CVE-2025-47945 · CRITICAL 9.8 · EPSS percentile 42.9%

Description

Donetick is an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens (JWT) for authentication, but the signing secret has a weak default value. While the responsibility is left to the system administrator to change it, this approach is inadequate. The vulnerability is proven by the existence of the issue in the live version as well. This issue can result in full account takeover of any user. Version 0.1.44 contains a patch.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.57% probability of exploitation · percentile 42.9% · 2026-06-18T12:00:27Z
Published: 2025-05-17
Last modified: 2025-06-12

Underlying weaknesses (2)

CWE-453, CWE-1188

References

  1. https://github.com/donetick/donetick/commit/620b897bc0135f6668bb8a5562678104531108eb
  2. https://github.com/donetick/donetick/commit/b9a6e177eefdc605dedbc5320f0d93d6573d1db6
  3. https://github.com/donetick/donetick/security/advisories/GHSA-hjjg-vw4j-986x


Type      Target                                                              Confidence  Tier
Weakness  Initialization of a Resource with an Insecure Default (CWE-1188)    0%          live
Weakness  Insecure Default Variable Initialization (CWE-453)                  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2025-56749
  - CVE-2026-45631
  - CVE-2025-30206
  - CVE-2025-51606
  - CVE-2026-24359
  - CVE-2025-41672
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.