CVE-2025-56749 · CRITICAL 9.4 · EPSS p35.8%

Description

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account.

Scoring

CVSS 3.1: 9.4 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.45% probability of exploitation · percentile 35.8% · 2026-06-18T12:00:27Z
Published: 2025-10-15
Last modified: 2025-10-21

Underlying weaknesses · 1

CWE-798

References

  1. https://suryadina.com/academy-lms-jwt-secret-7k9m2x4p8q/

Type | Target | Confidence | Tier
Weakness | Use of Hard-coded Credentials (cwe-798) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-51606
  2. CVE-2025-11290
  3. CVE-2025-3177
  4. CVE-2025-35940
  5. CVE-2025-69971
  6. CVE-2025-65730

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.