CVE-2025-15107
LOW
Actiontech SQLE <=4.2511.0 - Use of Hard-coded Cryptographic Key
Title source: llm
Description
A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. Manipulation of the argument JWTSecretKey leads to use of a hard-coded cryptographic key. The attack can be carried out remotely. The attack's complexity is rated as high, and exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release.
References (5)
Core References
Third Party Advisory, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.338478
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.338478
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.710380
Exploit, Third Party Advisory exploit
issue-tracking
https://github.com/actiontech/sqle/issues/3186
Exploit related
https://github.com/actiontech/sqle/milestone/53
Scores
CVSS v3
3.7
EPSS
0.0056
EPSS Percentile
42.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-320
CWE-321
CWE-798
Status
published
Products (2)
actionsky/sqle
< 4.2511.0
actiontech/sqle
0Go
Published
Dec 27, 2025
Tracked Since
Feb 18, 2026