{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5420", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-02T11:46:41.200Z", "datePublished": "2026-04-02T19:00:17.487Z", "dateUpdated": "2026-04-03T15:56:29.692Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T19:00:17.487Z"}, "title": "Shinrays Games Goods Triple App cats.goods.sort.sorting.games jRwTX.java hard-coded key", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-321", "lang": "en", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-320", "lang": "en", "description": "Key Management Error"}]}], "affected": [{"vendor": "Shinrays Games", "product": "Goods Triple App", "versions": [{"version": "1", "status": "affected"}], "modules": ["cats.goods.sort.sorting.games"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AES_IV/AES_PASSWORD results in use of hard-coded cryptographic key\r . Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2, "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "LOW"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.5, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.5, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1, "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-02T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-02T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-02T13:51:50.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "fxizenta (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/354856", "name": "VDB-354856 | Shinrays Games Goods Triple App cats.goods.sort.sorting.games jRwTX.java hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354856/cti", "name": "VDB-354856 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781740", "name": "Submit #781740 | Shinrays Games Goods Triple - Cat Goods Sort(cats.goods.sort.sorting.games) 1.200 Exposed Cryptographic Key and IV", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Exposed-Cryptographic-Key-and-IV-in-cats-goods-sort-sorting-games-3262de3f97fb801499ebc3dfd56e232e?source=copy_link", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T15:46:39.316826Z", "id": "CVE-2026-5420", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:56:29.692Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5420", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T15:46:39.316826Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:56:04.432Z"}}], "cna": {"title": "Shinrays Games Goods Triple App cats.goods.sort.sorting.games jRwTX.java hard-coded key", "credits": [{"lang": "en", "type": "reporter", "value": "fxizenta (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1, "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Shinrays Games", "modules": ["cats.goods.sort.sorting.games"], "product": "Goods Triple App", "versions": [{"status": "affected", "version": "1"}]}], "timeline": [{"lang": "en", "time": "2026-04-02T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-02T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-02T13:51:50.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/354856", "name": "VDB-354856 | Shinrays Games Goods Triple App cats.goods.sort.sorting.games jRwTX.java hard-coded key", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354856/cti", "name": "VDB-354856 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781740", "name": "Submit #781740 | Shinrays Games Goods Triple - Cat Goods Sort(cats.goods.sort.sorting.games) 1.200 Exposed Cryptographic Key and IV", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Exposed-Cryptographic-Key-and-IV-in-cats-goods-sort-sorting-games-3262de3f97fb801499ebc3dfd56e232e?source=copy_link", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AES_IV/AES_PASSWORD results in use of hard-coded cryptographic key\r . Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "Use of Hard-coded Cryptographic Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-320", "description": "Key Management Error"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T19:00:17.487Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5420", "state": "PUBLISHED", "dateUpdated": "2026-04-03T15:56:29.692Z", "dateReserved": "2026-04-02T11:46:41.200Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-02T19:00:17.487Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AES_IV/AES_PASSWORD results in use of hard-coded cryptographic key\r . Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5420", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 1.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 1.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-02T20:16:29.763", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781740"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354856"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354856/cti"}, {"source": "cna@vuldb.com", "url": "https://www.notion.so/Exposed-Cryptographic-Key-and-IV-in-cats-goods-sort-sorting-games-3262de3f97fb801499ebc3dfd56e232e?source=copy_link"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-320"}, {"lang": "en", "value": "CWE-321"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Goods Triple App", "source": "cna", "vendor": "Shinrays Games"}, "product": "goods_triple_app", "vendor": "shinrays_games"}], "analysis": {"en": {"generated_at": "2026-04-02T22:49:52.428325+00:00", "value": {"mitigation_remediation": ["Update to Shinrays Games Goods Triple App version 1.201 or newer where the hard\u2011coded key is removed.", "If an update is not immediately possible, isolate the application from untrusted local users or disable the cats.goods.sort.sorting.games component.", "Verify that no hard\u2011coded keys exist in the deployed configuration and enforce strong random key generation.", "Monitor application logs for failed decryption or authentication attempts that may indicate exploitation attempts.", "Contact Shinrays Games to request a security advisory or remediation guidance if a patch is not yet available."], "summary": {"action": "Apply patch", "impact": "Exposed hard\u2011coded cryptographic key enabling local decryption"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Shinrays Games Goods Triple App versions up to and including 1.200. The issue resides in the component cats.goods.sort.sorting.games, specifically the jRwTX.java source file.", "description_and_impact": "An unknown function in the file jRwTX.java of cats.goods.sort.sorting.games accepts a manipulated AES_IV/AES_PASSWORD argument, causing the application to fall back to a hard\u2011coded cryptographic key. This flaw exposes a predictable key that can be used by an attacker with local access to decrypt data or forge authentication tokens, thereby compromising confidentiality of stored assets and potentially broader system data if the key is reused elsewhere.", "risk_and_exploitability": "With a CVSS score of 2.0 the flaw is considered low severity. Exploitation requires local user privileges and is described as difficult, however publicly available code exists. The vulnerability is not listed in CISA's KEV catalog and no EPSS score is available, indicating limited automated exploitation evidence. The local attack requirement reduces the attack surface but still presents a risk for compromised or malicious local users."}}}}, "created": "2026-04-03T07:31:34.113612+00:00", "updated": "2026-04-03T09:16:30.234405+00:00", "vendors": ["shinrays_games", "shinrays_games$PRODUCT$goods_triple_app"]}