135459 matches found
CVE-2026-58660
Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save method used by the kanban board drag-and-drop endpoint validates the caller's role on the attacker-supplied projectid but never verifies that the supplied taskid actually belongs to that project. Because task identifiers a...
CVE-2026-53515
Better Auth is an authentication and authorization library for TypeScript. From 1.2.10 until 1.6.11, the @better-auth/sso plugin's POST /sso/register endpoint lets any organization member attach a new SSO provider to that organization because registerSSOProvider checks only for a membership row a...
CVE-2026-20298
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, and 10.1.2507.24, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could view stored credential hashes...
GHSA-6QVR-WJMV-V8MM Koel: Incomplete fix for CVE-2026-47260 — systemic SSRF in podcast & radio fetch paths
Summary The fix for CVE-2026-47260 v9.3.5 added an initial isSafeUrl check to several fetchers synchronizeEpisodes, getStreamableUrl, AddRadioStation, EpisodePlayable, but the redirect-target validation — the per-hop Guzzle onredirect callback added in follow-up commit be1e867 — was applied to on...
Koel: Incomplete fix for CVE-2026-47260 — systemic SSRF in podcast & radio fetch paths
Summary The fix for CVE-2026-47260 v9.3.5 added an initial isSafeUrl check to several fetchers synchronizeEpisodes, getStreamableUrl, AddRadioStation, EpisodePlayable, but the redirect-target validation — the per-hop Guzzle onredirect callback added in follow-up commit be1e867 — was applied to on...
GHSA-RV48-QQJ5-CRXG Protobuf: Unbounded recursion depth in embedded-message decoding
Summary Unbounded recursion depth in Protobuf.Decoder Hex package protobuf, versions = 0.8.0, 0.16.1 lets an unauthenticated attacker crash any service that decodes untrusted protobuf messages whose schema contains a self-referential or cyclic message type. A small request body a few KB to a few ...
Protobuf: Unbounded recursion depth in embedded-message decoding
Summary Unbounded recursion depth in Protobuf.Decoder Hex package protobuf, versions = 0.8.0, 0.16.1 lets an unauthenticated attacker crash any service that decodes untrusted protobuf messages whose schema contains a self-referential or cyclic message type. A small request body a few KB to a few ...
CVE-2026-53517 Better Auth OAuth Provider: Refresh Token Rotation Race Condition Allows Concurrent Replay and Token Family Forking
Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refreshtoken grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing...
CVE-2026-53517 Better Auth OAuth Provider: Refresh Token Rotation Race Condition Allows Concurrent Replay and Token Family Forking
Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refreshtoken grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing...
EUVD-2026-44745
Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refreshtoken grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing...
CVE-2026-53517
CVE-2026-53517 affects Better Auth’s oauth-provider (and related memory adapter) prior to version 1.6.11. The POST /oauth2/token refresh_token flow performs a non-atomic read–validate–revoke–mint sequence on the oauthRefreshToken row, allowing concurrent requests with the same parent refresh toke...
CVE-2026-53517
Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refreshtoken grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing...
CVE-2026-53517 Better Auth OAuth Provider: Refresh Token Rotation Race Condition Allows Concurrent Replay and Token Family Forking
Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refreshtoken grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing...
GHSA-WJHR-76VG-2HVC garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store
Insecure Permission Assignment for Garmin OAuth Token Store Summary garminconnect ≤ 0.3.4 wrote its OAuth token store to disk without restricting file-system permissions. Under the default Linux umask 022 the token file garmintokens.json was created world-readable 0o644. The file contains the DI...
garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store
Insecure Permission Assignment for Garmin OAuth Token Store Summary garminconnect ≤ 0.3.4 wrote its OAuth token store to disk without restricting file-system permissions. Under the default Linux umask 022 the token file garmintokens.json was created world-readable 0o644. The file contains the DI...
GHSA-8Q6Q-M837-FV64 Koel has SSRF through Authenticated Subsonic podcast feed URLs
Summary Koel's Subsonic createPodcastChannel.view endpoint accepts a user supplied podcast feed URL and fetches it server-side before applying the safe URL checks that are used for podcast episode enclosure URLs. An authenticated Subsonic API user can provide a loopback or internal URL as the fee...
Koel has SSRF through Authenticated Subsonic podcast feed URLs
Summary Koel's Subsonic createPodcastChannel.view endpoint accepts a user supplied podcast feed URL and fetches it server-side before applying the safe URL checks that are used for podcast episode enclosure URLs. An authenticated Subsonic API user can provide a loopback or internal URL as the fee...
CVE-2026-53515 Better Auth: Privilege escalation via SSO provider registration: missing admin role check in @better-auth/sso
Better Auth is an authentication and authorization library for TypeScript. From 1.2.10 until 1.6.11, the @better-auth/sso plugin's POST /sso/register endpoint lets any organization member attach a new SSO provider to that organization because registerSSOProvider checks only for a membership row a...
EUVD-2026-44740
Better Auth is an authentication and authorization library for TypeScript. From 1.2.10 until 1.6.11, the @better-auth/sso plugin's POST /sso/register endpoint lets any organization member attach a new SSO provider to that organization because registerSSOProvider checks only for a membership row a...
CVE-2026-53515
CVE-2026-53515 : The Better Auth library, specifically the @better-auth/sso plugin, contains a privilege escalation in versions 1.2.10 through 1.6.11. The POST /sso/register endpoint incorrectly allows any organization member to attach a new SSO provider because registerSSOProvider checks only fo...