27 matches found

Positive Technologies
added 2026/06/03 12:0 a.m. | 13 views

PT-2026-46003

Mercusys AC12G EU V1 with firmware AC12GEU V1 200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary...

AI score: 5.8 | EPSS: 0.00137
Exploits: 0 | References: 2

RedhatCVE
added 2026/04/21 5:6 p.m. | 3 views

CVE-2026-40293

A flaw was found in OpenFGA, an authorization/permission engine. When OpenFGA is configured to use preshared-key authentication and the built-in playground is enabled and accessible beyond localhost or trusted networks, a remote attacker can exploit this vulnerability. The local server includes t...

CVSS: 7.5 | AI score: 5.7 | EPSS: 0.00203
Exploits: 0 | References: 5

ATTACKERKB
added 2026/04/17 8:47 p.m. | 1 views

CVE-2026-40293

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...

CVSS: 6.5 | AI score: 5.7 | EPSS: 0.00203
Exploits: 0 | References: 3 | Affected Software: 1

Vulnrichment
added 2026/04/17 8:47 p.m. | 5 views

CVE-2026-40293 OpenFGA Playground Preshared Key Exposure

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...

CVSS: 6.5 | AI score: 5.7 | EPSS: 0.00203
Exploits: 0 | References: 2

Cvelist
added 2026/04/17 8:47 p.m. | 21 views

CVE-2026-40293 OpenFGA Playground Preshared Key Exposure

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...

CVSS: 6.5 | EPSS: 0.00203
Exploits: 0 | References: 2

CVE
added 2026/04/17 8:47 p.m. | 15 views

CVE-2026-40293

OpenFGA OpenID/OpenFGA Playground vulnerability (CVE-2026-40293) affects OpenFGA 0.1.4–1.13.1 when preshared authentication is used and the built‑in playground is enabled with the endpoint accessible beyond localhost. The local HTML response from /playground reveals the preshared API key, enablin...

CVSS: 6.5 | AI score: 5.7 | EPSS: 0.00203
Exploits: 0 | References: 2 | Affected Software: 1

Snyk
added 2026/04/08 9:51 p.m. | 2 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the runPlaygroundServer process in cmd/run/run.go and the playground configuration in pkg/server/config/config.go. An attacker can recover the preshared API key by sending an unauthenticated request to the...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.00203
Exploits: 0 | References: 2

OSV
added 2026/04/08 9:51 p.m. | 6 views

GHSA-68M9-983M-F3V5 OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response

Description When OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00203
Exploits: 0 | References: 4

OSV
added 2026/03/30 2:36 p.m. | 0 views

OPENSUSE-SU-2026:20446-1 Security update for gnutls

This update for gnutls fixes the following issues:
- CVE-2025-14831: Fixed DoS via excessive resource consumption during certificate verification (bsc#1257960).
- CVE-2025-9820: Fixed a buffer overflow in gnutls_pkcs11_token_init (bsc#1254132).
- Add the functionality to allow to specify the hash algorith...

CVSS: 5.3 | AI score: 6.2 | EPSS: 0.00638
Exploits: 1 | References: 5

RedHat Linux
added 2026/02/18 8:42 a.m. | 6 views

nodejs: Nodejs denial of service

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths tlsClientError and error, causing either immediate...

CVSS: 7.5 | AI score: 6 | EPSS: 0.01056
Exploits: 0 | References: 5

RedHat Linux
added 2026/02/10 12:54 p.m. | 2 views

nodejs: Nodejs denial of service

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths tlsClientError and error, causing either immediate...

CVSS: 7.5 | AI score: 5.9 | EPSS: 0.01056
Exploits: 0 | References: 5

OSV
added 2026/01/20 9:16 p.m. | 3 views

CVE-2026-21637

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths tlsClientError and error, causing either immediate...

CVSS: 7.5 | AI score: 5.9
Exploits: 0 | References: 1

Tenable Nessus
added 2026/01/20 12:0 a.m. | 5 views

MiracleLinux 9 : libreswan-4.12-2.el9.ML.1 (AXSA:2024-8105:03)

The remote MiracleLinux 9 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2024-8105:03 advisory. libreswan: Missing PreSharedKey for connection can cause crash CVE-2024-2357 Tenable has extracted the preceding description block directly from the...

CVSS: 6.5 | AI score: 5.6 | EPSS: 0.00944
Exploits: 0 | References: 2

Hacker One
added 2025/12/21 1:14 a.m. | 10 views

Node.js: TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak

A flaw was discovered in Node.js TLS error handling that allowed remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback were in use. Synchronous exceptions thrown during these callbacks bypassed standard TLS error handling paths, causing either immediate...

CVSS: 7.5 | AI score: 5.6 | EPSS: 0.01056
Exploits: 0

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2005-3668

Malware in sbrugna...

CVSS: 7.8 | AI score: 6.1 | EPSS: 0.07453
Exploits: 1 | References: 19

RedhatCVE
added 2025/05/23 6:4 a.m. | 3 views

CVE-2023-29193

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The spicedb serve command contains a flag named --grpc-preshared-key which is used to protect the gRPC API from being accessed by unauthorized requests. The...

CVSS: 8.7 | AI score: 7.1 | EPSS: 0.00762
Exploits: 0 | References: 1

RedHat Linux
added 2025/01/02 6:44 p.m. | 3 views

libreswan: Missing PreSharedKey for connection can cause crash

A flaw was found in Libreswan. This issue causes Libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys authby=secret, and the connection cannot find a matching configured secret. When automatically added on startup using the auto= keyword,...

CVSS: 6.5 | AI score: 5.7 | EPSS: 0.00944
Exploits: 0 | References: 6

BDU FSTEC
added 2023/04/27 12:0 a.m. | 2 views

The vulnerability of the SpiceDB database, related to deficiencies in the error reporting mechanism, allows an intruder to gain unauthorized access to protected information.

The vulnerability of the SpiceDB database is related to deficiencies in the mechanism for generating error reports when processing the /debug/pprof/cmdline command with the --grpc-preshared-key parameter. Exploiting this vulnerability can allow an attacker to gain unauthorized access to protected...

CVSS: 8.7 | AI score: 7.2 | EPSS: 0.00762
Exploits: 0 | References: 5 | Affected Software: 1

Veracode
added 2023/04/19 4:35 p.m. | 31 views

Information Disclosure

github.com/authzed/spicedb is vulnerable to Information Disclosure. The vulnerability exists in the MetricsHandler function in defaults.go because it exposes the --grpc-preshared-key flag in the spicedb serve command which allows an attacker to gain access to the secret key and perform unauthoriz...

CVSS: 8.7 | AI score: 7.5 | EPSS: 0.00762
Exploits: 0 | References: 5 | Affected Software: 1

Prion
added 2023/04/14 8:15 p.m. | 19 views

Spoofing

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The spicedb serve command contains a flag named --grpc-preshared-key which is used to protect the gRPC API from being accessed by unauthorized requests. The...

CVSS: 5 | AI score: 7.7 | EPSS: 0.00762
Exploits: 0 | References: 3 | Affected Software: 1