4 matches found
CVE-2026-10708
CVE-2026-10708 relates to Adalo’s platform where a single request to a minimal leaderboard component can return user records (emails, UUIDs, custom fields) due to a combination of wildcard CORS, long‑lived tokens (about 20 days), and lack of token revocation. Connected documents confirm this is a...
Nginx-UI: Disabled users retain full API access through previously issued bearer tokens
Summary A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected...
PT-2026-31945
Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.3.0 Description Vikunja's link share authentication constructs authorization objects entirely from JWT claims without server-side database validation. When a project owner deletes a link share or downgrades its...
Managed TLS under Migration: Authentication Authority across CDN and Hosting Transitions
Managed TLS has become a common approach for deploying HTTPS, with platforms generating and storing private keys and automating certificate issuance on behalf of domain operators. This model simplifies operational management but shifts control of authentication material from the domain owner to t...