161466 matches found
Exploit for Incorrect Implementation of Authentication Algorithm in Google Android
🔓 CVE-2026-0073: Android adbd Authentication Bypass Proof...
CVE-2026-20169
A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to access files and execute commands on a remote router. This vulnerability is due to insufficient input validation of user-supplied data. An...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the UI server WebSocket. An attacker can gain unauthorized access to sensitive endpoints, such as streaming real-time pod logs, opening an interactive shell inside a running pod, or...
Missing Authentication for Critical Function
Overview github.com/0xJacky/Nginx-UI is a yet another Nginx Web UI, developed by 0xJacky and Hintay. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the POST /api/install endpoint during the initial setup 10 minutes window, which is accessible...
GHSA-H27V-PH7W-M9FP Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
Summary An unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in...
GHSA-VJR5-C9QV-HGM3 Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API
Summary A SQL injection vulnerability in the Oracle path of FilterEngine.createsqlaquery allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint GET /dids//dids/search. Attacker-controlled filter keys and values are interpolated...
Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API
Summary A SQL injection vulnerability in the Oracle path of FilterEngine.createsqlaquery allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint GET /dids//dids/search. Attacker-controlled filter keys and values are interpolated...
CVE-2026-20034 Cisco Unity Connection Remote Code Execution Vulnerability
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability ...
CVE-2026-20167 Cisco IoT Field Network Director Remote Device Denial of Service Vulnerability
A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to cause a DoS condition on a remotely managed router. This vulnerability is due to improper error handling. An attacker could exploit this...
CVE-2026-20185 Cisco SG350 and SG350X Series Managed Switches SNMP Denial of Service Vunerability
A vulnerability in the Simple Network Management Protocol SNMP subsystem of Cisco 350 Series Managed Switches SG350 and Cisco 350X Series Stackable Managed Switches SG350X firmware could allow an authenticated, remote attacker to cause a denial of service DoS condition on an affected device. This...
Cisco Identity Services Engine Authentication Bypass Vulnerabilities
Multiple vulnerabilities in Cisco Identity Services Engine ISE could allow a remote attacker to bypass authorization mechanisms or examine error messages to gain access to sensitive information on an affected device. For more information about these vulnerabilities, see the Details "details"...
CVE-2026-6691
CVE-2026-6691 affects the MongoDB C Driver Cyrus SASL integration. The issue is unsafe string copying during username canonicalization, leading to a heap buffer overflow before any authentication or network traffic. The vulnerability can be triggered by untrusted input in the username of a MongoD...
MongoDB C Driver Cyrus SASL Canonicalization Buffer Overflow
The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI...
CVE-2026-43569
OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically...
MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
The Iranian state-sponsored hacking group known as MuddyWater aka Mango Sandstorm, Seedworm, and Static Kitten has been attributed to a ransomware attack in what has been described as a "false flag" operation. The attack, observed by Rapid7 in early 2026, has been found to leverage social...
EUVD-2025-209663
HCL DFXAnalytics is affected by an Insufficient Transport Layer Protection vulnerability where data is transmitted over the network without encryption, which could allow an attacker to compromise the confidentiality, integrity, and authentication of sensitive information...
SUSE-SU-2026:1717-1 Security update for curl
This update for curl fixes the following issues: Security issues fixed: - CVE-2026-4873: connection reuse ignores TLS requirement bsc1262631. - CVE-2026-5545: wrong reuse of HTTP Negotiate connection bsc1262632. - CVE-2026-6253: proxy credentials leak over redirect-to proxy bsc1262635. -...
RLSA-2026:13498 Important: dovecot security update
Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fixes: doveco...
CLSA-2026-1778068747 Fix CVE(s): CVE-2026-0966
SECURITY UPDATE: heap buffer underflow in sshgethexa on zero-length or NULL input, remotely reachable via GSSAPI authentication logging - debian/patches/CVE-2026-0966.patch: reject NULL/zero-length input in sshgethexa in src/dh.c - CVE-2026-0966: fix heap buffer underflow in sshgethexa...
Session Fixation
Overview Affected versions of this package are vulnerable to Session Fixation due to the missing changeSessionId invocation after session binding. An attacker can hijack user sessions by exploiting the lack of session ID regeneration after authentication. Remediation Upgrade...