Lucene search
K

144 matches found

Positive Technologies
Positive Technologies
added 2026/05/03 12:0 a.m.6 views

PT-2026-36726

Name of the Vulnerable Software and Affected Versions janeczku Calibre-Web versions prior to 0.6.27 Description Improper authorization occurs in the Endpoint component due to the manipulation of the user id argument within the generate auth token function located in the cps/kobo auth.py file. Thi...

6.5CVSS6.5AI score0.00219EPSS
Exploits0References8
OSV
OSV
added 2026/04/08 7:53 p.m.4 views

GHSA-4GGG-H7PH-26QR n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode

Impact An authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTHTOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the conten...

8.5CVSS5.8AI score0.00316EPSS
Exploits0References5
EUVD
EUVD
added 2026/03/27 3:30 p.m.6 views

EUVD-2026-16632

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs 'MediaUrlN' parameters using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

8.2CVSS5.9AI score0.00156EPSS
Exploits0References2
NVD
NVD
added 2026/03/27 3:17 p.m.6 views

CVE-2026-4984

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs 'MediaUrlN' parameters using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

8.2CVSS0.00156EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/27 2:13 p.m.3 views

CVE-2026-4984

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs 'MediaUrlN' parameters using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

8.2CVSS5.9AI score0.00156EPSS
Exploits0References2
CVE
CVE
added 2026/03/27 2:13 p.m.25 views

CVE-2026-4984

CVE-2026-4984 affects Botpress’s Twilio integration webhook handler. The vulnerability arises because the webhook accepts POST requests without validating Twilio’s X-Twilio-Signature, and when processing media messages it fetches user-controlled URLs (MediaUrlN) via HTTP requests that include the...

8.2CVSS5.9AI score0.00156EPSS
Exploits0References1
OSV
OSV
added 2026/03/27 7:14 a.m.4 views

BIT-PARSE-2026-33409 Parse Server: Auth provider validation bypass on login via partial authData

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the...

9.1CVSS5.8AI score0.00455EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/03/24 6:11 p.m.4 views

CVE-2026-33409 Parse Server: Auth provider validation bypass on login via partial authData

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowin...

7CVSS5.7AI score0.00455EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/03/11 7:21 p.m.2 views

CVE-2026-31954

Emlog is an open source website building system. In 2.6.6 and earlier, the deleteasync action asynchronous delete lacks a call to LoginAuth::checkToken, enabling CSRF attacks...

5.8AI score0.0015EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/03/10 6:28 p.m.5 views

GO-2026-4615 Gokapi has privilege escalation with auth token in github.com/forceu/gokapi

Gokapi has privilege escalation with auth token in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please...

5CVSS5.8AI score0.00137EPSS
Exploits0References3
OSV
OSV
added 2026/03/05 9:59 p.m.6 views

CVE-2026-28472 OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake

OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting t...

9.2CVSS6AI score0.00357EPSS
Exploits0References5
OSV
OSV
added 2026/03/05 6:57 p.m.5 views

GHSA-M2HX-WJXC-9FP4 Gokapi has privilege escalation with auth token

Impact A registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If you do not have any other users with access to the admin/upload menu, you are not impacted. Patches...

5CVSS6AI score0.00137EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/17 4:37 p.m.35 views

OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated

Summary The gateway WebSocket connect handshake could allow skipping device identity checks when auth.token was present but not yet validated. Details In src/gateway/server/ws-connection/message-handler.ts, the device-identity requirement could be bypassed based on the presence of a non-empty...

9.8CVSS5.6AI score0.00357EPSS
Exploits0References6Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/07 7:31 p.m.6 views

CVE-2026-25650

MCP Salesforce Connector is a Model Context Protocol MCP server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10...

8.7CVSS5.5AI score0.00409EPSS
Exploits0References1
CVE
CVE
added 2026/02/06 6:53 p.m.11 views

CVE-2026-25650

CVE-2026-25650 concerns MCP Salesforce Connector (Model Context Protocol) prior to version 0.1.10. An arbitrary attribute access flaw allows disclosure of Salesforce OAuth bearer tokens used by MCP-Salesforce. Multiple sources (Red Hat, NVD, CVE lists, advisories) confirm the issue and that it is...

8.7CVSS5.5AI score0.00409EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/02/06 6:53 p.m.27 views

CVE-2026-25650 MCP Salesforce Connector has arbitrary attribute access which leads to disclosure of Salesforce auth token

MCP Salesforce Connector is a Model Context Protocol MCP server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10...

8.7CVSS0.00409EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/06 6:53 p.m.6 views

CVE-2026-25650

MCP Salesforce Connector is a Model Context Protocol MCP server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10...

8.7CVSS5.5AI score0.00409EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/06 6:53 p.m.3 views

CVE-2026-25650 MCP Salesforce Connector has arbitrary attribute access which leads to disclosure of Salesforce auth token

MCP Salesforce Connector is a Model Context Protocol MCP server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10...

8.7CVSS5.7AI score0.00409EPSS
Exploits0References3
vulnersOsv
vulnersOsv
added 2026/02/03 3:30 p.m.9 views

aldryn-django (>=4.2.10.0 <=4.2.18.0), alertwise (=1.0.0) +114 more potentially affected by CVE-2026-1285 via django (>=4.2.0 <=4.2.27)

django PYPI version =4.2.0, =4.2.10.0, =65.10.0, =7.5.1, =1.0.2, =0.0.1, =1.3.9, =0.4.0, =0.0.1, =4.16.2, =4.8.0, =0.0.4.dev0, =8.0.0, =8.5.1 and more Source cves: CVE-2026-1285 Source advisory: OSV:GHSA-4RRR-2H4V-F3J9...

7.5CVSS7AI score0.00993EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/02/03 3:30 p.m.5 views

aldryn-django (>=4.2.10.0 <=4.2.18.0), alertwise (=1.0.0) +114 more potentially affected by CVE-2026-1207 via django (>=4.2.0 <=4.2.27)

django PYPI version =4.2.0, =4.2.10.0, =65.10.0, =7.5.1, =1.0.2, =0.0.1, =1.3.9, =0.4.0, =0.0.1, =4.16.2, =4.8.0, =0.0.4.dev0, =8.0.0, =8.5.1 and more Source cves: CVE-2026-1207 Source advisory: OSV:GHSA-MWM9-4648-F68Q...

8.3CVSS7.2AI score0.09436EPSS
Exploits1
Rows per page
Query Builder