CVE-2026-5420: Use of Hard-coded Cryptographic Key in Shinrays Games Goods Triple App
A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AES_IV/AES_PASSWORD results in use of hard-coded cryptographic key . Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
This vulnerability in Shinrays Games Goods Triple App up to version 1.200 arises from the use of a hard-coded cryptographic key in the component cats.goods.sort.sorting.games, specifically within an unknown function in jRwTX.java. Manipulating the AES_IV or AES_PASSWORD arguments triggers this flaw. The attack requires local access with low privileges and has high complexity, making exploitation difficult. Although an exploit is publicly available, no official patch or vendor response has been provided.
Potential Impact
The use of a hard-coded cryptographic key can weaken the confidentiality of encrypted data within the application, potentially allowing an attacker with local access to compromise sensitive information protected by AES encryption. However, the low CVSS score (2.0) and the requirement for local access with high attack complexity limit the overall impact and exploitability of this vulnerability.
Mitigation Recommendations
No official patch or remediation is currently available from the vendor. Since the vendor has not responded and no fixes have been published, users should limit local access to trusted individuals and monitor for suspicious activity. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance if it becomes available.
CVE-2026-5420: Use of Hard-coded Cryptographic Key in Shinrays Games Goods Triple App
Description
A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AES_IV/AES_PASSWORD results in use of hard-coded cryptographic key . Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Shinrays Games Goods Triple App up to version 1.200 arises from the use of a hard-coded cryptographic key in the component cats.goods.sort.sorting.games, specifically within an unknown function in jRwTX.java. Manipulating the AES_IV or AES_PASSWORD arguments triggers this flaw. The attack requires local access with low privileges and has high complexity, making exploitation difficult. Although an exploit is publicly available, no official patch or vendor response has been provided.
Potential Impact
The use of a hard-coded cryptographic key can weaken the confidentiality of encrypted data within the application, potentially allowing an attacker with local access to compromise sensitive information protected by AES encryption. However, the low CVSS score (2.0) and the requirement for local access with high attack complexity limit the overall impact and exploitability of this vulnerability.
Mitigation Recommendations
No official patch or remediation is currently available from the vendor. Since the vendor has not responded and no fixes have been published, users should limit local access to trusted individuals and monitor for suspicious activity. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance if it becomes available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-02T11:46:41.200Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69cec5aae6bfc5ba1dfbd837
Added to database: 4/2/2026, 7:38:18 PM
Last enriched: 4/9/2026, 10:46:27 PM
Last updated: 5/20/2026, 8:05:38 AM
Views: 58
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.