CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

592 matches found

FortiOS - Insecure LDAP Configuration Detection

The FortiGate LDAP configuration was detected to be insecure due to missing ca-cert, secure LDAPS, or server-identity-check, potentially exposing LDAP communications to credential interception or man-in-the-middle attacks under specific network conditions. id: CVE-2019-5591 info: name: FortiOS -...

6.5CVSS6.9AI score0.18566EPSS

Exploits1References2

CVE•added 5 days ago•25 views

CVE-2026-47203

CVE-2026-47203 (Authelia) affects Authelia 4.38.0–4.39.19 where using Basic Auth on the authz verification endpoint exposes a bug: the username extracted from the Authorization header is passed to the ban/attempt regulation as-is, while LDAP binds are case-insensitive but regulation SQL lookups c...

6.3CVSS6AI score0.00308EPSS

Exploits0References2

AstraLinux•added 5 days ago•3 views

Astra Linux – Vulnerability in Apache Log4j1.2

The JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration, or when the configuration references an LDAP service to which the attacker has access. The attacker can provide a...

8.8CVSS7.9AI score0.61785EPSS

Exploits0References1

OSV•added 5 days ago•4 views

UBUNTU-CVE-2026-49268

A remote attacker can inject LDAP special characters into the Distingu...

9.1CVSS5.9AI score0.00494EPSS

Exploits0References2

CVE•added last week•15 views

CVE-2026-49268

The CVE-2026-49268 issue affects Apache Shiro’s DefaultLdapRealm where user input is concatenated into the LDAP DN template without escaping RFC 2253 characters. This LDAP DN injection can alter the bind DN, potentially bypassing authentication or impersonating other users. Technical details conf...

9.1CVSS5.4AI score0.00494EPSS

Exploits0References2Affected Software1

RedHat Linux•added 2026/06/17 1:52 a.m.•7 views

389-ds-base: 389-ds-base: unbounded LDAP controls count in get_ldapmessage_controls_ext() causes CPU and heap amplification (remote DoS)

A flaw was found in 389-ds-base. The getldapmessagecontrolsext function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls...

7.5CVSS5.2AI score0.00815EPSS

Exploits0References4

RedhatCVE•added 2026/06/11 2:59 p.m.•11 views

CVE-2026-45559

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, getldapemail app/modules/roxywi/user.py:120-157 builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim — no checkAjaxInput, no...

4.9CVSS5.5AI score0.00234EPSS

Exploits0References1

CVE•added 2026/06/10 10:15 p.m.•30 views

CVE-2026-42568

CVE-2026-42568 affects YAMCS when LdapAuthModule is configured. The root cause is that the username parameter is inserted directly into LDAP search filters without RFC 4515 escaping, enabling an authentication bypass (e.g., username=*) and potentially granting access to tokens for first matching ...

4.3CVSS5.4AI score0.01027EPSS

Exploits3References3

NVD•added 2026/06/10 3:16 p.m.•13 views

CVE-2026-45559

4.9CVSS0.00234EPSS

Exploits0References1

EUVD•added 2026/06/10 2:2 p.m.•8 views

EUVD-2026-36040

4.9CVSS5.5AI score0.00234EPSS

Exploits0References1

Veracode•added 2026/06/10 7:20 a.m.•11 views

Denial Of Service

Keycloak is vulnerable to Denial of Service DoS. The vulnerability is due to improper handling of LDAP password policy responses, where a malformed response from a configured LDAP server can trigger an OutOfMemoryError during password authentication processing, causing the Keycloak JVM to termina...

4.9CVSS5.5AI score0.00442EPSS

Exploits0References6Affected Software1

Packet Storm News•added 2026/06/10 12:0 a.m.•4 views

CLDAP Analyzer with ASN.1 BER Encoding and Basic TLV Response Parser

This Python script implements a CLDAP Connectionless LDAP analyzer that builds and sends LDAP CLDAP discovery requests and parses responses using ASN.1 BER encoding and a basic TLV parser. It constructs a structured LDAP search request including DnsDomain, User, and NtVer filters, sends it over U...

5.5AI score

Exploits0

CNNVD•added 2026/06/10 12:0 a.m.•9 views

Roxy-WI 注入漏洞

Roxy-WI is an open-source web interface designed for managing Haproxy, Nginx, and Keepalived servers. Versions of Roxy-WI 8.2.6.4 and earlier have a vulnerability that stems from the getldapemail function, which constructs LDAP search filters using f-string concatenation. The username URL path...

4.9CVSS5.4AI score0.00234EPSS

Exploits0References2

CVE•added 2026/06/09 10:24 p.m.•25 views

CVE-2026-9751

The vulnerability CVE-2026-9751 affects MongoDB’s mongod process: when ldapQueryPassword is set via the runtime setParameter command, the new password is logged in plain text to mongod.log. The issue is caused by logging sensitive parameter data, leading to potential exposure of credentials on th...

6.8CVSS5.5AI score0.00109EPSS

Exploits0References1Affected Software1

OSV•added 2026/06/09 2:16 p.m.•3 views

UBUNTU-CVE-2026-11787

A flaw was found in 389 Directory Server. The ldaputf8prev function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior...

6.3CVSS5.6AI score0.0021EPSS

Exploits0References5

CVE•added 2026/06/09 1:2 p.m.•20 views

CVE-2026-11788

The vulnerability CVE-2026-11788 affects 389 Directory Server (389-ds-base) in the dereference control plugin BER parser. The root cause is that the plugin does not check for BER allocation failures before using structures, enabling a null pointer/dereference scenario that can crash the LDAP serv...

7.5CVSS5.5AI score0.00421EPSS

Exploits0References3Affected Software3

Positive Technologies•added 2026/06/05 12:0 a.m.•8 views

PT-2026-47014

Name of the Vulnerable Software and Affected Versions NetMan 204 affected versions not specified Description Authentication is not enforced on administrative pages and command endpoints. A remote, unauthenticated attacker can directly request pages such as 'administration.html',...

9.8CVSS5.4AI score0.00533EPSS

Exploits0References7

Vulnrichment•added 2026/06/02 12:48 p.m.•8 views

CVE-2026-10611 OTP bypass via plugin-based LDAP authentication in MISP when LDAP mixed authentication is enabled

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.requireotp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticat...

8.2CVSS5.8AI score0.00353EPSS

Exploits0References1

NVD•added 2026/06/01 7:16 p.m.•10 views

CVE-2026-45284

Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0...

8.8CVSS0.00193EPSS

Exploits0References3

Cvelist•added 2026/06/01 4:57 p.m.•28 views

CVE-2026-45284 Nextcloud: Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate

4.6CVSS0.00193EPSS

Exploits0References3

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by