CVE-2026-3963
Hard-Coded Key Vulnerability in go-fastdfs-web RememberMeManager
Publication date: 2026-03-11
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| perfree | go-fastdfs-web | up to 1.3.7 (inclusive) |
| apache | shiro | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-320 | Key Management Errors |
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a security flaw in perfree go-fastdfs-web up to version 1.3.7, specifically in the rememberMeManager function of the Apache Shiro RememberMe component. The problem is that the code uses a hard-coded cryptographic key for the RememberMe cookie, and a remote attacker who knows that key can manipulate the component.
Exploiting this vulnerability is rated as highly complex and considered difficult, but exploit code has been publicly released, so it may nevertheless be usable by attackers.
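The defensive counterpart of the flaw described above, as an added example that is not code from go-fastdfs-web or from Apache Shiro: a Shiro `CookieRememberMeManager` configured with a key baked into the source, beside one that takes a per-deployment key from an environment variable (the variable name `REMEMBERME_CIPHER_KEY` and the sample key bytes are assumptions) and falls back to generating a fresh AES key at startup.

```java
import java.nio.charset.StandardCharsets;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;

public class RememberMeConfig {

    // Weak pattern (CWE-321): the key lives in the source, so every build and
    // every public fork shares it, and anyone who reads the code can decrypt
    // or forge every rememberMe cookie this instance issues.
    static CookieRememberMeManager weak() {
        CookieRememberMeManager manager = new CookieRememberMeManager();
        // Constructed placeholder key, 16 bytes = AES-128; not a real project value.
        byte[] fixedKey = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        manager.setCipherKey(fixedKey);
        return manager;
    }

    // Hardened pattern: the key is supplied per deployment (base64 in an
    // environment variable, name assumed) and never appears in the code base.
    // If no key is configured, generate a random AES key at startup; existing
    // rememberMe cookies then stop working after a restart, which is the
    // safe default compared with a shared, unchangeable key.
    static CookieRememberMeManager hardened() {
        CookieRememberMeManager manager = new CookieRememberMeManager();
        String configured = System.getenv("REMEMBERME_CIPHER_KEY"); // assumed name
        byte[] key;
        if (configured != null && !configured.isEmpty()) {
            key = Base64.decode(configured);
        } else {
            key = new AesCipherService().generateNewKey().getEncoded();
        }
        manager.setCipherKey(key);
        return manager;
    }
}
```

To confirm a deployment is not on the weak pattern, check that the configured key is not present in the application's source tree or packaged jar and that each instance uses a different value.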
How can this vulnerability impact me?
The vulnerability allows a remote attacker to manipulate the rememberMeManager function because it relies on a hard-coded cryptographic key. This can lead to a partial loss of confidentiality, as reflected in the CVSS confidentiality impact.
However, the overall impact is limited: integrity and availability are not affected, and the high attack complexity makes exploitation difficult.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know