Cyber Resilience

CVE-2026-6580

Severity: Medium

Published: 19 April 2026
Modified: 22 April 2026
KEV Added: not listed in CISA KEV
Patch: none issued by the vendor
CVSS Score (v4.0): 6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0005 (17.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-6580 is a medium-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in liangliangyy DjangoBlog. Its CVSS v4.0 base score is 6.9 (Medium); note that the CVSS 3.1 vector cited below scores 7.3, which v3.1 rates High, so the severity label depends on which scoring version a tracker uses.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 17.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6580 affects liangliangyy DjangoBlog versions up to 2.1.0.0, specifically an unidentified function in the file owntracks/views.py within the Amap API Call Handler component. The weakness is the use of a hard-coded cryptographic key; the advisory attributes the issue to manipulation of the 'key' argument but does not identify the exact code path.

The vulnerability is remotely exploitable with low attack complexity, requiring no privileges or user interaction, per its CVSS 3.1 score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), which v3.1 rates High. A remote attacker who can reach the handler may access the hard-coded key, potentially leading to limited impacts on confidentiality, integrity, and availability. Because a key embedded in source is identical in every deployment of the affected versions, recovering it once is enough to abuse it against any instance until the key is removed from the code and rotated. It is classified under CWE-320 (Key Management Errors) and CWE-321 (Use of Hard-coded Cryptographic Key).
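The page does not show the affected code path. As an added illustration (not DjangoBlog's code, and written framework-free so it runs without Django), the following constructed Python shows the weakness class behind CWE-321 in a map-API proxy handler: a key baked into the source next to a client-controllable 'key' parameter, and the hardened form that loads the key from deployment configuration (SC-12), allowlists client parameters (SI-10) and redacts the key from anything returned to the client. The upstream endpoint URL, the parameter names, the assumed key format and the AMAP_API_KEY environment variable are assumptions for the example.

```python
import os
import re
import urllib.parse

# Constructed stand-in for a key baked into source (CWE-321). Not DjangoBlog's value.
HARDCODED_AMAP_KEY = "0123456789abcdef0123456789abcdef"

# Assumed upstream endpoint for illustration only.
AMAP_GEOCODE_URL = "https://restapi.amap.com/v3/geocode/geo"


def vulnerable_amap_url(query: dict) -> str:
    """Vulnerable pattern: the upstream key lives in source, and a client-supplied
    'key' parameter is passed straight through to the upstream request."""
    params = {
        "address": query.get("address", ""),
        # the client can substitute a key of its own or probe how the handler reacts
        "key": query.get("key", HARDCODED_AMAP_KEY),
    }
    return AMAP_GEOCODE_URL + "?" + urllib.parse.urlencode(params)


class MissingKeyError(RuntimeError):
    """Raised when the deployment has not provided the upstream key."""


# Allowlist of client parameters that may reach the upstream call (SI-10).
_ALLOWED_PARAMS = {"address", "city"}
_KEY_SHAPE = re.compile(r"[0-9a-f]{32}")  # assumed format of an upstream API key


def load_amap_key(env=None) -> str:
    """SC-12: the key comes from deployment configuration, never from source,
    and the handler fails loudly if it is missing or malformed."""
    env = os.environ if env is None else env
    key = env.get("AMAP_API_KEY", "")
    if not _KEY_SHAPE.fullmatch(key):
        raise MissingKeyError("AMAP_API_KEY is not set or is malformed")
    return key


def hardened_amap_url(query: dict, env=None) -> str:
    """Hardened handler: client input is filtered to an allowlist, so a client
    'key' parameter is dropped, and the server-side key is attached afterwards."""
    params = {k: v for k, v in query.items() if k in _ALLOWED_PARAMS}
    params["key"] = load_amap_key(env)
    return AMAP_GEOCODE_URL + "?" + urllib.parse.urlencode(params)


def redact_key(message: str, key: str) -> str:
    """Anything returned or logged for the client must not carry the key,
    for example an upstream error message that echoes the request URL."""
    return message.replace(key, "[redacted]")


if __name__ == "__main__":
    print("vulnerable:", vulnerable_amap_url({"address": "Beijing", "key": "attacker"}))
    demo_env = {"AMAP_API_KEY": "ab" * 16}
    url = hardened_amap_url({"address": "Beijing", "key": "attacker"}, demo_env)
    print("hardened:  ", redact_key(url, demo_env["AMAP_API_KEY"]))
```

The point of `load_amap_key` raising rather than falling back to a default is that a missing secret should break the deployment visibly instead of silently reviving a shared key; rotating the key then means changing configuration, not shipping a code change.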

Advisories on VulDB and a GitHub repository detail the vulnerability, including proof-of-concept exploit information. The vendor was contacted early but provided no response, and no patches or official mitigations have been issued. The exploit has been publicly disclosed and may be used by attackers.


Vulnerability details

A security vulnerability has been detected in liangliangyy DjangoBlog up to 2.1.0.0. Affected is an unknown function of the file owntracks/views.py of the component Amap API Call Handler. Such manipulation of the argument key leads to use of hard-coded cryptographic key. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remotely exploitable flaw in a public-facing Django web application (Amap API handler) requiring no authentication, directly enabling T1190 for initial access and key disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15016 (shared CWE-321)
CVE-2026-26335 (shared CWE-321)
CVE-2025-62581 (shared CWE-321)
CVE-2026-22586 (shared CWE-321)
CVE-2025-11899 (shared CWE-321)
CVE-2025-57174 (shared CWE-321)
CVE-2025-11609 (shared CWE-320, CWE-321)
CVE-2025-34215 (shared CWE-321)
CVE-2026-25505 (shared CWE-321)
CVE-2026-25894 (shared CWE-321)


Mitigating Controls (NIST 800-53 r5)

SC-12 Cryptographic Key Establishment and Management (prevent)
Directly requires proper cryptographic key establishment and management, preventing the use of hard-coded keys as exploited in this CVE. This is the control that addresses the root cause: the key must come from managed configuration and be rotatable without a code change.

SI-2 Flaw Remediation (prevent)
Mandates identification, reporting, prioritization, and remediation of flaws like the hard-coded key vulnerability in DjangoBlog. With no vendor patch available, remediation here means locating the key in the deployed code and replacing it with a configured one.

SI-10 Information Input Validation (prevent)
Enforces validation of information inputs such as the manipulable 'key' argument. Validating client input limits what an attacker can steer the handler into doing, but it does not remove the hard-coded key itself, so it is a compensating measure alongside SC-12 rather than a substitute for it.
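SI-2 presupposes that a hard-coded key can be found before, or at least after, it ships. As an added example that is not part of this page or the DjangoBlog project, the following Python walks a module's AST and flags string literals that look like credentials, using three heuristics: the literal is assigned to a key-like identifier or passed as a key-like keyword argument, it is at least 16 characters long, and its Shannon entropy is at least 3 bits per character (which skips placeholders such as "changeme"). The name pattern and thresholds are assumptions, and the sample module it scans is constructed.

```python
import ast
import math
import re

# Identifiers that suggest a credential. Assumed heuristic, not a standard list.
_SECRET_NAME = re.compile(r"(key|secret|token|passw(or)?d)", re.IGNORECASE)
_MIN_LEN = 16
_MIN_ENTROPY = 3.0  # bits per character; hex keys sit at about 4.0, English words well below 3


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, used to skip placeholders like 'changeme'."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _looks_like_secret(value) -> bool:
    """True for a string literal that is long and random enough to be a real key."""
    return (
        isinstance(value, ast.Constant)
        and isinstance(value.value, str)
        and len(value.value) >= _MIN_LEN
        and shannon_entropy(value.value) >= _MIN_ENTROPY
    )


def _target_name(node):
    """Name of an assignment target, for plain names and attributes such as self.key."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def find_hardcoded_keys(source: str, filename: str = "<memory>"):
    """Return sorted (line, name) pairs for literals that look like hard-coded keys,
    whether assigned to a key-like variable or passed as a key-like keyword argument."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, (ast.Assign, ast.AnnAssign)):
            targets = node.targets if isinstance(node, ast.Assign) else [node.target]
            for t in targets:
                name = _target_name(t)
                if name and _SECRET_NAME.search(name) and _looks_like_secret(node.value):
                    findings.append((node.lineno, name))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg and _SECRET_NAME.search(kw.arg) and _looks_like_secret(kw.value):
                    findings.append((node.lineno, kw.arg))
    return sorted(set(findings))


# Constructed sample module; it is parsed, not executed, so Client need not exist.
SAMPLE_SOURCE = '''
import os
AMAP_KEY = "9f8e7d6c5b4a39281706f5e4d3c2b1a0"   # baked into source: finding
API_KEY = os.environ.get("AMAP_API_KEY")         # read from environment: fine
DEBUG_KEY = "placeholder"                        # short, low entropy: skipped
client = Client(secret="Zq4!vT9#mL2$pX7&wR1@")   # keyword argument: finding
'''

if __name__ == "__main__":
    for line, name in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {line}: possible hard-coded secret in '{name}'")
```

Run over a checkout with `find_hardcoded_keys(open(path).read(), path)` per file. The AST approach avoids the false positives a regex over raw text produces from comments and docstrings, but it cannot see keys built by concatenation or decoded at runtime, so treat a clean scan as necessary rather than sufficient.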
