CVE-2026-3963
Received Received - Intake
Hard-Coded Key Vulnerability in go-fastdfs-web RememberMeManager

Publication date: 2026-03-11

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3963
EUVD
EUVD-2026-11485
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
perfree go-fastdfs-web to 1.3.7 (inc)
apache shiro *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
CWE-320 Key Management Errors
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a security flaw found in the perfree go-fastdfs-web software up to version 1.3.7, specifically in the rememberMeManager function within the Apache Shiro RememberMe component. The issue arises because the code uses a hard-coded cryptographic key, which can be manipulated remotely by an attacker.

Exploiting this vulnerability requires a rather high level of complexity and is considered difficult, but the exploit code has been publicly released, making it potentially usable by attackers.

Impact Analysis

The vulnerability allows an attacker to remotely manipulate the rememberMeManager function due to the use of a hard-coded cryptographic key. This could lead to partial compromise of confidentiality, as indicated by the CVSS impact on confidentiality.

However, the overall impact is limited since the integrity and availability are not affected, and the attack complexity is high, making exploitation difficult.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3963. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart