Lucene search
K

161568 matches found

GitLab Advisory Database
GitLab Advisory Database
added 2026/05/05 12:0 a.m.16 views

Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback

An authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret query parameter, causing the request to be treated as authenticated via the...

6.5CVSS5.8AI score0.00299EPSS
Exploits1References4Affected Software1
UbuntuCve
UbuntuCve
added 2026/05/05 12:0 a.m.9 views

CVE-2026-33006

A timing attack against modauthdigest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue...

4.8CVSS5.8AI score0.00557EPSS
Exploits1References2
RedHat Linux
RedHat Linux
added 2026/05/04 11:37 p.m.7 views

crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security TLS session resumption when certificate authority CA settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing ...

10CVSS6.8AI score0.00765EPSS
Exploits1References8
Slackware Linux
Slackware Linux
added 2026/05/04 10:47 p.m.27 views

[slackware-security] httpd

New httpd packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/httpd-2.4.67-i586-1slack15.0.txz: Upgraded. This release fixes bugs and the following security issues: modproxyajp: Heap Over-Read and...

9.8CVSS6AI score0.4581EPSS
Exploits18
Github Security Blog
Github Security Blog
added 2026/05/04 10:28 p.m.9 views

sequoia-git has broken hard revocation handling

Before sq-git checks if a commit can be authenticated, it first looks for hard revocations. Because parsing a policy is expensive and a project's policy rarely changes, sq-git has an optimization to only check a policy if it hasn't checked it before. It does this by maintaining a set of policies...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 10:3 p.m.6 views

net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication

Summary When authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. Details A hostile IMAP server can send an arbitrarily large PBKDF2 iteration count in the...

6.5CVSS5.8AI score0.00299EPSS
Exploits0References11Affected Software1
Snyk
Snyk
added 2026/05/04 10:3 p.m.10 views

Use of Blocking Code in Single-threaded, Non-blocking Context

Overview Affected versions of this package are vulnerable to Use of Blocking Code in Single-threaded, Non-blocking Context through the OpenSSL::KDF.pbkdf2hmac function during SCRAM authentication. An attacker can cause the Ruby client VM to become unresponsive by sending a large iteration count...

8.3CVSS5.9AI score0.00299EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/05/04 10:3 p.m.156 views

Exploit for CVE-2026-31717

CVE-2026-31717: ksmbd DHnC Durable-Handle Reconnect Access-Con...

8.8CVSS5.8AI score0.00437EPSS
Exploits1
OSV
OSV
added 2026/05/04 9:30 p.m.4 views

GHSA-3H23-7824-PJ8R ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView

The /add/ endpoint AddView in core/views.py accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. When PUBLICADDVIEW=True comm...

9.8CVSS6.3AI score0.00404EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/04 9:28 p.m.7 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the api/install endpoint during the initial setup process. An attacker can gain unauthorized administrative access by sending a crafted installation request before the legitimate operator...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 9:28 p.m.9 views

Missing Authentication for Critical Function

Overview github.com/0xJacky/Nginx-UI/api/system is a yet another Nginx Web UI Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the api/install endpoint during the initial setup process. An attacker can gain unauthorized administrative access by...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/05/04 9:24 p.m.15 views

Pelican Web UI Affected by a Privilege Escalation Attack

Background On April 2nd, 2026, a Claude coding agent alerted Pelican PI Brian Bockelman to a privilege escalation vulnerability affecting Pelican's Web User Interface WebUI for various versions between v7.21 and v7.24. Upon further investigation, the Pelican team discovered this attack allows any...

9CVSS5.7AI score0.0032EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/05/04 9:16 p.m.32 views

CVE-2026-7779

A security flaw has been discovered in Open5GS up to 2.7.7. Affected is the function udmnudrdrhandlesubscriptionauthentication of the file /src/udm/nudr-handler.c of the component authentication-subscription Endpoint. Performing a manipulation results in denial of service. Remote exploitation of...

5.3CVSS0.00358EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/04 9:15 p.m.15 views

quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations

Summary The generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected...

6.3CVSS5.8AI score0.004EPSS
Exploits0References7Affected Software1
Snyk
Snyk
added 2026/05/04 9:15 p.m.11 views

Incorrect Implementation of Authentication Algorithm

Overview Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm due to the too broad path-template matching in the runtime authentication layer. An attacker can cause sensitive authentication credentials to be sent to unintended endpoints that may...

6.3CVSS5.7AI score0.004EPSS
Exploits0References2
OSV
OSV
added 2026/05/04 9:15 p.m.7 views

GHSA-FR8F-RWJX-F32V quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations

Summary The generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected...

6.3CVSS5.8AI score0.004EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/05/04 9:14 p.m.16 views

OpenClaw's Gateway Control UI bootstrap config required Gateway auth

Summary Gateway Control UI bootstrap config required Gateway auth. Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.4.21 - Fixed version: 2026.4.22 Impact When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without ...

5.8AI score
Exploits0References3Affected Software1
Patchstack
Patchstack
added 2026/05/04 9:14 p.m.8 views

NPM: OpenClaw's Gateway Control UI bootstrap config required Gateway auth

NPM: OpenClaw's Gateway Control UI bootstrap config required Gateway auth vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.21...

5.8AI score
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/05/04 9:14 p.m.9 views

Improper Authentication

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Authentication via the bootstrap config endpoint. An attacker can access sensitive configuration fields intended for authenticated sessions by sending unauthenticated requests to...

6.9CVSS5.8AI score0.00317EPSS
Exploits0References2
OSV
OSV
added 2026/05/04 9:14 p.m.5 views

GHSA-93RG-2XM5-2P9V OpenClaw's Gateway Control UI bootstrap config required Gateway auth

Summary Gateway Control UI bootstrap config required Gateway auth. Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.4.21 - Fixed version: 2026.4.22 Impact When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without ...

6.9CVSS5.8AI score
Exploits0References3
Rows per page
Query Builder