EUVD-2026-32654

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, src/mem.c implemented out-of-memory guards for xmalloc, xrealloc, and xstrdup using assertdata != NULL. The C standard specifies that all assert expressions are compiled out when NDEBUG is defined at...

VulnCheck KEV: CVE-2018-5999

An issue was discovered in AsusWRT before 3.0.0.4.38410007. In the handlerequest function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails...

libsoup: libsoup: Denial of Service via Use-After-Free in HTTP/2 server

A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the...

CVE-2026-44195

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockouthandler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username containing a success keyword...

CVE-2026-8142

Technical details are not publicly available in the provided documents. Monitor for updates.

Information Exposure

org.springframework.grpc, spring-grpc-core is vulnerable to information exposure through error messages. The vulnerability is due to returning raw server-side AuthenticationException messages in the gRPC status description, which allows an attacker to gather authentication failure details and...

CVE-2026-40969 Spring gRPC AuthenticationException message reflected to remote client

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC:...

EUVD-2026-26064

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC:...

CVE-2026-35902

The RTSP service of MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication parameters, an unauthenticated attacker can cause the RTSP service to enter a persistent authentication...

CVE-2026-35902

The CVE covers the RTSP service of the Mercury IP camera MIPC252W (firmware 1.0.5 Build 230306). The issue arises when handling failed Digest authentication attempts: repeatedly sending RTSP requests with invalid credentials can push the RTSP service into a persistent authentication failure state...

CVE-2026-40945 Oxia: Bearer token exposed in debug log messages on authentication failure

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This...

CVE-2026-40945

Oxia (metadata store/coordination system) is affected prior to version 0.16.2. When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext, potentially exposing JWT tokens in application logs and any connected log aggregation systems if DEBUG logging is enabled in ...

CVE-2026-40945 Oxia: Bearer token exposed in debug log messages on authentication failure

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This...

Oracle VM VirtualBox 安全漏洞

Oracle VM VirtualBox is a desktop virtualization software developed by Oracle for running multiple operating systems on a single host. An elevation of privilege vulnerability exists in Oracle VM VirtualBox. The vulnerability stems from a failure of the Core component to properly handle privilege...

Oxia exposes bearer token in debug log messages on authentication failure

Summary When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. Impact An attacker with access to application logs e.g., via a...

CVE-2025-13914

A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM attacker to impersonate managed devices. Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH...

fast-jwt 安全漏洞

fast-jwt is a JSON Web Token implementation open-sourced by Nearform. Versions of fast-jwt prior to 6.2.1 contained a security vulnerability. This vulnerability stemmed from the use of regular expression objects with state modifiers in certain options of the verify function, which could cause 50%...

CVE-2025-14243

A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation. Mitigation Mitigation for this issue is either not...

GO-2026-4872 Ella Core Panics during NAS Authentication Response/Failure with missing IEs in github.com/ellanetworks/core

Ella Core Panics during NAS Authentication Response/Failure with missing IEs in github.com/ellanetworks/core...

OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication

Summary Nextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak. Impact An attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events...