CVE-2026-5622 | hcengineering Huly Platform 0.7.382 JWT Token token.ts SERVER_SECRET hard-coded key

A vulnerability was found in hcengineering Huly Platform 0.7.382. It has been rated as problematic. Affected by this issue is some unknown functionality of the file foundations/core/packages/token/src/token.ts of the component JWT Token Handler. This manipulation of the argument SERVER_SECRET with the input secret causes use of hard-coded cryptographic key
.

This vulnerability is handled as CVE-2026-5622. The attack can be initiated remotely. Additionally, an exploit exists.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-5622 | hcengineering Huly Platform 0.7.382 JWT Token token.ts SERVER_SECRET hard-coded key

Post correlati

CVE-2024-36991 | Splunk Enterprise up to 9.0.9/9.1.4/9.2.1 on Windows /modules/messaging/ path traversal (SVD-2024-0711)

CVE-2024-10383 | GitLab VSCode Fork prior 1.89.1-1.0.0-dev-20241118094343 cross site scripting (Issue 500785)

CVE-2024-21362 | Microsoft unknown vulnerability

CVE-2024-9589 | Category and Taxonomy Meta Fields Plugin up to 1.0.0 on WordPress cross site scripting