Lucene search
K

88 matches found

Nuclei
Nuclei
added 4 hours ago93 views

Keycloak - Open Redirect

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially...

6.1CVSS6AI score0.01959EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-59713 Leantime - OIDC Login CSRF via Unconditional State Verification Stub

Leantime contains an OIDC login CSRF vulnerability in the verifyState method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the...

8.6CVSS6AI score0.00153EPSS
Exploits0References4
Snyk
Snyk
added last week5 views

Replay Attack

Overview Affected versions of this package are vulnerable to Replay Attack due to improper enforcement of OAuth2 authorization code expiry and single-use requirements in the authorization code process. An attacker can gain unauthorized access by reusing valid authorization codes during the token...

9.1CVSS6AI score0.00379EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/22 11:16 p.m.6 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via the reloadNuxtApp function. An attacker can redirect users to attacker-controlled hosts by injecting protocol-relative paths such as //evil.com, potentially enabling phishing attacks or theft of OAuth authorization...

9.6CVSS5.9AI score0.00191EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/21 12:0 a.m.9 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system designed for teams. Concrete CMS versions 9.5.0 and earlier have security vulnerabilities. These vulnerabilities stem from an oversight in the handling of OAuth 2.0 authorization codes, which bypasses account status checks. This could...

6.4CVSS5.8AI score0.00172EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/23 6:33 p.m.34 views

CVE-2026-41213 @node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid codeverifier values including one-character strings for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the...

5.9CVSS0.00259EPSS
Exploits1References1
CVE
CVE
added 2026/04/23 6:33 p.m.35 views

CVE-2026-41213

The CVE concerns @node-oauth/oauth2-server, a Node.js OAuth2 server module. The token exchange path accepts RFC7636-invalid code_verifier values for S256 PKCE flows (including one-character verifiers). The underlying cause is that ABNF enforcement for code_verifier is not performed during token e...

5.9CVSS5.8AI score0.00259EPSS
Exploits1References1Affected Software1
Snyk
Snyk
added 2026/04/02 3:31 p.m.1 views

Improper Isolation or Compartmentalization

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization due to improper type and namespace isolation in the...

9.1CVSS5.9AI score0.00424EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/02 3:31 p.m.10 views

Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

7.4CVSS5.9AI score0.00424EPSS
Exploits0References10Affected Software1
Snyk
Snyk
added 2026/04/02 3:31 p.m.3 views

Improper Isolation or Compartmentalization

Overview Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization due to improper type and namespace isolation in the SingleUseObjectProvider. An attacker can obtain unauthorized access by forging authorization codes, which may result in the creation of...

9.1CVSS5.9AI score0.00424EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/02 3:31 p.m.4 views

EUVD-2026-18208

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

7.4CVSS5.8AI score0.00424EPSS
Exploits0References5
OSV
OSV
added 2026/04/02 3:31 p.m.6 views

GHSA-HJ93-H7PG-FH6V Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

7.4CVSS5.8AI score0.00424EPSS
Exploits0References10
RedHat Linux
RedHat Linux
added 2026/04/02 1:54 p.m.367 views

keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

7.4CVSS5.8AI score0.00424EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/04/02 1:53 p.m.13 views

keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

7.4CVSS5.8AI score0.00424EPSS
Exploits0References4
NVD
NVD
added 2026/04/02 1:16 p.m.8 views

CVE-2026-4282

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

7.4CVSS0.00424EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/04/02 12:44 p.m.2 views

CVE-2026-4282 Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

7.4CVSS5.8AI score0.00424EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/04/02 12:44 p.m.22 views

CVE-2026-4282 Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

7.4CVSS0.00424EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/04/02 12:44 p.m.62 views

CVE-2026-4282

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

7.4CVSS5.8AI score0.00424EPSS
Exploits0References7
CVE
CVE
added 2026/04/02 12:44 p.m.515 views

CVE-2026-4282

CVE-2026-4282 describes a flaw in Keycloak where the SingleUseObjectProvider is not properly isolated by type and namespace. An unauthenticated attacker can forge authorization codes, potentially leading to creation of admin-capable access tokens and privilege escalation. The available documents ...

7.4CVSS5.8AI score0.00424EPSS
Exploits0References7Affected Software1
CNNVD
CNNVD
added 2026/04/02 12:0 a.m.11 views

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a security vulnerability, which stems from the lack of proper type and namespace isolation in SingleUseObjectProvider. This vulnerability could allow unverified attackers to forge authorization...

7.4CVSS5.8AI score0.00424EPSS
Exploits0References6
Rows per page
Query Builder