CVE-2025-56749

Critical CVSS: 9.4

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account.

Vendor

Creativeitem

Product

Academy Lms

CWE

CWE-798

Yayın Tarihi

2025-10-15 15:16:04

Güncelleme

2025-10-21 19:24:31

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-798 Academy Lms CRITICAL Creativeitem 2025

Referanslar

https://suryadina.com/academy-lms-jwt-secret-7k9m2x4p8q/

Benzer Kayıtlar

Medium

CVE-2025-71179

Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to t…

Medium

CVE-2023-53876

Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with…

Medium

CVE-2025-56748

Creativeitem Academy LMS up to and including 5.13 uses predictable password reset tokens based on Base64 encoded templat…

Low

CVE-2025-56746

Creativeitem Academy LMS up to and including 5.13 does not regenerate session IDs upon successful authentication, enabli…

Medium

CVE-2025-56747

Creativeitem Academy LMS up to and including 5.13 contains a privilege escalation vulnerability in the Api_instructor co…

Medium

CVE-2025-40990

Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user…