
OSV
added 2026/03/06 10:21 p.m., 3 views

GHSA-5F53-522J-J454 Flowise Missing Authentication on NVIDIA NIM Endpoints

Missing Authentication on NVIDIA NIM Endpoints Summary The NVIDIA NIM router /api/v1/nvidia-nim/ is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. Vulnerability Details | Field | Value |...

CVSS 7.7, AI score 6, EPSS 0.3625
Exploits: 2, References: 4
Positive Technologies
added 2026/03/03 12:00 a.m., 6 views

PT-2026-22726

A vulnerability was found in Dataease SQLBot up to 1.5.1. This impacts the function validateEmbedded of the file backend/apps/system/middleware/auth.py of the component JWT Token Handler. Performing a manipulation results in improper verification of a cryptographic signature. The attack can be...

CVSS 6.3, AI score 5.3, EPSS 0.00184
Exploits: 1, References: 5
OSV
added 2026/03/01 1:22 a.m., 2 views

GHSA-XFX2-PRG5-JQ3G INSATutorat has an authorization bypass vulnerability in its /api/admin/* endpoints

Impact An authorization bypass vulnerability was discovered in the administration pages of the tutoring application. When a standard user who is logged in but lacks administrator privileges attempts to access a resource under /api/admin/, the system detects the error but does not block the request. As...

CVSS 8.7, AI score 6
Exploits: 0, References: 3
Github Security Blog
added 2026/02/25 6:37 p.m., 7 views

Parse Dashboard has incomplete authentication on AI Agent endpoint

Impact The AI Agent API endpoint POST /apps/:appId/agent lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key. Patches The fix adds authentication middleware to th...

CVSS 9.9, AI score 5.6, EPSS 0.0045
Exploits: 0, References: 5, Affected software: 1
CNNVD
added 2026/02/06 12:00 a.m., 5 views

client-certificate-auth input validation error vulnerability

client-certificate-auth is a middleware developed by Tony Gies for implementing client SSL certificate authentication. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain vulnerabilities related to input validation errors. These vulnerabilities stem from the middleware automatically...

CVSS 6.1, AI score 5.8, EPSS 0.00168
Exploits: 1, References: 2
Github Security Blog
added 2026/01/02 3:22 p.m., 4 views

Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints

Note This is a separate issue from the RCE vulnerability State Pollution currently being patched. While related to tokensecurity.js, it involves different endpoints and risks. Summary An unauthenticated information disclosure vulnerability allows any user to retrieve sensitive system information,...

CVSS 5.3, AI score 6.2, EPSS 0.00338
Exploits: 1, References: 5, Affected software: 1
CNNVD
added 2025/12/17 12:00 a.m., 3 views

Zerobyte security vulnerability

Zerobyte is a hosting automated backup software by Nico Personal Developers. A security vulnerability exists in Zerobyte versions prior to 0.18.5 and prior to 0.19.0, which stems from the authentication middleware not being properly applied to API endpoints, potentially leading to authentication...

CVSS 9.1, AI score 6.7, EPSS 0.00363
Exploits: 0, References: 4
OSV
added 2025/11/20 9:29 p.m., 3 views

GHSA-P8PF-44FF-93GF authkit-nextjs may let session cookies be cached in CDNs

In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications...

CVSS 9.3, AI score 6.7, EPSS 0.00335
Exploits: 0, References: 5
EUVD
added 2025/11/12 4:29 a.m., 2 views

EUVD-2025-116374

Malicious code in auth-non-blocking-ini-middleware npm...

AI score 6.6
Exploits: 0
EUVD
added 2025/11/06 12:30 a.m., 5 views

EUVD-2025-37960

Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentially use expired or tampered tokens to gain unauthorized...

CVSS 8.1, AI score 6.6, EPSS 0.00164
Exploits: 0, References: 2
CNNVD
added 2025/11/05 12:00 a.m., 5 views

HCL DevOps Loop security vulnerability

HCL DevOps Loop is a suite of code development platforms from HCL India. A security vulnerability exists in HCL DevOps Loop that stems from the API authentication middleware not properly validating token expiration times and cryptographic signatures, which could lead to the use of expired or...

CVSS 8.1, AI score 7.2, EPSS 0.00164
Exploits: 0, References: 1
Vulnrichment
added 2025/10/09 3:02 a.m., 1 view

CVE-2025-11529 ChurchCRM API Endpoint AuthMiddleware.php AuthMiddleware missing authentication

A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit...

CVSS 7.5, AI score 6.9, EPSS 0.00562
Exploits: 1, References: 6
Cvelist
added 2025/10/09 3:02 a.m., 6 views

CVE-2025-11529 ChurchCRM API Endpoint AuthMiddleware.php AuthMiddleware missing authentication

A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit...

CVSS 7.5, EPSS 0.00562
Exploits: 1, References: 6
Tenable Nessus
added 2025/08/30 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2021-38562

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Best Practical Request Tracker RT 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against...

CVSS 7.5, AI score 7.2, EPSS 0.01707
Exploits: 0, References: 2
Veracode
added 2025/07/24 9:37 a.m., 5 views

Improper Access Control

marshmallow-packages/nova-tiptap is vulnerable to Improper Access Control. The vulnerability is due to missing authentication middleware and a lack of file validation on the /nova-tiptap/api/file endpoint, which allows an attacker to upload arbitrary files (e.g., PHP scripts or binaries) to any...

CVSS 9.3, AI score 6.6, EPSS 0.01049
Exploits: 0, References: 4, Affected software: 2
OSV
added 2024/12/20 8:36 p.m., 7 views

GO-2024-3350 WhoDB Allows Unbounded Memory Consumption in Authentication Middleware Can Lead to Denial of Service in github.com/clidey/whodb/core

WhoDB Allows Unbounded Memory Consumption in Authentication Middleware Can Lead to Denial of Service in github.com/clidey/whodb/core...

AI score 7.1
Exploits: 0, References: 2
Github Security Blog
added 2024/12/19 3:22 p.m., 30 views

WhoDB Allows Unbounded Memory Consumption in Authentication Middleware Can Lead to Denial of Service

Summary A Denial of Service (DoS) vulnerability in the authentication middleware allows any client to cause memory exhaustion by sending large request bodies. The server reads the entire request body into memory without size limits, creating multiple copies during processing, which can lead to Out ...

AI score 7.2
Exploits: 0, References: 3, Affected software: 1
OSV
added 2024/12/19 3:22 p.m., 9 views

GHSA-5PF6-CQ2V-23WW WhoDB Allows Unbounded Memory Consumption in Authentication Middleware Can Lead to Denial of Service

Summary A Denial of Service (DoS) vulnerability in the authentication middleware allows any client to cause memory exhaustion by sending large request bodies. The server reads the entire request body into memory without size limits, creating multiple copies during processing, which can lead to Out ...

CVSS 7.5, AI score 7.2
Exploits: 0, References: 3
OSV
added 2024/02/09 5:04 p.m., 2 views

GHSA-C4CM-R9FH-JGJ9 commonground-api-common unexploitable privilege escalation in JWT authentication middleware

Impact This is a privilege escalation vulnerability. The impact is negligible and entirely theoretical. A non-exploitable weakness was found in how the client-supplied JWTs are verified. Because an explicit allow-list of known algorithms is used in the PyJWT library, user-supplied invalid...

AI score 5.8
Exploits: 0, References: 2
Veracode
added 2023/10/11 7:39 a.m., 14 views

Session Fixation

uptime-kuma is vulnerable to Session Fixation. The vulnerability is caused by a lack of session token invalidation in the server.js authentication middleware. This allows attackers with a token to maintain access even after the user's password has changed...

CVSS 7.8, AI score 7.1, EPSS 0.00267
Exploits: 1, References: 3, Affected software: 1