Lucene search
+L

1711 matches found

osv
osv
added 2026/07/07 3:26 p.m.6 views

GO-2026-5897 Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder

Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent in github.com/coder/coder...

8.8CVSS5.9AI score0.02642EPSS
Exploits0References7
nvd
nvd
added 2026/07/04 1:16 p.m.9 views

CVE-2025-13475

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants,...

7.3CVSS0.00158EPSS
Exploits0References1
cve
cve
added 2026/07/04 12:49 p.m.20 views

CVE-2025-13475

Technical details about CVE-2025-13475 are not publicly available in the provided documents. Monitor for updates.

7.3CVSS5.9AI score0.00158EPSS
Exploits0References1Affected Software1
cvelist
cvelist
added 2026/07/04 12:49 p.m.42 views

CVE-2025-13475 Cross-Tenant Access via Application Consent Mismanagement in Multiple WSO2 Products Allows Unauthorized Data Exposure

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants,...

3.5CVSS0.00158EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/07/04 12:49 p.m.9 views

CVE-2025-13475

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants,...

3.5CVSS5.9AI score0.00158EPSS
Exploits0References2Affected Software2
euvd
euvd
added 2026/07/04 12:49 p.m.8 views

EUVD-2025-210427

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants,...

3.5CVSS5.9AI score0.00158EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/07/04 12:0 a.m.16 views

PT-2026-55701

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. This occurs when consent...

7.3CVSS5.9AI score0.00158EPSS
Exploits0References10
euvd
euvd
added 2026/07/03 1:28 a.m.12 views

EUVD-2026-41469

The Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 4.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

4.9CVSS5.8AI score0.00301EPSS
Exploits0References6
attackerkb
attackerkb
added 2026/07/03 1:28 a.m.9 views

CVE-2026-12920

The Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 4.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

4.9CVSS5.8AI score0.00301EPSS
Exploits0References7
nvd
nvd
added 2026/06/30 9:16 p.m.7 views

CVE-2026-9106

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the managerunners:org scope and directing ...

5.5CVSS0.00176EPSS
Exploits0References6
cve
cve
added 2026/06/30 8:21 p.m.18 views

CVE-2026-9106

The CVE-2026-9106 issue concerns GitHub Enterprise Server where a UI misrepresentation allowed an OAuth app to gain unauthorized access to an organization’s runner management. A victim could be tricked into authorizing an app requesting the manage_runners:org scope because the scope was not shown...

5.5CVSS5.8AI score0.00176EPSS
Exploits0References6Affected Software1
ptsecurity
ptsecurity
added 2026/06/30 12:0 a.m.10 views

PT-2026-53988

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.22 Description A UI misrepresentation issue allows an OAuth application to obtain unauthorized access to organization runner management. An attacker can exploit this by creating an OAuth application...

5.5CVSS5.8AI score0.00176EPSS
Exploits0References14
nvd
nvd
added 2026/06/26 9:16 p.m.10 views

CVE-2026-50132

Budibase is an open-source low-code platform. Prior to 3.39.0, GET /api/chat-links/:instance/:token/handoff is a public endpoint no auth required that performs a permanent, state-changing operation: it binds an external chat identity Slack/Discord/MS Teams to an authenticated Budibase user accoun...

7.3CVSS0.00192EPSS
Exploits1References1
attackerkb
attackerkb
added 2026/06/26 8:34 p.m.8 views

CVE-2026-50132

Budibase is an open-source low-code platform. Prior to 3.39.0, GET /api/chat-links/:instance/:token/handoff is a public endpoint no auth required that performs a permanent, state-changing operation: it binds an external chat identity Slack/Discord/MS Teams to an authenticated Budibase user accoun...

7.3CVSS5.8AI score0.00192EPSS
Exploits1References2Affected Software1
cvelist
cvelist
added 2026/06/26 8:34 p.m.28 views

CVE-2026-50132 Budibase: Chat Identity Link Hijacking via Missing Consent & CSRF — Account Impersonation in Budibase

Budibase is an open-source low-code platform. Prior to 3.39.0, GET /api/chat-links/:instance/:token/handoff is a public endpoint no auth required that performs a permanent, state-changing operation: it binds an external chat identity Slack/Discord/MS Teams to an authenticated Budibase user accoun...

7.3CVSS0.00192EPSS
Exploits1References1
cve
cve
added 2026/06/26 8:34 p.m.34 views

CVE-2026-50132

Summary (CVE-2026-50132) Budibase exposes a public GET endpoint GET /api/chat-links/:instance/:token/handoff that, before version 3.39.0, can silently link an attacker’s external chat identity (Slack/Discord/MS Teams) to a victim’s Budibase account without consent or CSRF protection. The flow: an...

7.3CVSS5.8AI score0.00192EPSS
Exploits1References1Affected Software1
osv
osv
added 2026/06/26 8:34 p.m.7 views

CVE-2026-50132 Budibase: Chat Identity Link Hijacking via Missing Consent & CSRF — Account Impersonation in Budibase

Budibase is an open-source low-code platform. Prior to 3.39.0, GET /api/chat-links/:instance/:token/handoff is a public endpoint no auth required that performs a permanent, state-changing operation: it binds an external chat identity Slack/Discord/MS Teams to an authenticated Budibase user accoun...

7.3CVSS5.9AI score0.00192EPSS
Exploits1References3
astralinux
astralinux
added 2026/06/24 3:11 p.m.7 views

Astra Linux – Vulnerability in Chromium

Insufficient policy enforcement in PWA implementations in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to install a PWA without user consent, through a crafted HTML page. Chromium security severity: Medium...

6.6CVSS6.9AI score0.0017EPSS
Exploits0References3
github
github
added 2026/06/22 11:8 p.m.10 views

Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF

Title Chat Identity Link Hijacking — Attacker Can Silently Map Their Slack/Discord Identity to Any Authenticated Budibase User's Account Severity High — CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N = 7.3 Affected Product - Product: Budibase - Version: 3.37.2 introduced in this version - Componen...

7.3CVSS5.9AI score0.00192EPSS
Exploits1References4Affected Software1
snyk
snyk
added 2026/06/19 9:41 p.m.5 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the data-mw-iframeconfig attribute when handling malformed URLs or IDs containing single quotes. An attacker can execute arbitrary JavaScript in the context of the affected site by injecting malicious payloa...

8.7CVSS5.9AI score
Exploits0References3
Rows per page
Query Builder