1628 matches found
Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents
Summary The dashboard exposes the cron manual-trigger action as an authenticated GET /api/v1/cron/:id/manual endpoint. Dashboard JWTs are sent in the nz-jwt cookie and configured with SameSite=Lax, which browsers include on top-level cross-site GET navigations. Because this state-changing GET...
CVE-2026-36721
A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token...
CVE-2026-36721
A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token...
bookcars 安全漏洞
BookCars is a car rental management platform developed by Akram El Assas. Version 8.3 of BookCars contains a security vulnerability. This vulnerability stems from an insecure authentication mechanism in the/api/social-sign-in endpoint, which could allow attackers to bypass authentication using...
bookcars 安全漏洞
Bookcars is a car rental management platform developed by Akram El Assas. Version 8.3 of Bookcars contains a security vulnerability. This vulnerability stems from the lack of encryption signature verification in the validateAccessToken function, which may allow attackers to bypass authentication...
CVE-2026-36721
A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token...
PT-2026-48167
Name of the Vulnerable Software and Affected Versions bookcars version 8.3 Description A lack of cryptographic signature verification in the validateAccessToken function allows attackers to bypass authentication by using a forged JSON Web Token JWT, which is a compact, URL-safe means of...
CVE-2026-36721
A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token...
CVE-2026-36721
CVE-2026-36721 affects bookcars v8.3. The root cause is a lack of cryptographic signature verification in the validateAccessToken function, which enables attackers to bypass authentication via a forged JWT token. The CVE is rated with a high impact metric (CVSS v3.1: 9.8, Critical) across confide...
CVE-2026-36727
CVE-2026-36727 affects bookcars version 8.3. An insecure authentication vulnerability exists in the /api/social-sign-in endpoint that allows bypassing authentication by forged JWT tokens. The issue is documented across multiple feeds (NVD, Red Hat, CVE records) with no explicit exploit details or...
CVE-2026-46481 OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users
OpenMetadata is a unified metadata platform. Prior to version 1.12.4, a non-admin SSO user can trigger a TESTCONNECTION workflow for a Database Service and receive, in the HTTP 201 response of POST /api/v1/automations/workflows, both the cleartext database password in...
TencentOS Server 4: python-jwt (TSSA-2026:0427)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0427 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...
JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks
Summary JWSVerifier::getAlgorithm in src/Library/Signature/JWSVerifier.php line 144 merges protected and unprotected headers using PHP's spread operator: php $completeHeader = ...$signature-getProtectedHeader, ...$signature-getHeader; In PHP, when spreading arrays with duplicate string keys, the...
CVE-2026-45426
Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's str.lstrip to the requested path segment when verifying the JWT's sub...
CVE-2026-27173
JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of...
CVE-2026-33031
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an...
CVE-2026-42869
SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships it verbatim in .env.example. Any deployment where JWTSECR...
CVE-2026-42239
Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full...
EUVD-2026-34890
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the /system/api/connectionSettings endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover...
CVE-2026-46395
HAX CMS Node.js backend (before 26.0.0) exposes a critical cryptographic flaw in the hmacBase64() function. It uses a hardcoded signing key of the string "0" and then appends the real key (this.privateKey + this.salt) to the output, producing tokens that reveal the private key when decoded. An un...