96 matches found
CVE-2026-53963
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that...
CVE-2026-50132 Budibase: Chat Identity Link Hijacking via Missing Consent & CSRF — Account Impersonation in Budibase
Budibase is an open-source low-code platform. Prior to 3.39.0, GET /api/chat-links/:instance/:token/handoff is a public endpoint no auth required that performs a permanent, state-changing operation: it binds an external chat identity Slack/Discord/MS Teams to an authenticated Budibase user accoun...
CVE-2026-50132
Summary (CVE-2026-50132) Budibase exposes a public GET endpoint GET /api/chat-links/:instance/:token/handoff that, before version 3.39.0, can silently link an attacker’s external chat identity (Slack/Discord/MS Teams) to a victim’s Budibase account without consent or CSRF protection. The flow: an...
CVE-2026-31387 Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation
Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...
CVE-2026-31387
CVE-2026-31387 concerns Apache OFBiz with an Improper Authentication issue affecting versions prior to 24.09.06. The CVE list entry emphasizes a cookie manipulation flaw that enables authenticated JWT forgery and account impersonation. The recommended remediation is upgrading to OFBiz 24.09.06. T...
CVE-2026-31387 Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation
Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...
CVE-2026-41050
Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...
CVE-2026-41050 Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering
Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...
CVE-2026-42876 External Secrets Operator: Priviledge escalation with secret overwriting
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populat...
CVE-2026-42876 External Secrets Operator: Priviledge escalation with secret overwriting
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populat...
External Secrets 授权问题漏洞
External Secrets is an open-source Kubernetes-related application developed by External Secrets. Versions of the External Secrets Operator prior to 2.4.1 had an authorization issue vulnerability. This vulnerability stemmed from the ability for users to create ExternalSecret resources, allowing...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via ExternalSecret resource handling for Service Account tokens. A user can impersonate service accounts by crafting ExternalSecret resources that cause the operator to create Secrets populated with long-lived...
auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation
Summary The Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a...
prompts.chat 安全漏洞
prompts.chat is an open-source AI prompt library developed by Fatih Kadir Akın. The version 1464475 of prompts.chat had a security vulnerability; this vulnerability stemmed from inconsistent handling of usernames, which could lead to identity confusion and account impersonation...
CVE-2023-43326
A reflected cross-site scripting XSS vulnerability exisits in multiple url of mooSocial v3.1.8 allows attackers to steal user's session cookies and impersonate their account via a crafted URL...
A Browser Extension Risk Guide After the ShadyPanda Campaign
In early December 2025, security researchers exposed a cybercrime campaign that had quietly hijacked popular Chrome and Edge browser extensions on a massive scale. A threat group dubbed ShadyPanda spent seven years playing the long game, publishing or acquiring harmless extensions, letting them r...
CVE-2025-34256
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote...
CVE-2025-41346
Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availabili...
CVE-2025-12485
Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step. This issue affects the following versions :...
CVE-2025-12485
Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step. This issue affects the following versions :...