CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

26 matches found

Positive Technologies•added 2026/05/21 12:0 a.m.•5 views

PT-2026-42680

Summary Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. Details The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache...

2.3CVSS5.7AI score

Exploits0References3

Positive Technologies•added 2026/05/21 12:0 a.m.•2 views

PT-2026-42622

2.3CVSS5.7AI score

Exploits0References3

OSV•added 2026/05/12 8:13 a.m.•4 views

CLSA-2026-1778573628 dovecot: Fix of 2 CVEs

CVE-2026-27855: use translated username in authcacheremove to prevent OTP authentication replay attack - CVE-2026-27856: use timing-safe credential comparison in doveadm HTTP and TCP authentication paths...

7.4CVSS5.8AI score0.00042EPSS

Exploits2References1

OSV•added 2026/05/07 2:57 a.m.•1 views

GHSA-258C-965C-P3HC Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change

Summary A session invalidation vulnerability exists in daptin's authentication system where JSON Web Tokens JWTs remain fully valid after a user changes their password. The JWT validation middleware CheckJWT only verifies token signature, expiry, issuer, and signing algorithm — it does not check...

6.5CVSS5.9AI score

Exploits0References2

SUSE CVE•added 2026/03/28 12:28 a.m.•3 views

SUSE CVE-2026-27855

Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If...

6.8CVSS5.9AI score0.00042EPSS

Exploits1References5

EUVD•added 2026/03/27 9:31 a.m.•3 views

EUVD-2026-16563

6.8CVSS5.9AI score0.00042EPSS

Exploits1References2

OSV•added 2026/03/27 9:16 a.m.•4 views

ALPINE-CVE-2026-27855

5.9CVSS5.9AI score0.00042EPSS

Exploits1References1

AlpineLinux•added 2026/03/27 8:10 a.m.•3 views

CVE-2026-27855

6.8CVSS5.9AI score0.00042EPSS

Exploits1References1

CVE•added 2026/03/27 8:10 a.m.•5 views

CVE-2026-27855

Dovecot OTP authentication is vulnerable to a replay attack under specific conditions: if auth cache is enabled and the username is altered in passdb, OTP credentials can be cached so that the same OTP response remains valid. An attacker who observes an OTP exchange can log in as the targeted use...

6.8CVSS5.9AI score0.00042EPSS

Exploits1References1Affected Software2

ATTACKERKB•added 2026/03/27 8:10 a.m.•6 views

CVE-2026-27855

6.8CVSS5.9AI score0.00042EPSS

Exploits1References2

Cvelist•added 2026/03/27 8:10 a.m.•24 views

CVE-2026-27855

6.8CVSS0.00042EPSS

Exploits1References1

OSV•added 2026/03/27 12:0 a.m.•4 views

UBUNTU-CVE-2026-27855

6.8CVSS5.8AI score0.00042EPSS

Exploits1References3

Tenable Nessus•added 2026/01/22 12:0 a.m.•6 views

Azure Linux 3.0 Security Update: prometheus-process-exporter (CVE-2022-46146)

The version of prometheus-process-exporter installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-46146 advisory. - Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions...

8.8CVSS5.7AI score0.00185EPSS

Exploits1References2

OSV•added 2025/11/27 8:19 p.m.•0 views

SUSE-SU-2025:21159-1 Security update for dovecot24

This update for dovecot24 fixes the following issues: - Update dovecot to 2.4.2: - CVE-2025-30189: Fixed users cached with same cache key when auth cache was enabled bsc1252839 - Changes - auth: Remove proxyalways field. - config: Change settings history parsing to use python3. - doveadm: Print...

7.4CVSS5.8AI score0.00012EPSS

Exploits0References3

EUVD•added 2025/11/13 3:23 a.m.•1 views

EUVD-2025-178191

Malicious code in kinetic-jovian-auth-cache npm...

6.6AI score

Exploits0

OSV•added 2025/02/27 2:15 p.m.•1 views

UBUNTU-CVE-2025-27154

Spotipy is a lightweight Python library for the Spotify Web API. The CacheHandler class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has rw-r--r-- 644 permissions by default, when it could be locked down to rw------- 600 permissions. This leads to overly...

9.8CVSS5.7AI score0.00236EPSS

Exploits1References6

Tenable Nessus•added 2023/09/07 12:0 a.m.•35 views

Oracle Linux 5 : dovecot (ELSA-2008-0297)

The remote Oracle Linux 5 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2008-0297 advisory. - LDAP+auth cache user login mixup CVE-2007-6598, 427575 - insecure mailextragroups option CVE-2008-1199, 436927 - update to latest upstream, fixes a f...

6.8CVSS5.6AI score0.02525EPSS

Exploits0References5

SUSE CVE•added 2023/02/15 3:22 a.m.•2 views

SUSE CVE-2022-46146

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...

8.8CVSS9.3AI score0.00185EPSS

Exploits1References35

OSV•added 2022/11/29 2:15 p.m.•1 views

AZL-41992 CVE-2022-46146 affecting package prometheus-process-exporter for versions less than 0.8.2-1

8.8CVSS7.2AI score0.00185EPSS

Exploits1References1

ATTACKERKB•added 2022/11/29 2:15 p.m.•1 views

CVE-2022-46146

8.8CVSS7.2AI score0.00185EPSS

Exploits1References13Affected Software1

Rows per page