147 matches found
CVE-2026-34749
Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery CSRF vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. Th...
CVE-2026-4829
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow...
Devolutions Server < 2025.3.18 / 2026.1.x < 2026.1.12 Multiple Vulnerabilities (DEVO-2026-0010)
The version of Devolutions Server installed on the remote host is prior to 2025.3.18 or 2026.1.x prior to 2026.1.12. It is, therefore, affected by multiple vulnerabilities, including: - Improper authentication in the OAuth login functionality allows a remote attacker with valid credentials to...
Cross-site Request Forgery (CSRF)
Overview payload is a Node, React and MongoDB Headless CMS and Application Framework Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the authentication flow when serverURL is configured. An attacker can perform unauthorized actions on behalf of authenticate...
GHSA-P6MR-XF3R-GHQ4 Payload has a CSRF Protection Bypass in Authentication Flow
Impact A Cross-Site Request Forgery CSRF vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. Consumers are affected if ALL of these are true: - Payload version v3.79.1 - serverURL is...
Payload has a CSRF Protection Bypass in Authentication Flow
Impact A Cross-Site Request Forgery CSRF vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. Consumers are affected if ALL of these are true: - Payload version v3.79.1 - serverURL is...
CVE-2026-34749
Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery CSRF vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. Th...
CVE-2026-34456 Reviactyl: OAuth account takeover via auto-linking
Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching email...
CVE-2026-34749 Payload has a CSRF Protection Bypass in Authentication Flow
Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery CSRF vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. Th...
CVE-2026-34749 Payload has a CSRF Protection Bypass in Authentication Flow
Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery CSRF vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. Th...
CVE-2026-34749
Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery CSRF vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. Th...
CVE-2026-4829
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow...
PT-2026-29537
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow...
PT-2026-29597
Name of the Vulnerable Software and Affected Versions Payload versions prior to 3.79.1 Description A Cross-Site Request Forgery CSRF issue existed in the authentication process. In certain scenarios, the configured CSRF protection could be bypassed, enabling unauthorized cross-site requests. The...
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
Summary While testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHu...
Race Condition
@auth0/nextjs-auth0 is vulnerable to a race condition. The vulnerability is due to improper lookup handling in the TokenRequestCache during simultaneous requests on the same client, which allows an attacker to exploit inconsistent token responses and potentially interfere with authentication flow...
CVE-2026-33875
Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update...
CVE-2026-33875 Authenticator Vulnerable to Authentication Flow Hijack
Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update...
EUVD-2026-16817
Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update...
CVE-2026-33875 Authenticator Vulnerable to Authentication Flow Hijack
Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update...