56 matches found

OSV
added 2026/04/21 3:00 p.m., 2 views

GHSA-X234-X5VQ-CC2V Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

Summary: A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected...

CVSS 8.6 · AI score 5.8 · EPSS 0.00038
Exploits: 1 · References: 5
NVD
added 2026/04/20 9:16 p.m., 4 views

CVE-2026-33031

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an...

CVSS 8.6 · EPSS 0.00038
Exploits: 1 · References: 1
Tenable Nessus
added 2026/02/11 12:00 a.m., 7 views

Keycloak < 26.5.3 Multiple Vulnerabilities

Keycloak versions installed prior to 26.5.3 are affected by multiple vulnerabilities as referenced in the advisory. - A flaw in Keycloak where the JSON Web Token (JWT) authorization grant preview feature fails to validate a user's disabled status during JWT authorization grant processing. When this...

CVSS 8.8 · AI score 7.3 · EPSS 0.00025
Exploits: 2 · References: 11
CNNVD
added 2026/02/09 12:00 a.m., 3 views

Keycloak security vulnerability

Keycloak is an open-source identity and access management solution developed by the Keycloak project. Keycloak has a security vulnerability. This vulnerability arises when the preview feature of JWT authorization is enabled and the user account is disabled. During the processing of JWT authorization,...

AI score 5.8
Exploits: 0 · References: 2
EUVD
added 2026/01/21 6:13 a.m., 3 views

EUVD-2026-3686

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a...

CVSS 6.5 · AI score 5.4 · EPSS 0.00016
Exploits: 0 · References: 3
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-0495

Malware in sbrugna...

CVSS 8.1 · AI score 8 · EPSS 0.00271
Exploits: 0 · References: 5
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2019-11437

Malware in sbrugna...

CVSS 7.5 · AI score 7.5 · EPSS 0.003
Exploits: 0 · References: 2
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2012-0015

Malware in sbrugna...

CVSS 4.9 · AI score 6 · EPSS 0.00561
Exploits: 1 · References: 23
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2024-41424

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 6.6 · EPSS 0.00048
Exploits: 0 · References: 2
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2025-10500

Malicious code in bioql PyPI...

CVSS 7 · AI score 6.5 · EPSS 0.00206
Exploits: 0 · References: 2
CNNVD
added 2025/09/11 12:00 a.m., 2 views

Flask App Builder authorization issue vulnerability

Flask App Builder is a simple and fast application development framework by the individual developer Daniel Vaz Gaspar. An authorization issue vulnerability exists in Flask App Builder versions prior to 4.8.1, which stems from not disabling the password reset feature when using a non-database...

CVSS 6.5 · AI score 6.7 · EPSS 0.00029
Exploits: 0 · References: 5
Tenable Nessus
added 2025/08/27 12:00 a.m., 6 views

Linux Distros Unpatched Vulnerability : CVE-2020-13230

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account, e.g., permission to view logs...

CVSS 4.3 · AI score 6.7 · EPSS 0.00799
Exploits: 1 · References: 2
RedhatCVE
added 2025/05/22 7:06 a.m., 4 views

CVE-2017-1000489

Mautic versions 2.0.0 - 2.11.0 with an SSO plugin installed could allow a disabled user to still log in using an email address...

CVSS 8.1 · AI score 6.8 · EPSS 0.00271
Exploits: 0 · References: 1
RedhatCVE
added 2025/04/12 2:22 a.m., 21 views

CVE-2025-26330

Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an incorrect authorization vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability to access the cluster with previous privileges of a disabled user account...

CVSS 7 · AI score 6.8 · EPSS 0.00206
Exploits: 0 · References: 3
ATTACKERKB
added 2025/04/10 3:15 a.m., 0 views

CVE-2025-26330

Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an incorrect authorization vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability to access the cluster with previous privileges of a disabled user account...

CVSS 7 · AI score 5.8 · EPSS 0.00206
Exploits: 0 · References: 2 · Affected software: 1
CVE
added 2025/04/10 2:10 a.m., 57 views

CVE-2025-26330

Dell PowerScale OneFS, versions 9.4.0.0–9.10.0.1, contains an authorization logic error where an unauthenticated, locally-present attacker could access cluster resources with the historical privileges of a disabled account. Root cause described as incorrect authorization/disabled-state verificati...

CVSS 7 · AI score 6.8 · EPSS 0.00206
Exploits: 0 · References: 1 · Affected software: 1
Vulnrichment
added 2025/04/10 2:10 a.m., 7 views

CVE-2025-26330

Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an incorrect authorization vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability to access the cluster with previous privileges of a disabled user account...

CVSS 7 · AI score 6.7 · EPSS 0.00206
Exploits: 0 · References: 1
Positive Technologies
added 2025/04/07 12:00 a.m., 3 views

PT-2025-15889 · Dell · Dell PowerScale OneFS

Name of the Vulnerable Software and Affected Versions: Dell PowerScale OneFS versions 9.4.0.0 through 9.10.0.1. Description: The issue is related to an incorrect authorization vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability to access the...

CVSS 7 · AI score 6 · EPSS 0.00206
Exploits: 0 · References: 11
NVD
added 2024/09/18 5:15 p.m., 10 views

CVE-2024-45298

Wiki.js is an open source wiki app built on Node.js. A disabled user can still gain access to a wiki by abusing the password reset function. While setting up SMTP e-mails on my server, I tested said e-mails by performing a password reset with my test user. To my shock, not only did it let me res...

CVSS 4.3 · EPSS 0.00048
Exploits: 0 · References: 2
Cvelist
added 2024/09/18 5:05 p.m., 14 views

CVE-2024-45298 Disabled user can bypass lockout by requesting password reset in wiki.js

Wiki.js is an open source wiki app built on Node.js. A disabled user can still gain access to a wiki by abusing the password reset function. While setting up SMTP e-mails on my server, I tested said e-mails by performing a password reset with my test user. To my shock, not only did it let me res...

CVSS 4.3 · EPSS 0.00048
Exploits: 0 · References: 2