5758 matches found

CVE
added 2026/04/07 6:13 p.m., 17 views

CVE-2026-39324

CVE-2026-39324 affects Rack::Session::Cookie. From 2.0.0 up to 2.1.1, decryption failures under secrets: allow cookies to be decoded by a default coder instead of being rejected, enabling an unauthenticated attacker to forge session data and potentially gain unauthorized access. Affected componen...

CVSS 9.8, AI score 5.9, EPSS 0.00064
Exploits 1, References 1, Affected Software 1
ATTACKERKB
added 2026/04/07 6:13 p.m., 2 views

CVE-2026-39324

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie...

CVSS 9.3, AI score 5.9, EPSS 0.00064
Exploits 1, References 2, Affected Software 1
Cvelist
added 2026/04/07 6:13 p.m., 17 views

CVE-2026-39324 Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie...

CVSS 9.3, EPSS 0.00064
Exploits 1, References 1
Vulnrichment
added 2026/04/07 6:13 p.m., 2 views

CVE-2026-39324 Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie...

CVSS 9.3, AI score 5.9, EPSS 0.00064
Exploits 1, References 1
RedhatCVE
added 2026/04/07 12:47 a.m., 1 view

CVE-2026-34986

A flaw was found in Go JOSE, a library for handling JSON Web Encryption JWE objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the...

CVSS 7.5, AI score 5.8, EPSS 0.00035
Exploits 0, References 5
Tenable Nessus
added 2026/04/07 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-34986

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON W...

CVSS 7.5, AI score 7, EPSS 0.00035
Exploits 0, References 4
CNNVD
added 2026/04/07 12:00 a.m., 3 views

Rack::Session Security Vulnerability

Rack::Session is an open-source application developed by Official Rack repositories. Versions of Rack::Session prior to 2.1.2 contained security vulnerabilities. These vulnerabilities stemmed from improper handling of Cookie decryption failures, which could lead to session manipulation and...

CVSS 9.8, AI score 5.7, EPSS 0.00064
Exploits 1, References 1
OSV
added 2026/04/06 5:17 p.m., 0 views

DEBIAN-CVE-2026-34986

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption JWE object will panic if t...

CVSS 7.5, AI score 6.2, EPSS 0.00035
Exploits 0, References 1
NVD
added 2026/04/06 5:17 p.m., 1 view

CVE-2026-34986

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption JWE object will panic if t...

CVSS 7.5, EPSS 0.00035
Exploits 0, References 2
UbuntuCve
added 2026/04/06 5:17 p.m., 0 views

CVE-2026-34986

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption JWE object will panic if t...

CVSS 7.5, AI score 6, EPSS 0.00035
Exploits 0, References 3
Cvelist
added 2026/04/06 4:22 p.m., 18 views

CVE-2026-34986 Go JOSE affected by a panic in JWE decryption

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption JWE object will panic if t...

CVSS 7.5, EPSS 0.00035
Exploits 0, References 2
CVE
added 2026/04/06 4:22 p.m., 162 views

CVE-2026-34986

CVE-2026-34986 affects the Go JOSE library. Prior to versions 4.1.4 and 3.0.5, decrypting a JWE object can cause a panic when the alg field indicates a key-wrapping algorithm (any ending with KW, except A128GCMKW/A192GCMKW/A256GCMKW) and encrypted_key is empty. The panic occurs in cipher.KeyUnwra...

CVSS 7.5, AI score 6, EPSS 0.00035
Exploits 0, References 2, Affected Software 1
CNNVD
added 2026/04/06 12:00 a.m., 3 views

Go JOSE Security Vulnerability

Go JOSE is an implementation of the JOSE standard in Go, open sourced under the Go JOSE project. Versions prior to Go JOSE 4.1.4 and 3.0.5 contained security vulnerabilities. These vulnerabilities occurred when decrypting JSON Web Encryption objects. If the alg field indicated the key wrapping...

CVSS 7.5, AI score 6.9, EPSS 0.00035
Exploits 0, References 3
Github Security Blog
added 2026/04/03 3:28 a.m., 9 views

Go JOSE Panics in JWE decryption

Impact: Decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap in keywrap.go attempts to...

CVSS 7.5, AI score 6, EPSS 0.00035
Exploits 0, References 4, Affected Software 3
Snyk
added 2026/04/03 3:28 a.m., 1 view

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception in the cipher.KeyUnwrap function when decrypting a JSON Web Encryption (JWE) object with a key wrapping algorithm ending in 'KW' (except for 'A128GCMKW', 'A192GCMKW', and 'A256GCMKW') and the encrypted_key field is empty...

CVSS 8.7, AI score 5.9, EPSS 0.00035
Exploits 0, References 2
OSV
added 2026/04/03 3:28 a.m., 1 view

GHSA-78H2-9FRX-2JM8 Go JOSE Panics in JWE decryption

Impact: Decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap in keywrap.go attempts to...

CVSS 7.5, AI score 6, EPSS 0.00035
Exploits 0, References 4
Tenable Nessus
added 2026/04/03 12:00 a.m., 1 view

Linux Distros Unpatched Vulnerability : CVE-2026-23414

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - tls: Purge asynchold in tlsdecryptasyncwait The asynchold queue pins encrypted input skbs while the AEAD engine references their scatterlist data. Once...

CVSS 7.5, AI score 6.9, EPSS 0.00045
Exploits 0, References 3
CNNVD
added 2026/04/03 12:00 a.m., 4 views

Stackfield Desktop App Security Vulnerability

The Stackfield Desktop App is a project management tool developed by the German company Stackfield. Versions of the Stackfield Desktop App prior to 1.10.2 contained security vulnerabilities. These vulnerabilities stemmed from specific decryption functions that allowed path traversal when handling...

CVSS 9.6, AI score 5.9, EPSS 0.00089
Exploits 1, References 3
ATTACKERKB
added 2026/04/03 12:00 a.m., 1 view

CVE-2026-28373

The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryption functionality when processing the filePath property. A malicious export can write arbitrary content to any path on the victim's filesystem...

CVSS 9.6, AI score 6, EPSS 0.00089
Exploits 1, References 4
Redos
added 2026/04/03 12:00 a.m., 3 views

ROS-20260403-73-0018

A vulnerability in the tls_do_decryption function (net/tls/tls_sw.c) of the Linux kernel is related to the use of memory after it has been freed. Exploitation of the vulnerability allows a remote attacker to escalate privileges...

CVSS 7.8, AI score 7, EPSS 0.00026
Exploits 0