12605 matches found
CVE-2026-46351
BigBlueButton (open-source virtual classroom) prior to 3.0.21 used insufficiently secure randomness to generate conference sessionToken values in bbb-common-web/src/main/java/org/bigbluebutton/api/Util.java and bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiControll...
CVE-2026-38974
A flaw was found in Dulwich. The contrib/paramikovendor.py component is missing Secure Shell SSH host key verification. This vulnerability allows a remote attacker to impersonate a legitimate Git server. By doing so, the attacker could potentially intercept sensitive information or execute...
RegistrationMagic <= 5.0.1.7 - Authentication Bypass
RegistrationMagic WordPress plugin versions = 5.0.1.7 contain an authentication bypass caused by missing identity validation in socialloginusingemail, letting unauthenticated users log in as any site user, exploit requires knowing a valid username. id: CVE-2021-4073 info: name: RegistrationMagic ...
WordPress Pie Register <= 3.7.1.4 - Authentication Bypass
An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting socialsite=true and manipulating the useridsocialsite parameter,...
OneDev < 4.0.3 - User Access Token Leak
OneDev before version 4.0.3 contains an insecure endpoint that allows retrieval of arbitrary user details, including access tokens, due to missing security checks on /users/id, letting attackers leak sensitive data and impersonate users, exploit requires no special conditions. id: CVE-2021-21246...
Dash Framework - Cross-site Scripting
Dash framework versions before 2.15.0 are vulnerable to Cross-site Scripting XSS via href attribute in anchor tags. This template tests for javascript:alert payload injection. id: CVE-2024-21485 info: name: Dash Framework - Cross-site Scripting author: Lee Changhyuneeche severity: medium...
Keycloak - SAML Core Package Signature Validation Flaw
A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Referen...
WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass
Burst Statistics – Privacy-Friendly WordPress Analytics plugin 3.4.0 to 3.4.1.1 contains an authentication bypass caused by incorrect return-value handling in ismainwpauthenticated function, letting unauthenticated attackers impersonate administrators, exploit requires knowledge of an administrat...
MooSocial 3.1.8 - Cross-Site Scripting
A reflected cross-site scripting XSS vulnerability exisits in the dataredirecturl parameter on user login function of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL. id: CVE-2023-43325 info: name: MooSocial 3.1.8 - Cross-Sit...
CVE-2026-12585
The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is...
CVE-2026-47164
Vaultwarden (Rust) prior to 1.36.0 has an authentication flaw in its SSO flow: when SSO_SIGNUPS_MATCH_EMAIL=true, an IdP identity can bind to an existing local Vaultwarden account by asserting a victim email, due to checking the IdP email_verified claim only during new-user creation. This could a...
PT-2026-60204
Name of the Vulnerable Software and Affected Versions Vaultwarden versions prior to 1.36.0 Description The SSO login flow fails to verify the email verified claim from the Identity Provider IdP when the SSO SIGNUPS MATCH EMAIL variable is set to true during the linking of an IdP identity to an...
MAL-2026-10613 Malicious code in ethereum-lib-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58bddf420dcb894a940b62fba777628f0c3a9d31dd7fa915afaea618c1914d52 Package [email protected] impersonates the widely-used ethereumjs-util library: the package name, README badge, repository, homepage, and auth...
CVE-2026-45063
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, X509Authenticator extracts the user identifier from $SERVER'SSLCLIENTSDN' with an unanchored regex that matches emailAddress= anywhere in the distinguishe...
EUVD-2026-37897
Woodpecker gRPC agentid metadata can be spoofed- cross-tenant agent impersonation...
CVE-2026-45063
Symfony X509Authenticator vulnerability (CVE-2026-45063) allows identity spoofing because an unanchored regex extracts emailAddress from the certificate Subject DN, enabling a trusted certificate with emailAddress embedded in another RDN (e.g., CN) to authenticate as another user. Impact is high ...
CVE-2026-58595 Microsoft Bing App for IOS Spoofing Vulnerability
...
CVE-2026-10714
The CVE-2026-10714 issue affects FactoryTalk Services Platform (FTSP) . It hinges on a JWT validation bypass where the application does not verify that the JWT algorithm is configured for RSA, allowing an attacker to set the algorithm to "none" and forge tokens. This could enable an authenticated...
Malicious code in ethers-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3959190c7c321e0d6f512b89b3c54a6399f3e6f7daecd0563ff753a6a6fed2f5 Package name typosquats the popular 'ethers' library. package.json declares a postinstall pointing at dist/index.min.js, whose sole top-level stateme...
CVE-2026-15389
A vulnerability relating to insufficient access control has been identified in the session management of the Sesame Time web application and its REST v3 API. The flaw lies in the fact that the system uses the session identifier USID as the sole validation mechanism, without verifying whether that...