Lucene search
K

5568 matches found

Vulnrichment
Vulnrichment
added 2026/05/20 5:51 p.m.12 views

CVE-2026-2813 Unvalidated Redirect in ArcGIS Server

ArcGIS Server contains an input validation weakness in the login redirection workflow. An Authenticated attacker could exploit this issue by sending a specially crafted request, Successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulti...

4.7CVSS5.6AI score0.003EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/20 5:51 p.m.10 views

CVE-2026-2813

ArcGIS Server contains an input validation weakness in the login redirection workflow. An Authenticated attacker could exploit this issue by sending a specially crafted request, Successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulti...

4.7CVSS5.6AI score0.003EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.18 views

PT-2026-42262

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the page source...

9.8CVSS5.8AI score0.00454EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.16 views

PT-2026-42222

ArcGIS Server contains an input validation weakness in the login redirection workflow. An Authenticated attacker could exploit this issue by sending a specially crafted request, Successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulti...

4.7CVSS5.6AI score0.003EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/05/19 6:24 p.m.22 views

tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments

A flaw was found in Tornado. A remote attacker could exploit this vulnerability by injecting specially crafted characters into the domain, path, and samesite arguments when setting cookies. This could lead to cookie attribute injection, potentially allowing for information disclosure or...

7.2CVSS5.7AI score0.00237EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/05/19 3:54 p.m.19 views

Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations

Summary The original fix for GHSA-3v3m-wc6v-x4x3 is incomplete. argocd app diff --server-side-diff can still expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation. The prior fix masks top-level Secret data in ServerSideDiff responses, but it...

5.8AI score0.00034EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/19 2:46 p.m.6 views

GHSA-JH3H-RPXG-FR36 Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover

Summary A stored cross-site scripting XSS vulnerability exists in HAX CMS due to improper sanitization of elements. The application allows javascript: URIs in the src attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the conte...

8.6CVSS5.9AI score0.0023EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/19 2:46 p.m.11 views

Cross-site Scripting (XSS)

Overview @haxtheweb/iframe-loader is an Adds a loading indicator for iframes. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the...

9.3CVSS5.8AI score0.0023EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/19 2:46 p.m.15 views

Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover

Summary A stored cross-site scripting XSS vulnerability exists in HAX CMS due to improper sanitization of elements. The application allows javascript: URIs in the src attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the conte...

9.3CVSS5.9AI score0.0023EPSS
Exploits0References3Affected Software3
OSV
OSV
added 2026/05/19 9:31 a.m.7 views

GHSA-G8VR-X4QH-25QG Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction fails to validate that the newly created credential's parameters, such as public key...

4.3CVSS5.7AI score0.00392EPSS
Exploits0References12
Github Security Blog
Github Security Blog
added 2026/05/19 9:31 a.m.11 views

Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction fails to validate that the newly created credential's parameters, such as public key...

4.3CVSS5.7AI score0.00392EPSS
Exploits0References12Affected Software1
NVD
NVD
added 2026/05/19 7:16 a.m.17 views

CVE-2026-8830

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction fails to validate that the newly created credential's parameters, such as public key...

4.3CVSS0.00392EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/19 6:4 a.m.53 views

CVE-2026-8830 Keycloak: org.keycloak/keycloak-services: keycloak: policy bypass during webauthn credential registration via client-side javascript manipulation

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction fails to validate that the newly created credential's parameters, such as public key...

4.3CVSS0.00392EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/05/19 6:4 a.m.12 views

CVE-2026-8830

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction fails to validate that the newly created credential's parameters, such as public key...

4.3CVSS5.8AI score0.00392EPSS
Exploits0References7
EUVD
EUVD
added 2026/05/19 6:4 a.m.13 views

EUVD-2026-30841

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction fails to validate that the newly created credential's parameters, such as public key...

4.3CVSS5.8AI score0.00392EPSS
Exploits0References2
CVE
CVE
added 2026/05/19 6:4 a.m.33 views

CVE-2026-8830

Technical details (affected product/version, root cause specifics, impact, or remediation) are not publicly available in the provided documents; monitor for updates.

4.3CVSS5.8AI score0.00392EPSS
Exploits0References6Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/19 5:9 a.m.17 views

CVE-2026-8830

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction fails to validate that the newly created credential's parameters, such as public key...

4.3CVSS5.7AI score0.00392EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/19 5:0 a.m.11 views

Client-Side Enforcement of Server-Side Security

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Client-Side Enforcement of Server-Side Security through the processAction registration flow in the WebAuthn...

5.3CVSS5.5AI score0.00392EPSS
Exploits0References3
OSV
OSV
added 2026/05/15 9:31 p.m.6 views

GHSA-J76W-P754-G2W7 Mattermost doesn't validate the response body of proxied images

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header e.g. image/png...

4.3CVSS5.8AI score0.00242EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/15 7:57 p.m.8 views

CVE-2026-43887

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous...

7.3CVSS5.9AI score0.00245EPSS
Exploits0References1
Rows per page
Query Builder