Lucene search
K

454 matches found

Cvelist
Cvelist
added 2026/05/07 3:0 a.m.40 views

CVE-2026-41671 Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...

6.8CVSS0.00323EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/07 3:0 a.m.12 views

EUVD-2026-28283

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...

6.8CVSS5.8AI score0.00323EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/07 3:0 a.m.8 views

CVE-2026-41671 Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...

6.8CVSS5.8AI score0.00323EPSS
Exploits0References2
CVE
CVE
added 2026/05/07 3:0 a.m.9 views

CVE-2026-41671

Admidio prior to version 5.0.9 contains a vulnerability in its OIDC token introspection (/modules/sso/index.php/oidc/introspect) and revocation (/oidc/revoke) endpoints. The introspection endpoint always returns {"active": true} and the revocation endpoint returns {"revoked": true} without authen...

6.8CVSS5.8AI score0.00323EPSS
Exploits0References2
OSV
OSV
added 2026/05/05 5:15 p.m.5 views

GHSA-9HMG-827W-9RHJ nuts-node has JWT type confusion in v1 access token introspection that allows VP replay as access token

Summary The v1 access token introspection endpoint /auth/v1/introspectaccesstoken accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation VP JWT to be replayed as an access token and...

4.4CVSS5.8AI score0.00076EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/05 5:15 p.m.22 views

nuts-node has JWT type confusion in v1 access token introspection that allows VP replay as access token

Summary The v1 access token introspection endpoint /auth/v1/introspectaccesstoken accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation VP JWT to be replayed as an access token and...

4.4CVSS5.8AI score0.00076EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2026/05/05 12:31 p.m.7 views

EUVD-2023-60566

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the...

8.8CVSS6.2AI score0.00609EPSS
Exploits1References9
NVD
NVD
added 2026/05/05 12:16 p.m.45 views

CVE-2023-54345

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the...

8.8CVSS0.00609EPSS
Exploits1References8
ATTACKERKB
ATTACKERKB
added 2026/05/05 11:24 a.m.4 views

CVE-2023-54345

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the...

8.8CVSS6.2AI score0.00609EPSS
Exploits1References8Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/05 11:24 a.m.4 views

CVE-2023-54345 Frappe Framework ERPNext 13.4.0 Remote Code Execution

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the...

8.8CVSS6.2AI score0.00609EPSS
Exploits1References8
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.17 views

PT-2026-37245

Name of the Vulnerable Software and Affected Versions nuts-node versions prior to 5.4.31 nuts-node versions prior to 6.2.3 Description The v1 access token introspection endpoint '/auth/v1/introspect access token' accepts any JSON Web Token JWT signed by a key present on the node without validatin...

4.4CVSS5.8AI score0.00076EPSS
Exploits0References8
Github Security Blog
Github Security Blog
added 2026/04/29 9:58 p.m.6 views

Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation

Summary The OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the...

6.8CVSS5.9AI score0.00323EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/04/29 9:58 p.m.6 views

GHSA-9XX5-CV6J-X533 Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation

Summary The OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the...

6.8CVSS6AI score0.00323EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/29 12:0 a.m.14 views

PT-2026-36108

Name of the Vulnerable Software and Affected Versions Admidio versions prior to 5.0.9 Description An issue exists in the OpenID Connect OIDC implementation where the token introspection endpoint '/modules/sso/index.php/oidc/introspect' always returns a positive active status regardless of whether...

6.8CVSS5.8AI score0.00323EPSS
Exploits0References7
Fedora
Fedora
added 2026/04/16 11:42 p.m.12 views

[SECURITY] Fedora 44 Update: kf6-kservice-6.25.0-1.fc44

KDE Frameworks 6 Tier 3 solution for advanced plugin and service introspection...

5.8AI score
Exploits0
SUSE CVE
SUSE CVE
added 2026/04/15 1:42 p.m.12 views

SUSE CVE-2026-5713

The "profiling.sampling" module Python 3.15+ and "asyncio introspection capabilities" 3.14+, "python -m asyncio ps" and "python -m asyncio pstree" features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via t...

6CVSS5.8AI score0.00132EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/04/14 9:25 p.m.9 views

CVE-2026-5713

A flaw was found in Python. A malicious Python process could exploit the "profiling.sampling" module and "asyncio introspection capabilities" to read and write memory addresses within a privileged process. This vulnerability occurs when the privileged process connects to the malicious process via...

6CVSS6AI score0.00132EPSS
Exploits0References6
OSV
OSV
added 2026/04/14 4:16 p.m.5 views

DEBIAN-CVE-2026-5713

The "profiling.sampling" module Python 3.15+ and "asyncio introspection capabilities" 3.14+, "python -m asyncio ps" and "python -m asyncio pstree" features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via t...

5.3CVSS5.4AI score0.00132EPSS
Exploits0References1
NVD
NVD
added 2026/04/14 4:16 p.m.6 views

CVE-2026-5713

The "profiling.sampling" module Python 3.15+ and "asyncio introspection capabilities" 3.14+, "python -m asyncio ps" and "python -m asyncio pstree" features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via t...

5.3CVSS0.00132EPSS
Exploits0References6
UbuntuCve
UbuntuCve
added 2026/04/14 4:16 p.m.14 views

CVE-2026-5713

The "profiling.sampling" module Python 3.15+ and "asyncio introspection capabilities" 3.14+, "python -m asyncio ps" and "python -m asyncio pstree" features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via t...

5.3CVSS5.8AI score0.00132EPSS
Exploits0References5
Rows per page
Query Builder