32 matches found

OSV
added 2026/04/22 2:28 p.m. · 1 view

GHSA-246W-JGMQ-88FG openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access

Summary: When openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The...

CVSS 10 · AI score 5.8 · EPSS 0.00022
Exploits 0 · References 8
Positive Technologies
added 2026/04/22 12:0 a.m. · 3 views

PT-2026-34452

Name of the Vulnerable Software and Affected Versions: openvpn-auth-oauth2 versions 1.26.3 through 1.27.2 Description: An authentication bypass exists when the software is deployed in experimental plugin mode. Clients that do not support WebAuth/SSO are incorrectly granted full network access witho...

CVSS 10 · AI score 5.9 · EPSS 0.00022
Exploits 0 · References 27
Nginx
added 2026/03/24 2:13 p.m. · 50 views

OCSP result bypass in stream

OCSP result bypass in stream Severity: medium CVE-2026-28755 Not vulnerable: 1.29.7+, 1.28.3+ Vulnerable: 1.27.2-1.29.6...

CVSS 5.4 · AI score 5.8 · EPSS 0.00012
Exploits 0 · References 1 · Affected Software 1
RedhatCVE
added 2026/03/11 7:8 a.m. · 2 views

CVE-2025-68402

FreshRSS is a free, self-hostable RSS aggregator. From 57e1a37 - 00f2f04, the length of the nonce was changed from 40 chars to 64. password_verify is currently being called with a constructed string (SHA-256 nonce + part of a bcrypt hash) instead of the raw user password. Due to bcrypt’s 72-byte...

CVSS 8.2 · AI score 5.8 · EPSS 0.00061
Exploits 0 · References 1
Positive Technologies
added 2026/03/09 12:0 a.m. · 1 view

PT-2026-24102

Name of the Vulnerable Software and Affected Versions: FreshRSS versions prior to 1.27.2-dev Description: FreshRSS, a self-hostable RSS aggregator, contains a flaw related to password verification. A change in the length of the nonce, from 40 to 64 characters between commits 57e1a37 and 00f2f04,...

CVSS 8.2 · AI score 5.8 · EPSS 0.00061
Exploits 0 · References 7
vulnersOsv
added 2025/11/25 12:16 a.m. · 3 views

@voiceflow/runtime-client-js (>=1.6.1 <=1.17.4) potentially affected by unknown CVE via @voiceflow/runtime (>=1.27.2 <=1.28.0)

@voiceflow/runtime NPM version =1.27.2, =1.6.1, =1.17.4 Source cves: unknown CVE Source advisory: OSV:MAL-2025-191368...

AI score 5.8
Exploits 0
vulnersOsv
added 2025/11/24 4:24 p.m. · 3 views

@voiceflow/runtime-client-js (>=1.6.1 <=1.17.4) potentially affected by unknown CVE via @voiceflow/runtime (>=1.27.2 <=1.28.0)

@voiceflow/runtime NPM version =1.27.2, =1.6.1, =1.17.4 Source cves: unknown CVE Source advisory: SNYK:JS-VOICEFLOWRUNTIME-14103430...

AI score 5.8
Exploits 0
CNNVD
added 2024/03/27 12:0 a.m. · 2 views

TeslaMate Security Vulnerability

TeslaMate is an open source project, a self-hosted data logger for Tesla. A security vulnerability exists in versions of TeslaMate prior to 1.27.2. After accessing the IP address of a TeslaMate instance, an attacker could switch port to 3000 and enter Grafana to perform remote operations...

CVSS 9.8 · AI score 6.7 · EPSS 0.00924
Exploits 0 · References 3
Positive Technologies
added 2024/03/26 12:0 a.m. · 3 views

PT-2024-12286 · Teslamate +1

Name of the Vulnerable Software and Affected Versions: TeslaMate versions prior to 1.27.2 Description: The issue allows unauthorized access to port 4000 for remote viewing and operation of user data. An attacker can access the IP address for the TeslaMate instance, switch the port to 3000 to ente...

CVSS 9.8 · AI score 7.1 · EPSS 0.00924
Exploits 0 · References 6
Positive Technologies
added 2024/02/26 12:0 a.m. · 2 views

PT-2024-40337 · Armeria +1

Name of the Vulnerable Software and Affected Versions: Central Dogma versions prior to 0.64.3 Description: The issue arises when SAML is used for authentication, as Central Dogma accepts unsigned SAML messages by default, instead of rejecting them. This allows an attacker to forge SAML messages f...

CVSS 9.1 · AI score 7.4
Exploits 0 · References 7
CNNVD
added 2024/02/26 12:0 a.m. · 2 views

Armeria Security Breach

Armeria is an open source library for building asynchronous microservers that use HTTP/2 as the session layer protocol. A security vulnerability exists in versions of Armeria prior to 1.27.2 that stems from allowing authentication to be bypassed using malicious SAML messages...

CVSS 9.1 · AI score 7 · EPSS 0.00309
Exploits 0 · References 3
Tenable Nessus
added 2023/08/07 12:0 a.m. · 17 views

MediaWiki 1.24.x < 1.27.2 Wiki Visitor IP Leakage

According to its self-reported version number, the instance of MediaWiki hosted on the remote web server is prior to 1.23.16, 1.24.x prior to 1.27.2 or 1.28.x prior to 1.28.1. It is, therefore, affected by a flaw which may allow remote attackers to discover the IP addresses of Wiki Visitors via ...

CVSS 7.5 · AI score 7.2 · EPSS 0.00212
Exploits 1 · References 2
SUSE CVE
added 2023/02/15 4:37 a.m. · 1 view

SUSE CVE-2017-15874

archival/libarchive/decompressunlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation...

CVSS 3.3 · AI score 7.4 · EPSS 0.0028
Exploits 1 · References 10
Patchstack
added 2023/01/23 12:0 a.m. · 9 views

WordPress Name Directory Plugin <= 1.27.1 is vulnerable to Cross Site Request Forgery (CSRF)

Software: Name Directory; Type: Plugin; Vulnerable versions: <= 1.27.1; Fixed in: 1.27.2; OWASP Top 10: A6: Security Misconfiguration; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-22692; Patch priority: Low; CVSS severity: Low (4.3); Developer: Jeroen Peters; PSID: 97cd32d13c24; Credits: NeginNrb; Require...

CVSS 8.8 · AI score 6.7 · EPSS 0.00106
Exploits 0 · References 2 · Affected Software 1
CNVD
added 2018/05/02 12:0 a.m. · 1 view

Mediawiki security bypass vulnerability (CNVD-2018-10133)

MediaWiki is a free web-based Wiki engine developed and maintained by the Wikimedia Foundation and MediaWiki volunteers, which can be used to deploy in-house knowledge management and content management systems. A security vulnerability exists in Mediawiki versions prior to 1.28.1, prior ...

CVSS 5.4 · AI score 6.8 · EPSS 0.00387
Exploits 1 · References 1
CNVD
added 2018/05/02 12:0 a.m. · 1 view

Mediawiki security bypass vulnerability (CNVD-2018-10132)

MediaWiki is a free web-based Wiki engine developed and maintained by the Wikimedia Foundation and MediaWiki volunteers, which can be used to deploy in-house knowledge management and content management systems. A security vulnerability exists in Mediawiki versions prior to 1.28.1, 1.27.2...

CVSS 5.3 · AI score 6.8 · EPSS 0.00236
Exploits 0 · References 1
CNVD
added 2018/05/02 12:0 a.m. · 1 view

Mediawiki Arbitrary Code Execution Vulnerability

MediaWiki is a free web-based Wiki engine developed and maintained by the Wikimedia Foundation and MediaWiki volunteers, which can be used to deploy in-house knowledge management and content management systems. A security vulnerability exists in Mediawiki versions prior to 1.28.1 and pri...

CVSS 8.8 · AI score 7.7 · EPSS 0.00516
Exploits 0 · References 1
CNVD
added 2018/04/17 12:0 a.m. · 2 views

Mediawiki redirection vulnerability (CNVD-2018-09663)

MediaWiki is a free web-based Wiki engine developed and maintained by the Wikimedia Foundation and MediaWiki volunteers, which can be used to deploy in-house knowledge management and content management systems. A security vulnerability exists in Mediawiki versions prior to 1.28.1, prior ...

CVSS 6.1 · AI score 6.7 · EPSS 0.00205
Exploits 0 · References 1
Prion
added 2018/04/13 4:29 p.m. · 13 views

Information disclosure

Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext...

CVSS 2.1 · AI score 7.7 · EPSS 0.00079
Exploits 0 · References 4 · Affected Software 2
Prion
added 2018/04/13 4:29 p.m. · 15 views

Xxe

Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites...

CVSS 5.8 · AI score 6.3 · EPSS 0.00205
Exploits 0 · References 3 · Affected Software 2