Home

Description

A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

PUBLISHED Reserved 2026-03-11 | Published 2026-03-11 | Updated 2026-03-11 | Assigner VulDB




MEDIUM: 6.3CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
LOW: 3.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
LOW: 3.7CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2.6AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR

Problem types

Use of Hard-coded Cryptographic Key

Key Management Error

Product status

1.3.0
affected

1.3.1
affected

1.3.2
affected

1.3.3
affected

1.3.4
affected

1.3.5
affected

1.3.6
affected

1.3.7
affected

Timeline

2026-03-11:Advisory disclosed
2026-03-11:VulDB entry created
2026-03-11:VulDB entry last update

Credits

din4 (VulDB User) reporter

VulDB coordinator

References

vuldb.com/?id.350392 (VDB-350392 | perfree go-fastdfs-web Apache Shiro RememberMe ShiroConfig.java rememberMeManager hard-coded key) vdb-entry technical-description

vuldb.com/?ctiid.350392 (VDB-350392 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.768282 (Submit #768282 | perfree go-fastdfs-web ≤1.3.7 Hardcoded Apache Shiro Cipher Key) third-party-advisory

www.notion.so/...-reach-RCE-313ea92a3c41806fae44dffe53e69751 exploit

cve.org (CVE-2026-3963)

nvd.nist.gov (CVE-2026-3963)

Download JSON