PatchSiren


CVE-2026-11347 linqi GmbH CVE debrief

CVE-2026-11347 is a HIGH-severity vulnerability in the linqi application. The application contains hardcoded cryptographic keys and uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption. This makes known-plaintext attacks feasible, allowing an attacker with local access to decrypt sensitive obfuscated strings, including ConnectionString values containing database credentials from appsettings.json.

Vendor: linqi GmbH
Product: linqi
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-05
Original CVE updated: 2026-06-05
Advisory published: 2026-06-05
Advisory updated: 2026-06-05

Who should care

Users of the linqi application, especially those with local access, should be aware of this vulnerability and take immediate action to mitigate it.

Technical summary

The linqi application contains hardcoded cryptographic keys. Additionally, the application uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption, making known-plaintext attacks feasible. An attacker with local access can leverage these vulnerabilities to decrypt sensitive obfuscated strings, including ConnectionString values containing database credentials from appsettings.json.

Defensive priority

HIGH

Recommended defensive actions

  • Update the linqi application to use secure cryptographic practices, including randomly generated cryptographic keys and secure IV generation.
  • Implement additional security measures to protect sensitive data, such as database credentials.
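
An added example (not from the advisory or from linqi's code) of checking IV generation against the weakness in the technical summary: it compares the entropy bound of a charset-limited IV with a CSPRNG IV and audits a sample of IVs from your own code. The alphanumeric charset and all function names are assumptions; the advisory does not publish the actual alphabet.

```python
import math
import secrets
import string

AES_BLOCK = 16  # AES block size in bytes; a CBC IV is one block long

# Assumption: the advisory does not publish the IV alphabet, so this
# alphanumeric set is a constructed stand-in for "limited ASCII charset".
ASSUMED_CHARSET = (string.ascii_letters + string.digits).encode()


def iv_entropy_bits(charset_size: int, length: int = AES_BLOCK) -> float:
    """Upper bound on IV entropy when each byte comes from charset_size symbols."""
    return length * math.log2(charset_size)


def weak_iv(charset: bytes = ASSUMED_CHARSET) -> bytes:
    """Constructed model of the flawed pattern: IV bytes picked from a small alphabet."""
    return bytes(secrets.choice(charset) for _ in range(AES_BLOCK))


def strong_iv() -> bytes:
    """Corrected pattern: a full block from the OS CSPRNG, fresh for every message."""
    return secrets.token_bytes(AES_BLOCK)


def audit_ivs(ivs: list[bytes]) -> dict:
    """Flag an IV sample that looks charset-restricted or contains repeats."""
    if not ivs or any(len(iv) != AES_BLOCK for iv in ivs):
        raise ValueError("expected a non-empty list of 16-byte IVs")
    distinct_bytes = {b for iv in ivs for b in iv}
    printable = sum(all(0x20 <= b <= 0x7E for b in iv) for iv in ivs)
    repeated = len(ivs) - len(set(ivs))
    # A uniformly random IV is all-printable with probability (95/256)**16,
    # about 1.3e-7, so even one such IV in a sample is strong evidence.
    return {
        "distinct_byte_values": len(distinct_bytes),
        "all_printable_ivs": printable,
        "repeated_ivs": repeated,
        # Estimate from the alphabet observed in this sample only.
        "entropy_bound_bits": round(iv_entropy_bits(len(distinct_bytes)), 1),
        "suspect": printable > 0 or repeated > 0,
    }


if __name__ == "__main__":
    print("weak  :", audit_ivs([weak_iv() for _ in range(200)]))
    print("strong:", audit_ivs([strong_iv() for _ in range(200)]))
```

Feed `audit_ivs` the IVs your own encryption routine emits in a test run; a CSPRNG-backed generator should report no all-printable or repeated IVs.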

Evidence notes

The CVE-2026-11347 record was obtained from the official CVE.org database and the NVD detail page.

Official resources

CVE-2026-11347 was published on 2026-06-05T11:16:34.627Z and modified on 2026-06-05T16:07:31.547Z.