10 matches found

ATTACKERKB
added yesterday, 4 views

CVE-2026-52830

fast-mcp-telegram is a Telegram MCP Server. Prior to 0.19.1, fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not reject path separators or normalize the path before checkin...

CVSS 9.4, AI score 5.8
Exploits: 0, References: 3, Affected Software: 1
Cvelist
added 2026/04/08 2:20 a.m., 22 views

CVE-2026-1163 Insufficient Session Expiration in parisneo/lollms

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...

CVSS 4.1, EPSS 0.0021
Exploits: 0, References: 1
Github Security Blog
added 2026/02/17 4:43 p.m., 22 views

OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing

Summary The issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied sessionKey values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions. Affected Behavior - POST /hooks/agent accepted payload...

AI score 5.5
Exploits: 0, References: 4, Affected Software: 1
CNNVD
added 2026/01/21 12:00 a.m., 7 views

Everest-core security vulnerabilities

Everest-core is a major component of the open-source electric vehicle charging software stack developed by EVerest. Versions of Everest-core prior to 2025.9.0 contained security vulnerabilities. These vulnerabilities stemmed from validation flaws when the default value of the session ID was 0,...

CVSS 4.3, AI score 5.8, EPSS 0.00136
Exploits: 0, References: 2
Huntr
added 2023/06/10 5:05 p.m., 18 views

Stored XSS via Default session expiration time

Description The Default session expiration time feature, when submitted with HTML/JS tags, executes the code in the login page. Proof of Concept Login to Teampass and go to Settings = Options. http://127.0.0.1/index.php?page=options In the Default session expiration time input field insert an XSS payload...

CVSS 4.9, AI score 6.4, EPSS 0.00526
Exploits: 1, References: 1
SUSE CVE
added 2023/02/15 6:10 a.m., 6 views

SUSE CVE-2007-6077

The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote...

CVSS 6.8, AI score 7, EPSS 0.02512
Exploits: 0, References: 3
OSV
added 2020/05/19 12:00 a.m., 1 view

UBUNTU-CVE-2020-8617

Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows or successfully guesses the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration doe...

CVSS 7.5, AI score 6.8, EPSS 0.93422
Exploits: 5, References: 5
Cvelist
added 2019/03/07 7:00 p.m., 20 views

CVE-2019-3783 Cloud Foundry Stratos Deploys With Public Default Session Store Secret

Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user with default session store secret can brute force another user's current Stratos session, and act on behalf of that user...

CVSS 8.7, AI score 8.6, EPSS 0.00899
Exploits: 0, References: 1
Exploit DB
added 2017/03/27 12:00 a.m., 51 views

Github Enterprise - Default Session Secret and Deserialization (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule "Github Enterprise Default Session Secret And Deserialization Vulnerability", 'Description' = %q This module exploits two securi...

AI score 7.4
Exploits: 0
Tenable Nessus
added 2017/02/15 12:00 a.m., 297 views

F5 TLS Session Ticket Implementation Remote Memory Disclosure (Ticketbleed) (uncredentialed check)

Based on its response to a resumed TLS connection, the remote service appears to be affected by an information disclosure vulnerability, known as Ticketbleed, in the TLS Session Ticket implementation. The issue is due to the server incorrectly echoing back 32 bytes of memory, even if the Session I...

CVSS 7.5, AI score 7, EPSS 0.74
Exploits: 7, References: 4