CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Nuclei•added yesterday•14 views

Shibboleth OIDC OP <3.0.4 - Server-Side Request Forgery

The Shibboleth Identity Provider OIDC OP plugin before 3.0.4 is vulnerable to server-side request forgery SSRF due to insufficient restriction of the requesturi parameter, which allows attackers to interact with arbitrary third-party HTTP services. id: CVE-2022-24129 info: name: Shibboleth OIDC O...

8.2CVSS7.4AI score0.22831EPSS

Exploits1References5

NVD•added 3 days ago•6 views

CVE-2026-45156

8.1CVSS0.00028EPSS

Cvelist•added 3 days ago•23 views

CVE-2026-45278 Nextcloud: Open Redirect in user_oidc login flow via protocol-relative URL bypass

Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses the attackers link to log in via user OIDC. This issue has been patched in version 8.2.2...

3.3CVSS0.00011EPSS

Vulnrichment•added 3 days ago•4 views

CVE-2026-45278 Nextcloud: Open Redirect in user_oidc login flow via protocol-relative URL bypass

3.3CVSS5.7AI score0.00011EPSS

OSV•added 3 days ago•3 views

MAL-2026-5138 Malicious code in @redhat-cloud-services/frontend-components-utilities (npm)

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...

OSSF Malicious Packages•added 3 days ago•9 views

Malicious code in @redhat-cloud-services/config-manager-client (npm)

CNNVD•added 3 days ago•5 views

Nextcloud user_oidc: Input validation error vulnerability

Nextcloud useroidc is an application developed by the German company Nextcloud. In versions 6.1.0 to 8.2.2, there was a vulnerability related to input validation errors. This vulnerability stemmed from improper redirection handling, which could allow attackers to create links that redirect users ...

3.3CVSS5.8AI score0.00011EPSS

OSV•added 3 days ago•8 views

MAL-2026-5144 Malicious code in @redhat-cloud-services/notifications-client (npm)

OSV•added 3 days ago•4 views

MAL-2026-5145 Malicious code in @redhat-cloud-services/patch-client (npm)

Cvelist•added 2026/05/28 3:27 a.m.•23 views

CVE-2026-9791 Keycloak-rhel9: organization data leak after feature disabled in keycloak

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect OIDC token with the 'organization' scope. This allows organization metadata to be disclosed in...

4.3CVSS0.00028EPSS

Exploits0References2

Github Security Blog•added 2026/05/27 9:3 p.m.•8 views

Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims

Description OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager. OidcTokenHandler::verifyClaims registers...

5.8AI score

Exploits0References6Affected Software2

RedhatCVE•added 2026/05/27 8:13 p.m.•29 views

CVE-2026-45321

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...

9.6CVSS7.5AI score0.17051EPSS

Exploits3References1

IBM Security Bulletins•added 2026/05/21 4:12 a.m.•4 views

Security Bulletin: Security vulnerabilities have been found in IBM Verify Identity Access OIDC Provider

Summary Security vulnerabilities have been addresed in IBM Verify Identity Access OIDC Provider Vulnerability Details CVEID:CVE-2026-39883 DESCRIPTION: OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to...

9.8CVSS5.8AI score0.00022EPSS

Exploits1Affected Software1

RedHat Linux•added 2026/05/20 11:23 a.m.•7 views

Important: Red Hat Security Advisory: Red Hat build of Keycloak 26.4.12 Security Update

New Red Hat build of Keycloak 26.4.12 packages are available from the Customer Portal Red Hat build of Keycloak 26.4.12 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Security...

8.1CVSS5.8AI score0.00053EPSS

GithubExploit•added 2026/05/19 12:13 p.m.•59 views

Exploit for Improper Authentication in Litellm

CVE-2026-35030 — LiteLLM Authentication Bypass via OIDC Userin...

9.4CVSS5.8AI score0.00048EPSS

Exploits1

ATTACKERKB•added 2026/05/19 6:27 a.m.•5 views

CVE-2026-8922

A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect OIDC Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially...

5.4CVSS5.8AI score0.00011EPSS

GithubExploit•added 2026/05/18 9:16 a.m.•117 views

Exploit for Embedded Malicious Code in Tanstack Tanstack\/Arktype-Adapter

TanStack Supply Chain Compromise - IOC Checker bash curl -...

9.6CVSS7.6AI score0.17051EPSS

Exploits3

Cvelist•added 2026/05/14 9:9 p.m.•26 views

CVE-2026-44428 MCP Registry: GitHub OIDC tokens replayable across registry deployments due to shared audience

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.6, the client-side and server-side GitHub OIDC flow is bound only to a global audience string, not to the specific registry instance being targeted. On the client side, the publisher...

2.1CVSS0.00012EPSS

EUVD•added 2026/05/14 9:9 p.m.•3 views

EUVD-2026-30493

2.1CVSS5.9AI score0.00012EPSS