Lucene search
K

45 matches found

RedhatCVE
RedhatCVE
added 2026/04/07 5:7 p.m.5 views

CVE-2026-34969

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers,...

7.5CVSS5.9AI score0.00267EPSS
Exploits1References1
NVD
NVD
added 2026/04/06 4:16 p.m.6 views

CVE-2026-34969

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers,...

7.5CVSS0.00267EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/06 4:1 p.m.4 views

CVE-2026-34969 Nhost Leaks the Refresh Token via URL Query Parameter in OAuth Provider Callback

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers,...

2.3CVSS5.9AI score0.00267EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/06 4:1 p.m.7 views

EUVD-2026-19358

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers,...

2.3CVSS5.9AI score0.00267EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/06 4:1 p.m.42 views

CVE-2026-34969 Nhost Leaks the Refresh Token via URL Query Parameter in OAuth Provider Callback

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers,...

2.3CVSS0.00267EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.9 views

Nhost 安全漏洞

Nhost is an open-source backend service platform developed by Nhost. Versions of Nhost prior to 0.48.0 contained security vulnerabilities. These vulnerabilities stemmed from the OAuth provider’s callback process for authentication services, where the refresh token was directly placed as a query...

7.5CVSS5.8AI score0.00267EPSS
Exploits1References2
OSV
OSV
added 2026/04/01 11:36 p.m.9 views

GHSA-G2QJ-PRGH-4G9R Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback

Refresh Token Leaked via URL Query Parameter in OAuth Provider Callback Summary The auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer...

7.5CVSS6.1AI score0.00267EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/01 11:36 p.m.8 views

Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback

Refresh Token Leaked via URL Query Parameter in OAuth Provider Callback Summary The auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer...

7.5CVSS6.1AI score0.00267EPSS
Exploits1References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/01 5:3 p.m.4 views

CVE-2026-34200

Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to...

7.7CVSS5.7AI score0.00361EPSS
Exploits1References1
NVD
NVD
added 2026/03/31 3:16 p.m.4 views

CVE-2026-34200

Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to...

7.7CVSS0.00361EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/31 1:57 p.m.2 views

CVE-2026-34200

Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to...

7.7CVSS5.7AI score0.00361EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/31 1:57 p.m.2 views

CVE-2026-34200 Nhost CLI MCP Server: Missing Inbound Authentication on Explicitly Bound Network Port

Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to...

7.7CVSS5.7AI score0.00361EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/31 1:57 p.m.25 views

CVE-2026-34200 Nhost CLI MCP Server: Missing Inbound Authentication on Explicitly Bound Network Port

Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to...

7.7CVSS0.00361EPSS
Exploits1References3
EUVD
EUVD
added 2026/03/31 1:57 p.m.3 views

EUVD-2026-17452

Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to...

7.7CVSS5.7AI score0.00361EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.7 views

PT-2026-29264

Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to...

7.7CVSS5.7AI score0.00361EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/03/31 12:0 a.m.7 views

Nhost 安全漏洞

Nhost is an open-source backend service platform developed by Nhost. Versions of Nhost prior to 1.41.0 contained security vulnerabilities. These vulnerabilities stemmed from the Nhost CLI MCP server, which, when explicitly configured to listen on network ports, did not apply inbound authenticatio...

7.7CVSS5.8AI score0.00361EPSS
Exploits1References3
SUSE CVE
SUSE CVE
added 2026/03/28 12:25 a.m.7 views

SUSE CVE-2026-33221

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type,...

5.3CVSS5.8AI score0.00173EPSS
Exploits0References3
OSV
OSV
added 2026/03/23 6:14 p.m.4 views

GO-2026-4759 Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload in github.com/nhost/nhost

Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload in github.com/nhost/nhost...

5.3CVSS5.8AI score0.00173EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/20 11:0 p.m.5 views

CVE-2026-33221

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type,...

2.1CVSS5.8AI score0.00173EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/20 11:0 p.m.6 views

CVE-2026-33221 Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type,...

2.1CVSS6.3AI score0.00173EPSS
Exploits0References6
Rows per page
Query Builder