PT-2026-24894 · Perfree · Go-Fastdfs-Web

Din4 +1 · Published 2026-03-11 · Updated 2026-03-12 · CVE-2026-3963

CVSS v3.1: 3.7 (Low)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

perfree go-fastdfs-web versions through 1.3.7

Description

A security issue has been identified in the rememberMeManager function within the Apache Shiro RememberMe component of perfree go-fastdfs-web. This function, located in the file src/main/java/com/perfree/config/ShiroConfig.java, utilizes a hard-coded cryptographic key. This allows for remote attacks, though the complexity is considered high and exploitability is reported as difficult. The exploit for this issue has been publicly released. The vendor was notified but did not respond.

Recommendations

Versions through 1.3.7 should be updated to a newer, secure version as soon as it becomes available. As a temporary workaround, consider disabling the RememberMe functionality within the Apache Shiro configuration until a patch is available.
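
The recommendation above, sketched as an added example (not code from go-fastdfs-web or from this advisory): the RememberMe key is read from the environment instead of the source, and RememberMe is switched off when no key is provisioned. The class name and the `SHIRO_REMEMBERME_KEY` variable are hypothetical.

```java
import java.util.Base64;

import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

/** Added example (hypothetical class), not code from go-fastdfs-web. */
public final class RememberMeHardening {

    // Assumption: hypothetical variable holding a Base64-encoded AES key,
    // generated per deployment and kept out of the source tree.
    static final String KEY_ENV = "SHIRO_REMEMBERME_KEY";

    // Weak pattern this replaces (constructed illustration):
    //   manager.setCipherKey(Base64.getDecoder().decode("<literal committed to source>"));
    // Every installation then shares one key that anyone with the source can read.

    /** Decodes and validates the key; returns null when none is configured. */
    static byte[] loadKey(String encoded) {
        if (encoded == null || encoded.trim().isEmpty()) {
            return null;
        }
        byte[] key = Base64.getDecoder().decode(encoded.trim());
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException(KEY_ENV + " must decode to 16, 24 or 32 bytes");
        }
        return key;
    }

    /** Applies the key, or disables RememberMe when no key is provisioned. */
    static void configure(DefaultWebSecurityManager securityManager) {
        byte[] key = loadKey(System.getenv(KEY_ENV));
        if (key == null) {
            // Workaround from the advisory: with no RememberMeManager set,
            // Shiro neither issues nor reads rememberMe cookies.
            securityManager.setRememberMeManager(null);
            return;
        }
        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCipherKey(key); // sets encryption and decryption key together
        securityManager.setRememberMeManager(manager);
    }
}
```

Replacing the key invalidates rememberMe cookies issued under the old one, so affected users simply log in again.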

Related Identifiers

CVE-2026-3963

Affected Products

Go-Fastdfs-Web