Lucene search
+L

77 matches found

euvd
euvd
added last week9 views

EUVD-2026-42630

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parentid to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose...

3.1CVSS5.9AI score0.00255EPSS
Exploits0References4
cvelist
cvelist
added last week32 views

CVE-2026-59215 Open WebUI: Private channel messages can be disclosed through cross-channel thread parent_id binding

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parentid to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose...

3.1CVSS0.00255EPSS
Exploits0References4
nessus
nessus
added 2026/07/07 12:0 a.m.13 views

Linux Distros Unpatched Vulnerability : CVE-2026-54291

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from...

8.2CVSS6.1AI score0.00236EPSS
Exploits0References3
snyk
snyk
added 2026/07/06 8:42 p.m.5 views

Incorrect Implementation of Authentication Algorithm

Overview org.postgresql:postgresql is a Java JDBC 4.2 JRE 8+ driver for PostgreSQL database. Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm in the ScramAuthenticator class, which fails open by confirming only that the server advertised a...

8.2CVSS6AI score0.00236EPSS
Exploits0References2
nvd
nvd
added 2026/07/06 7:17 p.m.12 views

CVE-2026-54291

pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to...

8.2CVSS0.00236EPSS
Exploits0References3
attackerkb
attackerkb
added 2026/07/06 6:55 p.m.5 views

CVE-2026-54291

pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to...

8.2CVSS5.9AI score0.00236EPSS
Exploits0References4Affected Software1
cvelist
cvelist
added 2026/07/06 6:55 p.m.33 views

CVE-2026-54291 Silent channel-binding authentication downgrade via unsupported certificate algorithms

pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to...

8.2CVSS0.00236EPSS
Exploits0References3
osv
osv
added 2026/07/06 6:55 p.m.4 views

CVE-2026-54291 Silent channel-binding authentication downgrade via unsupported certificate algorithms

pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to...

8.2CVSS5.9AI score0.00236EPSS
Exploits0References5
euvd
euvd
added 2026/07/06 6:55 p.m.10 views

EUVD-2026-41903

pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to...

8.2CVSS5.9AI score0.00236EPSS
Exploits0References3
cve
cve
added 2026/07/06 6:55 p.m.113 views

CVE-2026-54291

CVE-2026-54291 affects pgjdbc (OpenJDK PostgreSQL JDBC Driver) in versions 42.7.4–42.7.11. The issue allows a silent downgrade of channelBinding from SCRAM-SHA-256-PLUS to plain SCRAM-SHA-256 when an attacker can intercept TLS and presents a certificate whose signature algorithm lacks a tls-serve...

8.2CVSS5.9AI score0.00236EPSS
Exploits0References3Affected Software1
ptsecurity
ptsecurity
added 2026/07/02 12:0 a.m.12 views

PT-2026-54841

Name of the Vulnerable Software and Affected Versions pgjdbc versions 42.7.4 through 42.7.11 Description Connections using channelBinding=require can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256. This results in the loss of man-in-the-middle protectio...

8.2CVSS6AI score0.00236EPSS
Exploits0References10
freebsd
freebsd
added 2026/06/30 12:0 a.m.6 views

PostgresSQL JDBC -- Silent channel-binding authentication downgrade via unsupported certificate algorithms

PostgreSQL project reports: channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection...

8.2CVSS5.8AI score0.00236EPSS
Exploits0References1
nessus
nessus
added 2026/06/30 12:0 a.m.7 views

FreeBSD : PostgresSQL JDBC -- Silent channel-binding authentication downgrade via unsupported certificate algorithms (7701f760-745c-11f1-bc50-6cc21735f730)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 7701f760-745c-11f1-bc50-6cc21735f730 advisory. PostgreSQL project reports: channelBinding=require connections can be silently downgraded from...

8.2CVSS6.2AI score0.00236EPSS
Exploits0References3
osv
osv
added 2026/06/24 1:12 p.m.5 views

OESA-2026-2722 dovecot security update

Dovecot is an IMAP server for Linux/UNIX-like systems, written with security primarily in mind. It also contains a small POP3 server. It supports mail in either of maildir or mbox formats. Security Fixes: Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRA...

7.5CVSS5.8AI score0.00454EPSS
Exploits0References5
susecve
susecve
added 2026/06/23 2:20 a.m.8 views

SUSE CVE-2026-52911

In the Linux kernel, the following vulnerability has been resolved: ksmbd: scope conn-binding slowpath to bound sessions only When the binding SESSIONSETUP sets conn-binding = true, the flag stays set after the call so that the global session lookup in ksmbdsessionlookupall can find the session,...

5.8AI score0.00362EPSS
Exploits0References3
nessus
nessus
added 2026/06/03 12:0 a.m.9 views

Fedora 43 : dovecot (2026-693373747f)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-693373747f advisory. CVE-2026-27851: lib-var-expand: Safe filter marks all following pipelines safe. CVE-2026-33603: auth: CRAM-SHA--PLUS channel binding could be faked...

9.1CVSS5.8AI score0.00667EPSS
Exploits1References7
nessus
nessus
added 2026/06/02 12:0 a.m.16 views

Fedora 44 : dovecot (2026-96eeb03b88)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-96eeb03b88 advisory. CVE-2026-27851: lib-var-expand: Safe filter marks all following pipelines safe. CVE-2026-33603: auth: CRAM-SHA--PLUS channel binding could be faked...

9.1CVSS5.8AI score0.00667EPSS
Exploits1References7
redhatcve
redhatcve
added 2026/05/18 2:57 p.m.16 views

CVE-2026-33603

A flaw was found in Dovecot. An attacker, positioned as a Man-in-the-Middle MITM between Dovecot and a client, can exploit a specially crafted base64 exchange to fake SCRAM TLS channel binding. This allows the attacker to eavesdrop on communications between Dovecot and the client, leading to...

6.8CVSS5.7AI score0.00222EPSS
Exploits0References4
euvd
euvd
added 2026/05/12 3:31 p.m.12 views

EUVD-2026-29468

Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and...

6.8CVSS5.8AI score0.00222EPSS
Exploits0References2
nvd
nvd
added 2026/05/12 2:17 p.m.18 views

CVE-2026-33603

Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and...

6.8CVSS0.00222EPSS
Exploits0References1
Rows per page
Query Builder