Lucene search
K

2036 matches found

CVE
CVE
added 2026/03/26 8:6 p.m.46 views

CVE-2026-21724

Grafana OSS vulnerability CVE-2026-21724: a flaw in the Provisioning Contact Points API allows users with Editor role to bypass authorization and modify protected webhook URLs without the alert.notifications.protected:write permission. Impact is limited to unauthorized changes to protected webhoo...

5.4CVSS5.7AI score0.00238EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/03/26 8:6 p.m.25 views

CVE-2026-21724 Missing Protected-field Authorization in Provisioning Contact Points API

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission...

5.4CVSS0.00238EPSS
Exploits0References1
OSV
OSV
added 2026/03/26 8:6 p.m.1 views

CVE-2026-21724 Missing Protected-field Authorization in Provisioning Contact Points API

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission...

5.4CVSS5.8AI score0.00238EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/03/26 3:2 p.m.6 views

CVE-2026-32130

ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management SCIM API to provision users from external providers into Zitadel. Request to the API with URL-encoded path values were correctly routed bu...

7.5CVSS5.8AI score0.00584EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/26 12:0 a.m.26 views

PT-2026-28321

Name of the Vulnerable Software and Affected Versions Grafana OSS affected versions not specified Description An authorization bypass exists in the provisioning contact points API. This allows users with the Editor role to modify protected webhook URLs without the necessary...

6.5CVSS5.9AI score0.00238EPSS
Exploits0References100
Cvelist
Cvelist
added 2026/03/25 4:2 p.m.30 views

CVE-2026-20086

A vulnerability in the processing of Control and Provisioning of Wireless Access Points CAPWAP packets of Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family could allow an unauthenticated, remote attacker to cause a denial of service DoS condition on an affected device. This...

8.6CVSS0.00354EPSS
Exploits0References1
Cisco
Cisco
added 2026/03/25 4:0 p.m.20 views

Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family CAPWAP Denial of Service Vulnerability

A vulnerability in the processing of Control and Provisioning of Wireless Access Points CAPWAP packets of Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family could allow an unauthenticated, remote attacker to cause a denial of service DoS condition on an affected device. This...

8.6CVSS5.9AI score0.00354EPSS
Exploits0References1
Grafana
Grafana
added 2026/03/25 12:0 a.m.11 views

Missing Protected-field Authorization in Provisioning Contact Points API

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission...

5.4CVSS5.7AI score0.00238EPSS
Exploits0
EUVD
EUVD
added 2026/03/17 6:30 p.m.6 views

EUVD-2026-12604

The GL-iNet Comet GL-RM1 KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the...

6.3CVSS5.7AI score0.00332EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/17 12:0 a.m.18 views

PT-2026-25915

The GL-iNet Comet GL-RM1 KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the...

6.3CVSS5.7AI score0.00332EPSS
Exploits0References6
NVD
NVD
added 2026/03/11 10:16 p.m.7 views

CVE-2026-32130

ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management SCIM API to provision users from external providers into Zitadel. Request to the API with URL-encoded path values were correctly routed bu...

7.5CVSS0.00584EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/02/25 10:16 a.m.6 views

CVE-2024-1524

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider IDP there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will...

8.1CVSS5.3AI score0.00261EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/02/24 8:34 p.m.9 views

Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass

Summary Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list 100 entries it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the...

9.1CVSS5.7AI score0.0037EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2026/02/24 8:22 p.m.5 views

GHSA-HFFM-G8V7-WRV7 Caddy: mTLS client authentication silently fails open when CA certificate file is missing or malformed

Summary Two swallowed errors in ClientAuthentication.provision cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA,...

9.3CVSS5.6AI score0.00267EPSS
Exploits1References7
NVD
NVD
added 2026/02/24 9:16 a.m.8 views

CVE-2024-1524

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider IDP there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will...

8.1CVSS0.00261EPSS
Exploits0References1
OSV
OSV
added 2026/02/24 9:16 a.m.6 views

CVE-2024-1524

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider IDP there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will...

8.1CVSS5.7AI score0.00261EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/02/24 8:51 a.m.5 views

CVE-2024-1524 A local user can be impersonated when using federated authentication with Silent JIT Provisioning.

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider IDP there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will...

7.7CVSS5.2AI score0.00261EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/24 8:51 a.m.5 views

CVE-2024-1524

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider IDP there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will...

7.7CVSS5.3AI score0.00261EPSS
Exploits0References2Affected Software2
Cvelist
Cvelist
added 2026/02/24 8:51 a.m.21 views

CVE-2024-1524 A local user can be impersonated when using federated authentication with Silent JIT Provisioning.

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider IDP there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will...

7.7CVSS0.00261EPSS
Exploits0References1
CVE
CVE
added 2026/02/24 8:51 a.m.13 views

CVE-2024-1524

CVE-2024-1524 describes a risk when a federated IDP uses Silent Just-In-Time provisioning: if preconditions are met, a malicious actor could cause a targeted local user account to be linked to a federated IDP user they control, potentially replacing information in the local user store. The CVE is...

8.1CVSS5.3AI score0.00261EPSS
Exploits0References1Affected Software2
Rows per page
Query Builder