Lucene search
K

1623 matches found

CVE
CVE
added 2026/06/01 7:52 a.m.31 views

CVE-2026-41017

CVE-2026-41017 affects Apache Airflow where JWTRefreshMiddleware sets the JWT cookie without the Secure flag. This impacts deployments exposing the Airflow API server behind TLS-terminating proxies (e.g., nginx, Envoy, or managed load balancers) and may allow a network-positioned attacker to capt...

5.9CVSS5.9AI score0.00265EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/01 7:47 a.m.31 views

CVE-2026-45426

CVE-2026-45426 describes an authenticated Airflow worker with a valid Log-server JWT for at least one Dag who can abuse Python str.lstrip() in the JWT sub verification to access logs of other Dags. The left-stripping behavior treats a set of characters as deletable, not a prefix, enabling cross-D...

3.1CVSS5.8AI score0.00344EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/01 12:0 a.m.12 views

PT-2026-45615

Authentication Bypass in cf-auth-proxy in Cloud Foundry Foundation all installations allows an unauthenticated remote attacker to gain read access to every log and metric for every application and platform component via minting a JWT that the cf-auth-proxy accepts as a valid logs.admin token...

7.5CVSS5.8AI score0.00393EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/01 12:0 a.m.13 views

PT-2026-45379

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.2 Description A bug in the authentication manager logout handling allows previously issued JSON Web Tokens JWT to remain valid after a user logs out via the user interface. In deployments configured with...

6.5CVSS5.5AI score0.00368EPSS
Exploits0References7
CNNVD
CNNVD
added 2026/06/01 12:0 a.m.12 views

Apache Airflow 安全漏洞

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. Versions of Apache Airflow prior to 3.2.2 contained security vulnerabilities. These vulnerabilities stemmed from the use of...

3.1CVSS5.3AI score0.00344EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/06/01 12:0 a.m.10 views

Apache Airflow 安全漏洞

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. However, Apache Airflow has security vulnerabilities. One...

5.9CVSS5.4AI score0.00265EPSS
Exploits0References4
GithubExploit
GithubExploit
added 2026/05/30 7:34 a.m.105 views

Exploit for CVE-2026-29000

CVE-2026-29000: pac4j JWT Authentication Bypass PoC Proof...

9.3CVSS6.9AI score0.05856EPSS
Exploits17
GithubExploit
GithubExploit
added 2026/05/30 5:13 a.m.110 views

Exploit for Improper Input Validation in Microsoft

CVE-2025-9209 – RestroPress Unauthenticated API Key & Token Ex...

9.8CVSS7.3AI score0.9466EPSS
Exploits28
SUSE CVE
SUSE CVE
added 2026/05/30 1:59 a.m.14 views

SUSE CVE-2026-48523

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

5.4CVSS5.8AI score0.00127EPSS
Exploits1References9
SUSE CVE
SUSE CVE
added 2026/05/30 1:59 a.m.14 views

SUSE CVE-2026-48525

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option "b64": false, RFC 7797, PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For...

7.5CVSS5.8AI score0.00288EPSS
Exploits1References9
Tenable Nessus
Tenable Nessus
added 2026/05/30 12:0 a.m.13 views

RockyLinux 9 : fence-agents (RLSA-2026:19355)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19355 advisory. cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves CVE-2026-26007 pyjwt: PyJWT accepts unknown crit header...

8.2CVSS6.8AI score0.0058EPSS
Exploits2References7
Github Security Blog
Github Security Blog
added 2026/05/29 10:42 p.m.28 views

praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset

Summary Type: Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal "dev-secret-change-me" when PLATFORMJWTSECRET is unset. A safety check exists but only fires when PLATFORMENV != "dev"; the default value of PLATFORMENV is "dev", so the check is silently...

6AI score0.00054EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/05/29 8:16 p.m.15 views

CVE-2026-4387

StrongDM Desktop Application before 23.74.0 Desktop Client before 53.77.0 on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\.sdm\state.kv. The file is protected only by default...

2CVSS0.00132EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/29 6:28 p.m.30 views

CVE-2026-4387 Unencrypted storage of authentication state in StrongDM Desktop Application state.kv file

StrongDM Desktop Application before 23.74.0 Desktop Client before 53.77.0 on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\.sdm\state.kv. The file is protected only by default...

2CVSS0.00132EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/29 6:28 p.m.19 views

EUVD-2026-33417

StrongDM Desktop Application before 23.74.0 Desktop Client before 53.77.0 on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\.sdm\state.kv. The file is protected only by default...

2CVSS5.9AI score0.00132EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 6:28 p.m.12 views

CVE-2026-4387

StrongDM Desktop Application before 23.74.0 Desktop Client before 53.77.0 on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\.sdm\state.kv. The file is protected only by default...

2CVSS5.9AI score0.00132EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/29 5:8 p.m.13 views

EUVD-2026-33371

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...

8.2CVSS5.8AI score0.00185EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/29 4:13 p.m.12 views

EUVD-2026-33355

Dokploy is a free, self-hostable Platform as a Service PaaS. From 0.27.0 to before 0.29.3, a hardcoded BETTERAUTHSECRET fallback "better-auth-secret-123456789" lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the...

10CVSS5.9AI score0.00351EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.15 views

StrongDM 安全漏洞

StrongDM is an infrastructure access management platform developed by the US company StrongDM. Versions of StrongDM prior to 23.74.0 contained security vulnerabilities. These vulnerabilities stemmed from the storage of authentication status in plaintext, including JSON Web Tokens and key material...

2CVSS5.8AI score0.00132EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/05/29 12:0 a.m.11 views

Linux Distros Unpatched Vulnerability : CVE-2026-48526

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC...

7.4CVSS6AI score0.00394EPSS
Exploits1References3
Rows per page
Query Builder