PT-2026-48848

The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgra...

CVE-2026-41213

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid codeverifier values including one-character strings for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the...

PT-2026-34722

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code verifier values including one-character strings for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the...

@appwise/oauth2-server (>=0.0.19 <=0.2.2), @dyne/slangroom-chain (>=1.4.0 <=1.16.10) +8 more potentially affected by CVE-2026-41213 via @node-oauth/oauth2-server (>=5.0.0-rc.3 <=5.2.1)

@node-oauth/oauth2-server NPM version =5.0.0-rc.3, =0.0.19, =1.4.0, =1.3.0, =4.0.0, =1.16.0, =1.0.0, =1.0.0, =1.0.0, =1.0.1 Source cves: CVE-2026-41213 Source advisory: SNYK:JS-NODEOAUTHOAUTH2SERVER-16420261...

CVE-2026-39976

Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for clientcredentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier since there's no user. The token guard then passes this value ...

br.com.consultdg:database-module (>=1.0.1 <=1.0.10), cn.herodotus.engine:oauth2-authorization-server-autoconfigure (>=3.4.0.0 <=3.4.0.1) +1068 more potentially affected by CVE-2026-22732 via org.springframework.security:spring-security-web (>=6.4.0 <=6.4.13)

org.springframework.security:spring-security-web MAVEN version =6.4.0, =1.0.1, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.5 and more Source cves: CVE-2026-22732 Source advisory: OSV:GHSA-MF92-479X-33...

CVE-2026-28802

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application co...

SUSE CVE-2025-68158

Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state easily obtainable via an attacker-initiated...

CVE-2025-14204

A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command...

CVE-2025-14204

A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command...

CVE-2025-14204 TykoDev cherry-studio-TykoFork OAuth Server Discovery oauth-authorization-server redirectToAuthorization os command injection

A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command...

CVE-2025-14204

Summary of CVE-2025-14204 : TykoDev cherry-studio-TykoFork 0.1 is affected by an OS command injection in the OAuth Server Discovery flow. The vulnerability resides in the function redirectToAuthorization of the file /.well-known/oauth-authorization-server, where improper handling of the authoriza...

TykoTech Fork 操作系统命令注入漏洞

TykoTech Fork is an AI integration tool for LionTech individual developers. An OS command injection vulnerability exists in TykoTech Fork version 0.1, which stems from misuse of the parameter authorizationUrl in the file /.well-known/oauth-authorization-server, which could lead to os command...

EUVD-2025-33768

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes...

CVE-2025-61920

CVE-2025-61920 — Authlib (Python) Authlib’s JOSE implementation (prior to v1.6.5) accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url header or signature spans hundreds of megabytes. During verification, the library decodes and parses the f...

EUVD-2024-29149

Malicious code in bioql PyPI...

EUVD-2022-37164

Malicious code in bioql PyPI...

EUVD-2024-34323

Malicious code in bioql PyPI...

EUVD-2022-51509

Malicious code in bioql PyPI...

EUVD-2023-26504

Malicious code in bioql PyPI...