Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

1609 matches found

ATTACKERKB
ATTACKERKBadded 2026/05/12 5:11 p.m.5 views

CVE-2026-42177

linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSOURL + "/", i.e. "https://login.microsoftonline.com/". Chrome's urlFilter without a |...

5.3CVSS5.8AI score0.00234EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichmentadded 2026/05/12 5:11 p.m.5 views

CVE-2026-42177 linux-entra-sso: PRT SSO cookie can leak to attacker-controlled hosts when broad host permissions are granted

linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSOURL + "/", i.e. "https://login.microsoftonline.com/". Chrome's urlFilter without a |...

5.3CVSS5.8AI score0.00234EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/05/12 5:11 p.m.32 views

CVE-2026-42177 linux-entra-sso: PRT SSO cookie can leak to attacker-controlled hosts when broad host permissions are granted

linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSOURL + "/", i.e. "https://login.microsoftonline.com/". Chrome's urlFilter without a |...

5.3CVSS0.00234EPSS
Exploits0References1
Debian CVE
Debian CVEadded 2026/05/12 5:11 p.m.10 views

CVE-2026-42177

linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSOURL + "/", i.e. "https://login.microsoftonline.com/". Chrome's urlFilter without a |...

5.3CVSS5.8AI score0.00234EPSS
Exploits0
NVD
NVDadded 2026/05/12 3:16 p.m.8 views

CVE-2026-43983

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...

8.5CVSS0.00247EPSS
Exploits1References1
ATTACKERKB
ATTACKERKBadded 2026/05/12 2:19 p.m.7 views

CVE-2026-43983

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...

8.5CVSS5.8AI score0.00247EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichmentadded 2026/05/12 2:19 p.m.10 views

CVE-2026-43983 Pocket ID: OIDC refresh token flow bypasses authorization revocation, account disabling, and group restrictions

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...

8.5CVSS5.8AI score0.00247EPSS
Exploits1References1
Cvelist
Cvelistadded 2026/05/12 2:19 p.m.32 views

CVE-2026-43983 Pocket ID: OIDC refresh token flow bypasses authorization revocation, account disabling, and group restrictions

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...

8.5CVSS0.00247EPSS
Exploits1References1
CVE
CVEadded 2026/05/12 2:19 p.m.19 views

CVE-2026-43983

Pocket ID’s OIDC refresh token flow (createTokenFromRefreshToken in oidc_service.go) fails to re-check the user’s current authorization state before issuing new tokens prior to version 2.6.0. This can allow token refresh after authorization revocation, post-account disabling, or after removal fro...

8.5CVSS5.8AI score0.00247EPSS
Exploits1References1Affected Software1
EUVD
EUVDadded 2026/05/12 2:19 p.m.9 views

EUVD-2026-29482

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...

8.5CVSS5.8AI score0.00247EPSS
Exploits1References1
Microsoft KB
Microsoft KBadded 2026/05/12 2:0 p.m.12 views

Update 28.1 for Microsoft Dynamics 365 Business Central 2026 Release Wave 1 (Application Build 28.1.49886, Platform Build 28.0.49873)

None None...

7.8CVSS5.8AI score0.00272EPSS
Exploits0
RedhatCVE
RedhatCVEadded 2026/05/12 12:42 p.m.13 views

CVE-2026-43911

A flaw was found in Vaultwarden. This vulnerability allows an attacker who has previously obtained a user's refresh token to maintain session access. This occurs because refresh tokens are not invalidated when security-sensitive operations, such as password changes or key rotations, are performed...

8.1CVSS5.7AI score0.00216EPSS
Exploits1References2
Positive Technologies
Positive Technologiesadded 2026/05/12 12:0 a.m.9 views

PT-2026-40035

Name of the Vulnerable Software and Affected Versions Pocket ID versions prior to 2.6.0 Description The createTokenFromRefreshToken function in oidc service.go validates the cryptographic integrity of refresh tokens but fails to re-verify the user's current authorization state before issuing new...

8.5CVSS5.7AI score0.00247EPSS
Exploits1References3
NVD
NVDadded 2026/05/11 11:20 p.m.16 views

CVE-2026-43911

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's securitystamp is rotated by some security-sensitive operations password change, KDF change, key rotation, email change, org admin password reset, emergency access...

8.1CVSS0.00216EPSS
Exploits1References1
AlpineLinux
AlpineLinuxadded 2026/05/11 9:54 p.m.9 views

CVE-2026-43911

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's securitystamp is rotated by some security-sensitive operations password change, KDF change, key rotation, email change, org admin password reset, emergency access...

8.1CVSS5.8AI score0.00216EPSS
Exploits1References1
CVE
CVEadded 2026/05/11 9:54 p.m.24 views

CVE-2026-43911

Vaultwarden (Rust) prior to 1.35.5 does not invalidate refresh tokens when a user’s security_stamp is rotated during security-sensitive operations (password/KDF/key rotation, email change, org admin password reset, emergency access takeover). An attacker holding a previously issued refresh token ...

8.1CVSS5.8AI score0.00216EPSS
Exploits1References1Affected Software1
Cvelist
Cvelistadded 2026/05/11 9:54 p.m.37 views

CVE-2026-43911 Vaultwarden: Refresh tokens not invalidated on security stamp rotation

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's securitystamp is rotated by some security-sensitive operations password change, KDF change, key rotation, email change, org admin password reset, emergency access...

6.8CVSS0.00216EPSS
Exploits1References1
ATTACKERKB
ATTACKERKBadded 2026/05/11 9:54 p.m.7 views

CVE-2026-43911

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's securitystamp is rotated by some security-sensitive operations password change, KDF change, key rotation, email change, org admin password reset, emergency access...

6.8CVSS5.8AI score0.00216EPSS
Exploits1References2Affected Software1
EUVD
EUVDadded 2026/05/11 9:54 p.m.9 views

EUVD-2026-29339

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's securitystamp is rotated by some security-sensitive operations password change, KDF change, key rotation, email change, org admin password reset, emergency access...

6.8CVSS5.8AI score0.00216EPSS
Exploits1References1
Positive Technologies
Positive Technologiesadded 2026/05/11 12:0 a.m.13 views

PT-2026-39861

Name of the Vulnerable Software and Affected Versions Vaultwarden versions prior to 1.35.5 Description Refresh tokens are not invalidated when a user's security stamp is rotated during security-sensitive operations, such as password changes, KDF changes, key rotation, email changes, organization...

6.8CVSS5.8AI score0.00216EPSS
Exploits1References3
Rows per page
Query Builder