Lucene search
K

96 matches found

NVD
NVD
added 2 days ago6 views

CVE-2026-53963

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that...

7.3CVSS0.00392EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/06/26 8:34 p.m.28 views

CVE-2026-50132 Budibase: Chat Identity Link Hijacking via Missing Consent & CSRF — Account Impersonation in Budibase

Budibase is an open-source low-code platform. Prior to 3.39.0, GET /api/chat-links/:instance/:token/handoff is a public endpoint no auth required that performs a permanent, state-changing operation: it binds an external chat identity Slack/Discord/MS Teams to an authenticated Budibase user accoun...

7.3CVSS0.00192EPSS
Exploits1References1
CVE
CVE
added 2026/06/26 8:34 p.m.26 views

CVE-2026-50132

Summary (CVE-2026-50132) Budibase exposes a public GET endpoint GET /api/chat-links/:instance/:token/handoff that, before version 3.39.0, can silently link an attacker’s external chat identity (Slack/Discord/MS Teams) to a victim’s Budibase account without consent or CSRF protection. The flow: an...

7.3CVSS5.8AI score0.00192EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/05/19 9:27 a.m.44 views

CVE-2026-31387 Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation

Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

0.00515EPSS
Exploits0References1
CVE
CVE
added 2026/05/19 9:27 a.m.27 views

CVE-2026-31387

CVE-2026-31387 concerns Apache OFBiz with an Improper Authentication issue affecting versions prior to 24.09.06. The CVE list entry emphasizes a cookie manipulation flaw that enables authenticated JWT forgery and account impersonation. The recommended remediation is upgrading to OFBiz 24.09.06. T...

5.3CVSS5.8AI score0.00515EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/19 9:27 a.m.10 views

CVE-2026-31387 Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation

Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

5.8AI score0.00515EPSS
Exploits0References1
NVD
NVD
added 2026/05/13 8:16 a.m.12 views

CVE-2026-41050

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...

9.9CVSS0.00379EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/13 8:4 a.m.42 views

CVE-2026-41050 Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...

9.9CVSS0.00379EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/11 6:58 p.m.46 views

CVE-2026-42876 External Secrets Operator: Priviledge escalation with secret overwriting

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populat...

4.9CVSS0.00214EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/11 6:58 p.m.10 views

CVE-2026-42876 External Secrets Operator: Priviledge escalation with secret overwriting

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populat...

4.9CVSS5.8AI score0.00214EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.9 views

External Secrets 授权问题漏洞

External Secrets is an open-source Kubernetes-related application developed by External Secrets. Versions of the External Secrets Operator prior to 2.4.1 had an authorization issue vulnerability. This vulnerability stemmed from the ability for users to create ExternalSecret resources, allowing...

4.9CVSS5.8AI score0.00214EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/08 5:24 p.m.8 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via ExternalSecret resource handling for Service Account tokens. A user can impersonate service accounts by crafting ExternalSecret resources that cause the operator to create Secrets populated with long-lived...

6.9CVSS5.9AI score0.00214EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/30 8:47 p.m.9 views

auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation

Summary The Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a...

9.1CVSS5.8AI score0.00417EPSS
Exploits0References6Affected Software2
CNNVD
CNNVD
added 2026/04/03 12:0 a.m.9 views

prompts.chat 安全漏洞

prompts.chat is an open-source AI prompt library developed by Fatih Kadir Akın. The version 1464475 of prompts.chat had a security vulnerability; this vulnerability stemmed from inconsistent handling of usernames, which could lead to identity confusion and account impersonation...

8.6CVSS5.8AI score0.00332EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/01/09 12:40 p.m.9 views

CVE-2023-43326

A reflected cross-site scripting XSS vulnerability exisits in multiple url of mooSocial v3.1.8 allows attackers to steal user's session cookies and impersonate their account via a crafted URL...

6.1CVSS5.6AI score0.01615EPSS
Exploits2References1
The Hacker News
The Hacker News
added 2025/12/15 11:55 a.m.14 views

A Browser Extension Risk Guide After the ShadyPanda Campaign

In early December 2025, security researchers exposed a cybercrime campaign that had quietly hijacked popular Chrome and Edge browser extensions on a massive scale. A threat group dubbed ShadyPanda spent seven years playing the long game, publishing or acquiring harmless extensions, letting them r...

6.6AI score
Exploits0
OSV
OSV
added 2025/12/05 6:15 p.m.5 views

CVE-2025-34256

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote...

9.8CVSS6.1AI score0.00604EPSS
Exploits0References3
NVD
NVD
added 2025/11/18 10:15 a.m.6 views

CVE-2025-41346

Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availabili...

9.8CVSS0.00285EPSS
Exploits0References1
OSV
OSV
added 2025/11/06 5:15 p.m.10 views

CVE-2025-12485

Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step. This issue affects the following versions :...

8.8CVSS5.8AI score0.0058EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/11/06 4:37 p.m.2 views

CVE-2025-12485

Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step. This issue affects the following versions :...

6.3AI score0.0058EPSS
Exploits0References1
Rows per page
Query Builder