CVE-2026-6580
Published: 19 April 2026
Summary
CVE-2026-6580 is a medium-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood percentile is 17.3 (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6580 affects liangliangyy DjangoBlog versions up to 2.1.0.0, specifically an unknown function in the file owntracks/views.py within the Amap API Call Handler component. The vulnerability stems from the use of a hard-coded cryptographic key, which is exposed through manipulation of the 'key' argument.
The vulnerability is remotely exploitable with low attack complexity and requires neither privileges nor user interaction, per its CVSS 3.1 score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). A remote attacker can trigger the issue to access the hard-coded key, with limited impact on confidentiality, integrity, and availability. It is linked to CWE-320 (Missing Cryptographic Key Management) and CWE-321 (Use of Hard-coded Cryptographic Key).
Advisories on VulDB and a GitHub repository detail the vulnerability, including proof-of-concept exploit information. The vendor was contacted early but provided no response, and no patches or official mitigations have been issued. The exploit has been publicly disclosed and may be used by attackers.
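The flaw class described above, as an added illustration rather than DjangoBlog's code (it does not reproduce the owntracks/views.py handler): a request handler whose upstream-API key is a literal in source and can be overridden by a request parameter named 'key', beside a hardened variant that reads the key from the deployment environment (SC-12) and rejects unknown or malformed parameters (the input-validation control named under Mitigating Controls). The parameter names lat/lng, the environment variable AMAP_API_KEY and every value are constructed assumptions.

```python
"""Hard-coded key pattern beside a hardened variant.

Constructed illustration for this advisory: it is not DjangoBlog's code and does
not reproduce its owntracks/views.py handler. Parameter names, the environment
variable name and every value are assumptions.
"""
import re
from typing import Mapping, Optional

# Placeholder standing in for a secret committed to source (CWE-321).
HARDCODED_KEY = "EXAMPLE-HARDCODED-KEY-DO-NOT-USE"

# Constructed allow-list of client parameters for a map lookup (assumption).
EXPECTED_PARAMS = {"lat", "lng"}
PARAM_VALUE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def weak_handler(params: Mapping[str, str]) -> dict:
    """Weak pattern: the upstream-API key is a literal in source and a request
    parameter named 'key' is used as-is when present.

    Anyone with the repository knows the literal, and anyone who can send a
    request controls which key the server uses. The dict returned here only
    makes that observable for the demo; it is not an HTTP response.
    """
    api_key = params.get("key") or HARDCODED_KEY
    return {"status": 200, "key_used": api_key}


def load_api_key(env: Mapping[str, str]) -> Optional[str]:
    """Key management (SC-12): the secret is supplied by the deployment
    environment, never by source code or by the client."""
    key = env.get("AMAP_API_KEY")  # variable name is an assumption
    return key or None


def hardened_handler(params: Mapping[str, str], env: Mapping[str, str]) -> dict:
    """Hardened variant: environment-sourced key, strict input validation,
    and the key never appears in the result."""
    api_key = load_api_key(env)
    if api_key is None:
        # Fail closed instead of falling back to a literal.
        return {"status": 503, "error": "upstream key not configured"}

    # Input validation: 'key' is not a client parameter; unknown names are rejected.
    unexpected = set(params) - EXPECTED_PARAMS
    if unexpected:
        return {"status": 400, "error": f"unexpected parameters: {sorted(unexpected)}"}
    for name in sorted(EXPECTED_PARAMS):
        if not PARAM_VALUE.match(params.get(name, "")):
            return {"status": 400, "error": f"missing or invalid {name}"}

    # The key would be attached to the server-side upstream call here; it is
    # never echoed back to the client.
    return {"status": 200, "key_used": None}


if __name__ == "__main__":
    print(weak_handler({}))
    print(weak_handler({"key": "caller-supplied"}))
    print(hardened_handler({"lat": "31.2", "lng": "121.5"}, {}))
    print(hardened_handler({"lat": "31.2", "lng": "121.5", "key": "x"},
                           {"AMAP_API_KEY": "env-key"}))
    print(hardened_handler({"lat": "31.2", "lng": "121.5"}, {"AMAP_API_KEY": "env-key"}))
```

The hardened handler fails closed when the environment provides no key rather than falling back to a literal, and it treats a client-supplied 'key' as an unexpected parameter instead of honouring it; both choices follow directly from the two controls the advisory names.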
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23714
Vulnerability details
A security vulnerability has been detected in liangliangyy DjangoBlog up to 2.1.0.0. Affected is an unknown function of the file owntracks/views.py of the component Amap API Call Handler. Such manipulation of the argument key leads to use of hard-coded cryptographic key. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s): CWE-320 (Missing Cryptographic Key Management), CWE-321 (Use of Hard-coded Cryptographic Key)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application)
Why these techniques?
The vulnerability is a remotely exploitable flaw in a public-facing Django web application (Amap API handler) requiring no authentication, directly enabling T1190 for initial access and key disclosure.
Mitigating Controls (NIST 800-53 r5)
- SC-12 (Cryptographic Key Establishment and Management): Directly requires proper cryptographic key establishment and management, preventing the use of hard-coded keys as exploited in this CVE.
- SI-2 (Flaw Remediation): Mandates identification, reporting, prioritization, and remediation of flaws like the hard-coded key vulnerability in DjangoBlog.
- Information input validation: Enforces validation of information inputs such as the manipulable 'key' argument to block exposure of the hard-coded cryptographic key.
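Flaw identification (the first step SI-2 mandates) at the source level, as an added example that is not a DjangoBlog or VulDB tool: a small static check built on Python's standard-library ast module that flags credential-like names assigned a string literal, including the easy-to-miss case of a literal fallback default passed to os.environ.get() or os.getenv(). The sample source it scans is constructed inline; none of its names or values come from the affected project.

```python
"""Static check for hard-coded credential literals in Python source.

Constructed example for this advisory; not a DjangoBlog or VulDB tool. Uses the
standard-library ast module so it does not trip on comments or string contents
the way a line regex would. SAMPLE_SOURCE is constructed, not real project code.
"""
import ast
from typing import List, Optional, Tuple

CREDENTIAL_WORDS = ("key", "secret", "token", "password")

# Constructed sample; the names and values are invented for the demo.
SAMPLE_SOURCE = '''\
import os
AMAP_KEY = "0123456789abcdef0123456789abcdef"
api_key = os.environ.get("AMAP_API_KEY", "fallback0123456789")
token = os.getenv("AMAP_TOKEN")
user_name = "alice"
empty_secret = ""
'''


def _looks_like_credential(name: str) -> bool:
    lowered = name.lower()
    return any(word in lowered for word in CREDENTIAL_WORDS)


def _is_env_lookup(call: ast.Call) -> bool:
    """True for os.getenv(...) and <something>.environ.get(...)."""
    func = call.func
    if not isinstance(func, ast.Attribute):
        return False
    if func.attr == "getenv" and isinstance(func.value, ast.Name) and func.value.id == "os":
        return True
    return (func.attr == "get" and isinstance(func.value, ast.Attribute)
            and func.value.attr == "environ")


def _nonempty_str_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and bool(node.value)


def _env_default(call: ast.Call) -> Optional[ast.AST]:
    """The fallback value of an env lookup, given positionally or as default=."""
    if len(call.args) >= 2:
        return call.args[1]
    for kw in call.keywords:
        if kw.arg == "default":
            return kw.value
    return None


def find_hardcoded_keys(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, variable, kind) for every credential-like assignment whose
    value is a non-empty string literal or an env lookup with a literal default."""
    findings: List[Tuple[int, str, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        names = [t.id for t in node.targets
                 if isinstance(t, ast.Name) and _looks_like_credential(t.id)]
        if not names:
            continue
        value = node.value
        if _nonempty_str_literal(value):
            findings.append((node.lineno, names[0], "literal"))
        elif isinstance(value, ast.Call) and _is_env_lookup(value):
            default = _env_default(value)
            if default is not None and _nonempty_str_literal(default):
                findings.append((node.lineno, names[0], "literal fallback default"))
    return findings


if __name__ == "__main__":
    for lineno, name, kind in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} ({kind})")
```

The check is a name heuristic: a variable called monkey would be flagged and a secret held in an unrelated name would not, and annotated assignments (ast.AnnAssign) are not covered. It is meant to run in CI alongside a dedicated secret scanner, not to replace one; its value is catching the fallback-default case, which reintroduces a hard-coded key even after the primary lookup has been moved to the environment.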