VYPR
← All advisories
High severityNVD Advisory· Published Jun 5, 2026· Updated Jun 5, 2026

CVE-2026-11347

CVE-2026-11347

Description

linqi application has hardcoded crypto keys and weak IV generation, allowing local attackers to decrypt sensitive data like database credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

linqi application has hardcoded crypto keys and weak IV generation, allowing local attackers to decrypt sensitive data like database credentials.

Vulnerability

The linqi application, in all versions prior to 1.4.8.6, contains hardcoded cryptographic keys and uses a weak algorithm with a limited ASCII charset for dynamically generating Initialization Vectors (IVs) for AES/CBC encryption. This combination makes known-plaintext attacks feasible against the encryption mechanism.

Exploitation

An attacker with local access to the affected linqi application can leverage these vulnerabilities. By exploiting the weak IV generation and the hardcoded keys, an attacker can perform known-plaintext attacks to decrypt obfuscated strings stored within the application.

Impact

Successful exploitation allows an attacker to decrypt sensitive obfuscated strings, including ConnectionString values that contain database credentials stored in appsettings.json. This can lead to unauthorized access to databases and potential compromise of sensitive information.

Mitigation

The issue has been resolved in linqi version 1.4.8.6, released on June 05, 2026 [1]. Users are strongly recommended to install security updates in a timely manner. No workarounds are mentioned in the available references.

References
  1. Security Advisories | linqi GmbH Documentation

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.