Lucene search
+L

44129 matches found

CVE
CVE
added 9 hours ago7 views

CVE-2026-62233

CVE-2026-62233 affects grav-plugin-api prior to 1.0.6. The issue: createApiKey, generate2fa, and disable2fa endpoints fail to validate super-admin status, allowing non-super api.users.write managers to escalate to super-admin. As described, attackers can mint API keys bound to super-admin account...

8.8CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 9 hours ago5 views

EUVD-2026-45121

grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attackers can mint API keys bound to super-admin accounts or strip 2FA from super-admin users to achiev...

8.8CVSS6.1AI score
Exploits0References2
CVE
CVE
added 9 hours ago6 views

CVE-2026-62231

The Grav API plugin (getgrav/grav-plugin-api) prior to version 1.0.6 has an authorization bypass in ApiKeyAuthenticator: API keys with restricted scopes are ignored, and the API key resolves to the owning user’s full account, allowing a key with limited scopes (e.g., read-only) to perform any ope...

8.6CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 9 hours ago4 views

EUVD-2026-45119

The Grav API plugin getgrav/grav-plugin-api before 1.0.6 contains an authorization bypass: API keys can be created with a restricted scopes array, but the ApiKeyAuthenticator class never reads or enforces these scopes. It loads and returns the owning user's full account object, so a key created...

8.6CVSS6.1AI score
Exploits0References2
CVE
CVE
added yesterday16 views

CVE-2026-63089

CVE-2026-63089 – WireGuard Easy : A cryptographically weak one-time link token generation in WireGuard Easy (through 15.3.0) allows unauthenticated network attackers to recover peer credentials. The token is computed as CRC32 over a random value constrained to 0-999, enabling brute-forcing a keys...

9.3CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added yesterday5 views

EUVD-2026-45013

WireGuard Easy through 15.3.0, fixed in commit 66b292b, contains a cryptographically weak one-time link token generation vulnerability that allows unauthenticated network attackers to recover WireGuard peer credentials by brute-forcing a keyspace of at most 1000 candidate tokens per client ID, as...

9.3CVSS6.1AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-45336

HireFlow is a web-based interview management system for managing candidates, scheduling interviews, and tracking hiring progress. In 1.2 and earlier, app.py assigns a hard-coded Flask secretkey used to sign session cookies, allowing unauthenticated attackers who know the public source value to...

10CVSS6.1AI score
Exploits0References3Affected Software1
RedHat Linux
RedHat Linux
added yesterday5 views

golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation

A flaw was found in golang.org/x/crypto/ssh. Source-address validation can be skipped when an SSH server configuration uses an authentication callback type other than public key, allowing authorization bypass in misconfigured servers. This is a follow-on to incomplete coverage from the...

10CVSS6.3AI score0.0044EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added yesterday5 views

golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions

A flaw was found in golang.org/x/crypto/ssh/agent. When a key was added to a remote agent, security restrictions, known as constraint extensions, were not properly processed during the request. This allowed these restrictions to be silently removed when keys were forwarded, leading to the...

9.1CVSS6.1AI score0.00525EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added yesterday5 views

crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages

A flaw was found in the crypto/tls package within the Go golang standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock,...

7.5CVSS6.9AI score0.00621EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added yesterday6 views

golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey

A flaw was found in golang.org/x/crypto/ssh/knownhosts. This vulnerability occurs because the system did not correctly check for the revocation status of a SignatureKey belonging to a Certificate Authority CA. A remote attacker could potentially exploit this by presenting a revoked key, leading t...

9.1CVSS6.1AI score0.00487EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added yesterday6 views

golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters

A flaw was found in golang.org/x/crypto/ssh. The RSA and DSA public key parsers in the affected component did not enforce size limits on key parameters. This vulnerability allows an unauthenticated client to provide a crafted public key with an excessively large modulus or DSA parameter during...

7.5CVSS6.3AI score0.00415EPSS
Exploits0References9
RedhatCVE
RedhatCVE
added yesterday6 views

CVE-2026-38974

A flaw was found in Dulwich. The contrib/paramikovendor.py component is missing Secure Shell SSH host key verification. This vulnerability allows a remote attacker to impersonate a legitimate Git server. By doing so, the attacker could potentially intercept sensitive information or execute...

8.8CVSS6.3AI score0.00145EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added yesterday4 views

Important: Red Hat Security Advisory: external secrets operator for Red Hat OpenShift 1.0.0

external secrets operator for Red Hat OpenShift 1.0.0 The External Secrets Operator for Red Hat OpenShift builds on top of Kubernetes, which integrates external secret management systems like AWS Secrets Manager, HashiCorp Vault, Google Secrets Manager, Azure Key Vault, IBM Cloud Secrets Manager,...

10CVSS7AI score0.01945EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday11 views

Zoho ManageEngine - getUserAPIKey Authentication Bypass

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 125657, 126002, 126104, and 126118 allow unauthenticated attackers to obtain a user's API key, and then access external...

7.5CVSS7AI score0.08206EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday33 views

SolarWinds Web Help Desk - Authentication Bypass

SolarWinds Web Help Desk 12.8.8 HF1 and earlier contains an authentication bypass vulnerability in the WebObjects session handling. By crafting a request with a manipulated path component to an internal admin page endpoint, an unauthenticated attacker can access privileged administrative function...

9.8CVSS7.1AI score0.8413EPSS
Exploits5References4
Nuclei
Nuclei
added yesterday76 views

Zoho ManageEngine OpManager - SQL Injection

Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL...

7.5CVSS7AI score0.66347EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday185 views

Netmaker - Hardcoded DNS Secret Key

Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. id: CVE-2023-32077 info: name: Netmaker - Hardcoded DNS Secret Key author: iamnoooob,rootxharsh,pdresearch...

7.5CVSS6.8AI score0.03147EPSS
Exploits0
Nuclei
Nuclei
added yesterday24 views

SmartSearchWP < 2.4.6 - OpenAI Key Disclosure

The plugin does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key. id: CVE-2024-6845 info: name: SmartSearchWP 2.4.6 - OpenAI Key Disclosure author: s4e-io severity: medium...

5.3CVSS6.1AI score0.01113EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday7 views

Gorse < 0.5.10 - Unauthenticated Database Dump

Gorse 0.5.10 contains an authentication bypass caused by empty adminapikey in /api/dump and /api/restore endpoints, letting unauthenticated remote attackers access and modify protected data, exploit requires default empty adminapikey configuration. id: CVE-2026-56782 info: name: Gorse 0.5.10 -...

9.8CVSS6.1AI score0.03016EPSS
Exploits2References2
Rows per page
Query Builder