Lucene search
K

12 matches found

OSV
OSV
added 2026/06/17 2:17 p.m.4 views

UBUNTU-CVE-2026-49268

A remote attacker can inject LDAP special characters into the Distinguished Name DN construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate th...

9.1CVSS5.9AI score0.00494EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/11 2:59 p.m.12 views

CVE-2026-45559

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, getldapemail app/modules/roxywi/user.py:120-157 builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim — no checkAjaxInput, no...

4.9CVSS5.5AI score0.00234EPSS
Exploits0References1
CVE
CVE
added 2026/06/10 10:15 p.m.38 views

CVE-2026-42568

CVE-2026-42568 affects YAMCS when LdapAuthModule is configured. The root cause is that the username parameter is inserted directly into LDAP search filters without RFC 4515 escaping, enabling an authentication bypass (e.g., username=*) and potentially granting access to tokens for first matching ...

4.3CVSS5.4AI score0.01027EPSS
Exploits3References3
NVD
NVD
added 2026/06/10 3:16 p.m.17 views

CVE-2026-45559

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, getldapemail app/modules/roxywi/user.py:120-157 builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim — no checkAjaxInput, no...

4.9CVSS0.00234EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/05/12 1:28 p.m.11 views

CVE-2026-27851

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No...

9.1CVSS5.8AI score0.00406EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/21 5:43 p.m.31 views

CVE-2026-40606 ProxyAuth Addon LDAP Injection in mitmproxy

mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP...

4.8CVSS0.00166EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/01/30 1:2 p.m.37 views

CVE-2026-1498 WatchGuard Firebox LDAP Injection

An LDAP Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from a connected LDAP authentication server through an exposed authentication or management web interface. This vulnerability may also allow a remote attacker to...

7CVSS0.0068EPSS
Exploits0References1
OSV
OSV
added 2026/01/09 7:16 a.m.7 views

CVE-2025-70974

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...

10CVSS7AI score
Exploits0References7
OSV
OSV
added 2024/06/10 8:15 p.m.5 views

CVE-2024-37393

Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the...

7.5CVSS5.9AI score0.03304EPSS
Exploits2References3
ATTACKERKB
ATTACKERKB
added 2023/10/02 1:15 p.m.5 views

CVE-2023-41580

Phpipam before v1.5.2 was discovered to contain a LDAP injection vulnerability via the dname parameter at /users/ad-search-result.php. This vulnerability allows attackers to enumerate arbitrary fields in the LDAP server and access sensitive data via a crafted POST request...

7.5CVSS7.3AI score0.0071EPSS
Exploits1References3
OSV
OSV
added 2019/07/01 3:15 p.m.2 views

CVE-2019-4297

IBM Robotic Process Automation with Automation Anywhere 11 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability to make unauthorized queries or modify the LDAP content. IBM X-Force ID: 160761...

5.4CVSS6.5AI score0.01058EPSS
Exploits0References2
OSV
OSV
added 2017/05/05 6:29 p.m.4 views

CVE-2017-8790

An issue was discovered on Accellion FTA devices before FTA912180. The home/seos/courier/ldaptest.html POST parameter "filter" can be used for LDAP Injection...

9.8CVSS5.8AI score0.01373EPSS
Exploits1References1
Rows per page
Query Builder