| Title | rachelos WeRSS WeRSS<=1.4.8 Weak Authentication |
|---|
| Description | WeRSS(https://github.com/rachelos/we-mp-rss/) uses hardcoded weak default JWT secret keys, and the default key in the configuration file is also predictable (project name). Attackers can use these default keys to forge valid administrator tokens, completely bypassing authentication
detail:https://www.notion.so/WeRSS-Weak-JWT-Key-Leading-to-Authentication-Bypass-2feea92a3c41803faadae58327facd7b |
|---|
| Source | ⚠️ https://www.notion.so/WeRSS-Weak-JWT-Key-Leading-to-Authentication-Bypass-2feea92a3c41803faadae58327facd7b |
|---|
| User | din4 (UID 50867) |
|---|
| Submission | 02/05/2026 08:57 (2 months ago) |
|---|
| Moderation | 02/08/2026 09:30 (3 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 344932 [rachelos WeRSS we-mp-rss up to 1.4.8 JWT core/auth.py SECRET_KEY default key] |
|---|
| Points | 16 |
|---|