSS4.0: 6.3
Vulnerability type
CWE-320
CWE-321
Use of Hard-coded Cryptographic Key
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026