SecuriTricks - CVE-2026-5622

Description

A vulnerability was determined in hcengineering Huly Platform 0.7.382. Affected by this issue is some unknown functionality of the file foundations/core/packages/token/src/token.ts of the component JWT Token Handler. This manipulation of the argument SERVER_SECRET with the input secret causes use of hard-coded cryptographic key . The attack can be initiated remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Product(s) Impacted

Vendor	Product	Versions
Hcengineering	Huly Platform	0.7.382

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-320

None

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	hcengineering	huly_platform	0.7.382	/	/	/	/	/	/	/

References

https://vuldb.com/submit/785631

https://vuldb.com/vuln/355412

https://vuldb.com/vuln/355412/cti

CVSS Score

6.3 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Scope:
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Exploit Maturity: PROOF_OF_CONCEPT

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: April 6, 2026, 5:16 a.m.
Last Modified: April 7, 2026, 1:20 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-5622