434 matches found

CVE
added yesterday, 32 views

CVE-2026-28744

Gitea

CVSS 8.1, AI score 7.1, EPSS 0.00039
Exploits 0, References 4

ATTACKERKB
added yesterday, 4 views

CVE-2026-28744

Gitea versions up to and including 1.26.1 allow Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope checks...

CVSS 8.1, AI score 5.9, EPSS 0.00039
Exploits 0, References 5

CVE
added 2 days ago, 13 views

CVE-2026-52830

The CVE describes a path-traversal in fast-mcp-telegram prior to 0.19.1 where HTTP Bearer tokens are joined into a session-file path. The verifier rejects only the exact reserved token, not path separators or normalized paths, enabling a remote client to authenticate as the default legacy session...

CVSS 9.4, AI score 5.8, EPSS 0.00423
Exploits 0, References 2

EUVD
added 2 days ago, 5 views

EUVD-2026-41438

fast-mcp-telegram is a Telegram MCP Server. Prior to 0.19.1, fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not reject path separators or normalize the path before checkin...

CVSS 9.4, AI score 5.8, EPSS 0.00423
Exploits 0, References 2

ATTACKERKB
added 2 days ago, 5 views

CVE-2026-52830

fast-mcp-telegram is a Telegram MCP Server. Prior to 0.19.1, fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not reject path separators or normalize the path before checkin...

CVSS 9.4, AI score 5.8, EPSS 0.00423
Exploits 0, References 3, Affected Software 1

Cvelist
added 4 days ago, 32 views

CVE-2026-58169 Vibe-Trading < 0.1.10 - Loopback Trust and Missing Host Validation Enable DNS-Rebinding Authentication Bypass and Remote Code Execution

Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to...

CVSS 7.7, EPSS 0.00286
Exploits 0, References 7

Cvelist
added 2026/06/25 8:38 p.m., 20 views

CVE-2026-12473 OHIF Viewers DICOM Server-Side request forgery

Two data sources DICOMWebProxy and DICOMJSON shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, sending it to the...

CVSS 8.3, EPSS 0.00232
Exploits 0, References 2

Positive Technologies
added 2026/06/25 12:00 a.m., 8 views

PT-2026-52565

Name of the Vulnerable Software and Affected Versions: OHIF, affected versions not specified. Description: The DICOMWebProxy and DICOMJSON data sources, when used with default configurations, fetch an arbitrary URL parameter without proper validation. A global authentication service within the...

CVSS 8.3, AI score 6, EPSS 0.00232
Exploits 0, References 8

Cvelist
added 2026/06/24 9:05 p.m., 21 views

CVE-2026-49278 Rocket.Chat: Livechat Visitor Profile Disclosure Leaks Bearer Token and Enables Visitor Impersonation

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It...

CVSS 6.7, EPSS 0.00243
Exploits 0, References 1

CVE
added 2026/06/24 9:05 p.m., 9 views

CVE-2026-49278

Rocket.Chat vulnerable component: the visitors.info endpoint leaked a token in responses prior to versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. The issue allows token exposure in visitor information responses and is fixed in the listed versions. Affected products/version...

CVSS 6.7, AI score 5.8, EPSS 0.00243
Exploits 0, References 1

IBM Security Bulletins
added 2026/06/24 6:29 p.m., 3 views

Security Bulletin: Vulnerabilities found in Watson Data Intelligence

Summary: Multiple vulnerabilities were addressed in Watson Data Intelligence version 5.3.1-patch3. Vulnerability Details: CVEID: CVE-2025-14917. DESCRIPTION: IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3. IBM WebSphere Application Server Liberty could provide weaker than expecte...

CVSS 9.8, AI score 6.6, EPSS 0.03494
Exploits 3, Affected Software 1

NVD
added 2026/06/24 2:17 p.m., 9 views

CVE-2026-57289

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to...

CVSS 4.8, EPSS 0.00108
Exploits 0, References 1

Cvelist
added 2026/06/24 1:20 p.m., 31 views

CVE-2026-57289

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to...

EPSS 0.00108
Exploits 0, References 1

ATTACKERKB
added 2026/06/24 1:20 p.m., 5 views

CVE-2026-57289

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to...

CVSS 4.8, AI score 5.9, EPSS 0.00108
Exploits 0, References 2

EUVD
added 2026/06/24 1:20 p.m., 7 views

EUVD-2026-38770

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to...

CVSS 4.8, AI score 5.9, EPSS 0.00108
Exploits 0, References 1

CVE
added 2026/06/24 1:20 p.m., 97 views

CVE-2026-57289

The vulnerability affects Jenkins Bitbucket Push and Pull Request Plugin prior to 3.3.9. The plugin unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint. This misconfiguration a...

CVSS 4.8, AI score 5.9, EPSS 0.00108
Exploits 0, References 1, Affected Software 1

Positive Technologies
added 2026/06/24 12:00 a.m., 9 views

PT-2026-51799

Name of the Vulnerable Software and Affected Versions: Jenkins Bitbucket Push and Pull Request Plugin versions prior to 3.3.9. Description: The plugin unconditionally disables SSL/TLS certificate and hostname validation when sending Bearer token authenticated requests to the configured Bitbucket...

CVSS 4.8, AI score 5.8, EPSS 0.00108
Exploits 0, References 4

NVD
added 2026/06/19 7:16 p.m., 8 views

CVE-2026-49336

@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, @microsoft/kiota-http-fetchlibrary's RedirectHandler is documented as stripping Authorization and Cookie from cross-origin redirect targets, bu...

CVSS 6.9, EPSS 0.0065
Exploits 0, References 2

CVE
added 2026/06/19 6:19 p.m., 27 views

CVE-2026-49336

The CVE concerns @microsoft/kiota-http-fetchlibrary (TypeScript) in versions 1.0.0-preview.97–1.0.0-preview.101, where RedirectHandler’s scrubSensitiveHeaders uses case-sensitive deletion (delete headers.Authorization, delete headers.Cookie) on a headers object already lower-cased by FetchRequest...

CVSS 6.9, AI score 5.9, EPSS 0.0065
Exploits 0, References 2

Cvelist
added 2026/06/19 6:19 p.m., 18 views

CVE-2026-49336 @microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter

@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, @microsoft/kiota-http-fetchlibrary's RedirectHandler is documented as stripping Authorization and Cookie from cross-origin redirect targets, bu...

CVSS 6.9, EPSS 0.0065
Exploits 0, References 2