5 matches found
CVE-2026-53662 immich: One-click account takeover via XSS in login page continue redirect
immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting XSS vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The contin...
Dify: When Your AI Platform Becomes the Attack Surface
Executive Summary We identified a couple of vulnerabilities in AI automation platform Dify resulting in cross-tenant sensitive information disclosure and one-click account takeover. These findings reinforce the pattern we documented in our previous n8n blogpost: even though AI automation platform...
PT-2026-26617
Bludit is vulnerable to Stored Cross-Site Scripting XSS in its page creating functionality. An authenticated attacker with page creation privileges such as Author, Editor, or Administrator can embed a malicious JavaScript payload in the tags field of a newly created article. This payload will be...
OPENSUSE-SU-2026:20257-1 Security update for python-Authlib
This update for python-Authlib fixes the following issues: Changes in python-Authlib: - CVE-2025-68158: Fixed 1-click account takeover in applications that use the Authlib library bsc1256414...
GHSA-VP58-J275-797X Better Auth allows bypassing the trustedOrigins Protection which leads to ATO
Summary A bypass was discovered in the trustedOrigins validation logic—affecting both absolute URL entries and wildcard domain patterns. This flaw allows an attacker to construct a malicious callbackURL that passes origin checks and triggers an open redirect. Because redirect endpoints include...