CVE-2026-11347 | THREATINT

Description

The linqi application contains hardcoded cryptographic keys. Additionally, the application uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption, making known-plaintext attacks feasible. An attacker with local access can leverage these vulnerabilities to decrypt sensitive obfuscated strings, including ConnectionString values containing database credentials from appsettings.json.

PUBLISHED Reserved 2026-06-05 | Published 2026-06-05 | Updated 2026-06-05 | Assigner linqi

HIGH: 8.5CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-321: Use of Hard-coded Cryptographic Key

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Product status

Any version
affected

Credits

Ianis BERNARD from NATO Cyber Security Centre (NCSC) finder

References

linqi.help/en/reference/security/security-advisories/ vendor-advisory third-party-advisory

cve.org (CVE-2026-11347)

nvd.nist.gov (CVE-2026-11347)

Download JSON