Lucene search
K

129 matches found

Vulnrichment
Vulnrichment
added 2026/03/16 6:3 p.m.7 views

CVE-2026-28498 Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect OIDC ID Tokens. Specifically, the internal hash verification logic verifyhash...

8.2CVSS5.7AI score0.00226EPSS
Exploits1References3
OSV
OSV
added 2026/03/16 4:15 p.m.4 views

GHSA-M344-F55W-2M6J Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding

Executive Summary A critical library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect OIDC ID Tokens. Specifically, the internal hash verification logic verifyhash responsible for validating the athash Access Token Hash and chash...

8.2CVSS6AI score0.00226EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/03/16 4:15 p.m.11 views

Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding

Executive Summary A critical library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect OIDC ID Tokens. Specifically, the internal hash verification logic verifyhash responsible for validating the athash Access Token Hash and chash...

9.1CVSS5.9AI score0.00226EPSS
Exploits1References5Affected Software1
CNNVD
CNNVD
added 2026/03/11 12:0 a.m.9 views

Striae 安全漏洞

Striae is an open-source firearm trace comparison analysis tool developed by Striae. Versions of Striae prior to v3.0.0 contained security vulnerabilities. These vulnerabilities stemmed from the digital confirmation workflow, where only hash verification was used for, and the list hash field coul...

8.2CVSS5.8AI score0.00118EPSS
Exploits0References2
OSV
OSV
added 2026/03/10 6:28 p.m.10 views

GO-2026-4616 Gogs: Cross-repository LFS object overwrite via missing content hash verification in gogs.io/gogs

Gogs: Cross-repository LFS object overwrite via missing content hash verification in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References5
Snyk
Snyk
added 2026/03/05 9:13 p.m.5 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the handling of LFS object uploads. An attacker can overwrite existing LFS objects across different repositories by uploading objects with the same identifier, potentially leading to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/05 9:13 p.m.4 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the handling of LFS object uploads. An attacker can overwrite existing LFS objects across different repositories by uploading objects with the same identifier, potentially leading to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/05 9:13 p.m.5 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the handling of LFS object uploads. An attacker can overwrite existing LFS objects across different repositories by uploading objects with the same identifier, potentially leading to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/05 9:13 p.m.4 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the handling of LFS object uploads. An attacker can overwrite existing LFS objects across different repositories by uploading objects with the same identifier, potentially leading to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/05 9:13 p.m.4 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the handling of LFS object uploads. An attacker can overwrite existing LFS objects across different repositories by uploading objects with the same identifier, potentially leading to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/05 9:13 p.m.7 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the handling of LFS object uploads. An attacker can overwrite existing LFS objects across different repositories by uploading objects with the same identifier, potentially leading to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/05 9:13 p.m.4 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the handling of LFS object uploads. An attacker can overwrite existing LFS objects across different repositories by uploading objects with the same identifier, potentially leading to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References2
OSV
OSV
added 2026/03/05 7:14 p.m.6 views

GHSA-CJ4V-437J-JQ4C Gogs: Cross-repository LFS object overwrite via missing content hash verification

Summary Overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. Details Gogs store all LFS objects in the same place, no isolation between different repositories. repo id not concatenated to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References6
EUVD
EUVD
added 2026/03/05 7:14 p.m.6 views

EUVD-2026-9850

Gogs: Cross-repository LFS object overwrite via missing content hash verification...

9.3CVSS5.9AI score0.00327EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/03/05 7:14 p.m.8 views

Gogs: Cross-repository LFS object overwrite via missing content hash verification

Summary Overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. Details Gogs store all LFS objects in the same place, no isolation between different repositories. repo id not concatenated to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References6Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/05 6:36 p.m.2 views

CVE-2026-25921 Gogs: Cross-repository LFS object overwrite via missing content hash verification

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2...

9.3CVSS5.7AI score0.00327EPSS
Exploits1References4
OSV
OSV
added 2026/03/05 6:36 p.m.9 views

CVE-2026-25921 Gogs: Cross-repository LFS object overwrite via missing content hash verification

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2...

9.3CVSS6.8AI score0.00327EPSS
Exploits1References6
Cvelist
Cvelist
added 2026/03/05 3:49 p.m.36 views

CVE-2026-30790

...

0.00225EPSS
Exploits0
GithubExploit
GithubExploit
added 2026/02/06 5:24 p.m.212 views

Exploit for CVE-2026-25050

CVE-2026-25050 – Authentication Timing Attack This repository...

6.9CVSS5.5AI score0.00364EPSS
Exploits1
Positive Technologies
Positive Technologies
added 2026/01/01 12:0 a.m.4 views

PT-2026-25790

Authlib and Affected Versions Authlib versions prior to 1.6.9 Description Authlib, a Python library for building OAuth and OpenID Connect servers, contains a flaw in its OpenID Connect OIDC ID Token validation logic. The internal hash verification function verify hash exhibits a fail-open behavio...

9.1CVSS5.7AI score0.00226EPSS
Exploits1References41
Rows per page
Query Builder