50 matches found
CVE-2026-50629
The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgra...
@appwise/oauth2-server (>=0.0.19 <=0.2.2), @dyne/slangroom-chain (>=1.4.0 <=1.16.10) +8 more potentially affected by CVE-2026-41213 via @node-oauth/oauth2-server (>=5.0.0-rc.3 <=5.2.1)
@node-oauth/oauth2-server NPM version =5.0.0-rc.3, =0.0.19, =1.4.0, =1.3.0, =4.0.0, =1.16.0, =1.0.0, =1.0.0, =1.0.0, =1.0.1 Source cves: CVE-2026-41213 Source advisory: SNYK:JS-NODEOAUTHOAUTH2SERVER-16420261...
CVE-2026-41213
creationtimestamp | type | source
---|---|---
2026-04-15 08:02:45+00:00 | published-proof-of-concept | https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf...
CVE-2026-39976
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier since there's no user. The token guard then passes this value ...
CVE-2017-18924
oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...
EUVD-2021-0921
Malware in sbrugna...
EUVD-2022-6482
Malicious code in bioql PyPI...
EUVD-2025-9026
Malicious code in bioql PyPI...
EUVD-2022-37745
Malicious code in bioql PyPI...
CVE-2020-5300
In Hydra, an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go, before version 1.4.0+oryOS.17, when using client authentication method 'private_key_jwt', the OpenID specification says the following about assertion jti: "A unique identifier for the token, which can be used to...
CVE-2025-31691
Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0...
GHSA-4F8Q-MWGC-3MWC Drupal OAuth2 Server Missing Authorization vulnerability
Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0...
Drupal OAuth2 Server Missing Authorization vulnerability
Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0...
CVE-2025-31691
The CVE-2025-31691 issue affects Drupal OAuth2 Server, with vulnerable versions 0.0.0 through 2.0.x. The root cause is a Missing Authorization flaw that enables Forceful Browsing, effectively bypassing access controls. Impact is described as a high-severity access bypass affecting authentication ...
CVE-2025-31691 OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020
Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0...
PT-2025-13855 · Drupal · Drupal Oauth2 Server
Name of the Vulnerable Software and Affected Versions: Drupal OAuth2 Server versions 0.0.0 through 2.0.x Description: The issue is related to a Missing Authorization vulnerability in the Drupal OAuth2 Server, which allows Forceful Browsing. Recommendations: For versions 0.0.0 through 2.0.x, updat...
OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020
Provides OAuth2 server functionality based on the oauth2-server-php library. The module does not consistently enforce admin configurations allowing users on a disabled server to still authenticate...