Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities by bambuddy

    CVE-2026-25505 (GCVE-0-2026-25505)

    Vulnerability from nvd – Published: 2026-02-04 20:06 – Updated: 2026-02-06 18:41
    VLAI
    Title
    Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication
    Summary
    Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7.
    Severity
    9.8 (Critical)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-321 - Use of Hard-coded Cryptographic Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    maziggy bambuddy Affected: < 0.1.7
    		Create a notification for this product.
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25505",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T20:35:19.621359Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T20:35:30.607Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "bambuddy",
          "vendor": "maziggy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.1.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "CWE-321: Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T18:41:07.205Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf"
        },
        {
          "name": "https://github.com/maziggy/bambuddy/pull/225",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/maziggy/bambuddy/pull/225"
        },
        {
          "name": "https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9"
        },
        {
          "name": "https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb"
        },
        {
          "name": "https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28"
        },
        {
          "name": "https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md"
        },
        {
          "name": "https://github.com/maziggy/bambuddy/releases/tag/v0.1.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/maziggy/bambuddy/releases/tag/v0.1.7"
        }
      ],
      "source": {
        "advisory": "GHSA-gc24-px2r-5qmf",
        "discovery": "UNKNOWN"
      },
      "title": "Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25505",
    "datePublished": "2026-02-04T20:06:30.538Z",
    "dateReserved": "2026-02-02T18:21:42.486Z",
    "dateUpdated": "2026-02-06T18:41:07.205Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

    CVE-2026-25505 (GCVE-0-2026-25505)

    Vulnerability from cvelistv5 – Published: 2026-02-04 20:06 – Updated: 2026-02-06 18:41
    VLAI
    Title
    Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication
    Summary
    Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7.
    Severity
    9.8 (Critical)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-321 - Use of Hard-coded Cryptographic Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    maziggy bambuddy Affected: < 0.1.7
    		Create a notification for this product.
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25505",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T20:35:19.621359Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T20:35:30.607Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "bambuddy",
          "vendor": "maziggy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.1.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "CWE-321: Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T18:41:07.205Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf"
        },
        {
          "name": "https://github.com/maziggy/bambuddy/pull/225",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/maziggy/bambuddy/pull/225"
        },
        {
          "name": "https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9"
        },
        {
          "name": "https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb"
        },
        {
          "name": "https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28"
        },
        {
          "name": "https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md"
        },
        {
          "name": "https://github.com/maziggy/bambuddy/releases/tag/v0.1.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/maziggy/bambuddy/releases/tag/v0.1.7"
        }
      ],
      "source": {
        "advisory": "GHSA-gc24-px2r-5qmf",
        "discovery": "UNKNOWN"
      },
      "title": "Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25505",
    "datePublished": "2026-02-04T20:06:30.538Z",
    "dateReserved": "2026-02-02T18:21:42.486Z",
    "dateUpdated": "2026-02-06T18:41:07.205Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}