890 matches found
CVE-2026-53518
CVE-2026-53518 affects the Better Auth ecosystem, specifically the @better-auth/oauth-provider token endpoint for the authorization_code grant (and legacy paths via oidc-provider/mcp plugins). A race condition arises from a non-atomic find-then-delete when redeeming a single-use authorization cod...
EUVD-2026-44649
The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...
CVE-2026-58122 Hermes WebUI < 0.51.307 Authentication Bypass via X-Forwarded-For Header Spoofing
Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to...
Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs
Datadog Security Labs is warning of "several overlapping campaigns" that are systematically enumerating corporate GitHub organizations, repositories, and user accounts through the GitHub API. "Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging...
CVE-2026-12002
The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.11.1. This is due to missing or incorrect nonce validation on the maybeconnectiondata function. This makes it possible for...
PT-2026-56552
Name of the Vulnerable Software and Affected Versions Bitwarden Server versions prior to 2026.6.0 Description An issue exists where the server fails to verify if the email address provided in the body of the 'POST /auth-requests/admin-request' endpoint belongs to the authenticated user. This allo...
EUVD-2026-40958
The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to o...
CVE-2026-49277 Rocket.Chat: OAuth access and refresh tokens remain valid after account deactivation
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth...
CVE-2026-53928
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForg...
EUVD-2026-38598
A missing authorization vulnerability was found in the Event-Driven Ansible EDA websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activationid to receive...
CVE-2026-54317
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView homeassistant/components/konnected/init.py, that is marked as not requiring authentication requiresauth = False....
CVE-2026-12620 Access Token Exposure in URL Parameters in GridTime™ 3000 GNSS Time Server
The GridTime 3000 GNSS Time Server leaks the access token in the URL parameters of some endpoints. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0...
CVE-2026-12620 Access Token Exposure in URL Parameters in GridTime™ 3000 GNSS Time Server
The GridTime 3000 GNSS Time Server leaks the access token in the URL parameters of some endpoints. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0...
EUVD-2026-38041
The GridTime 3000 GNSS Time Server leaks the access token in the URL parameters of some endpoints. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0...
PT-2026-51061
Name of the Vulnerable Software and Affected Versions Home Assistant versions prior to 2026.6.0 Description The Konnected integration registers an HTTP endpoint 'KonnectedView' located in homeassistant/components/konnected/ init .py that is configured to not require authentication. While write...
PT-2026-50946
Name of the Vulnerable Software and Affected Versions GridTime 3000 versions 1.0r0.03 through 1.1r0.0 Description The GridTime 3000 GNSS Time Server leaks the access token within the URL parameters of certain endpoints. Recommendations Update GridTime 3000 versions 1.0r0.03 through 1.1r0.0 to a...
ConnectWise ScreenConnect < 26.2 Improper Input Validation (CVE-2026-11596)
According to its version, the ConnectWise ScreenConnect remote access software installed on the remote host is prior to 26.2. It is, therefore, affected by an improper input validation vulnerability: - Input validation within the Host Pass creation functionality could allow an authenticated user...
CVE-2026-44188 Ansible-lightspeed: ansible lightspeed: session hijacking and unauthorized data access due to insufficient session expiration
A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth Open Authorization access token before a user logs out, they...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview org.apache.cxf:cxf-rt-rs-security-oauth2 is a services framework. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition due to a race condition in the AbstractOAuthDataProvider method when handling refresh tokens if the recycleRefreshTokens...
CVE-2026-50631
A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or...