Key vulnerability information

Title: rachelos WeRSS WeRSS<=1.4.8 Weak Authentication

Description: WeRSS (https://github.com/rachelos/we-mp-rss/) uses hardcoded weak default JWT secret keys, and the default key in the configuration file is also predictable (project name). Attackers can use these default keys to forge valid administrator tokens, completely bypassing authentication.

Reference: https://www.notion.so/WeRSS-Weak-JWT-Key-Leading-to-Authentication-Bypass-2feea92a3c41803faadae58327facd7b

Source: https://www.notion.so/WeRSS-Weak-JWT-Key-Leading-to-Authentication-Bypass-2feea92a3c41803faadae58327facd7b

User: din4 (UID 50867)
Submission Date: 02/05/2026 08:57 AM
Moderation Date: 02/08/2026 09:30 AM
Status: Accepted
VulDB Entry: 234932 [rachelos WeRSS we-mp-rss up to 1.4.8 JWT core/auth.py SECRET_KEY default key]
Points: 16
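A deployment-side guard against the weakness described above, as an added example that is not code from WeRSS or from the submission: a startup check that refuses a JWT signing secret that is unset, equal to a shipped default, derived from the project name, or too weak for HS256. The function name, thresholds and sample values are assumptions; the actual hardcoded default in core/auth.py is not given on this page, so `known_defaults` is left for the operator to fill in.

```python
import math
import re
from collections import Counter

MIN_BYTES = 32           # RFC 7518 s3.2: HS256 key must be >= 256 bits
MIN_ENTROPY_BITS = 128   # assumed floor for the rough estimate below
PROJECT_NAMES = ["we-mp-rss", "WeRSS"]  # names taken from the page
# Constructed sample of an acceptable secret (64 hex chars), for the demo only.
STRONG_SAMPLE = "9f2c4e1ab7d03865c1f4a29e6b0d7735e8a14c92fb6073d5a0c8e4172b39d6f1"

def _normalize(s):
    """Lowercase and drop separators so 'We-MP_RSS' matches 'wemprss'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def _entropy_bits(s):
    """Rough estimate: per-character Shannon entropy times length."""
    n = len(s)
    return -sum(c * math.log2(c / n) for c in Counter(s).values())

def check_jwt_secret(secret, project_names, known_defaults=()):
    """Return the reasons a secret is unsafe; an empty list means acceptable."""
    if not secret:
        return ["secret is empty or unset"]
    problems = []
    if secret in known_defaults:
        problems.append("secret equals a default shipped with the code or config")
    norm = _normalize(secret)
    for name in project_names:
        n = _normalize(name)
        # Project name plus at most a short suffix/prefix is still guessable.
        if n and n in norm and len(norm) - len(n) <= 8:
            problems.append("secret is derived from the project name")
            break
    if len(secret.encode()) < MIN_BYTES:
        problems.append("secret is shorter than 32 bytes")
    if _entropy_bits(secret) < MIN_ENTROPY_BITS:
        problems.append("secret has low estimated entropy")
    return problems

if __name__ == "__main__":
    # Constructed inputs: a project-name key, a padded variant, a good key.
    for candidate in ["we-mp-rss", "WeRSS_2024", STRONG_SAMPLE]:
        reasons = check_jwt_secret(candidate, PROJECT_NAMES)
        print(f"{candidate[:12]!r:16} -> {'OK' if not reasons else reasons}")
```

Run the check before the application starts accepting requests and exit on a non-empty result; replacing the secret with freshly generated random bytes (for example `secrets.token_urlsafe(48)`) also invalidates every token signed with the old key.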