Lucene search
K

124 matches found

Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.3 views

PT-2026-53777

Impact ServerFilters.DigestAuth and the underlying DigestAuthProvider both defaulted their nonceVerifier parameter to true — i.e. every nonce was accepted regardless of value, age, or prior use. Any deployment using the default configuration had no replay protection on Digest authentication; a...

5.7AI score
Exploits0References7
EUVD
EUVD
added 2026/06/12 6:3 p.m.11 views

EUVD-2026-36525

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys,...

9.8CVSS5.4AI score0.0033EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 6:3 p.m.38 views

CVE-2026-28742 Naxclow IoT Platform Use of hard-coded cryptographic key

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys,...

9.8CVSS0.0033EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.15 views

VMware Spring Web Services 安全漏洞

VMware Spring Web Services is a SOAP Web services development framework provided by the American company VMware. There are security vulnerabilities in versions 5.0.0 to 5.0.1, 4.1.0 to 4.1.3, 4.0.0 to 4.0.18, and 3.1.0 to 3.1.8 of VMware Spring Web Services. These vulnerabilities stem from...

3.7CVSS5.4AI score0.00223EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.12 views

CVE-2026-9095

Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse function in object/samlsp.go calls sp.RetrieveAssertionInfo and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcemen...

8.1CVSS5.5AI score0.00298EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/02 12:0 a.m.12 views

PT-2026-45833

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2025.12.5 authentik versions prior to 2026.2.3 Description The SAML source response processor ResponseProcessor.parse fails to validate the Conditions element on assertions. Specifically, NotBefore, NotOnOrAfter, an...

7.5CVSS5.5AI score0.00169EPSS
Exploits0References3
NVD
NVD
added 2026/05/28 5:16 p.m.23 views

CVE-2026-9095

Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse function in object/samlsp.go calls sp.RetrieveAssertionInfo and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcemen...

8.1CVSS0.00298EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/28 4:25 p.m.7 views

CVE-2026-9095

Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse function in object/samlsp.go calls sp.RetrieveAssertionInfo and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcemen...

5.9AI score0.00298EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/28 4:25 p.m.30 views

CVE-2026-9095 CVE-2026-9095

Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse function in object/samlsp.go calls sp.RetrieveAssertionInfo and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcemen...

0.00298EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/28 4:25 p.m.9 views

CVE-2026-9095 CVE-2026-9095

Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse function in object/samlsp.go calls sp.RetrieveAssertionInfo and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcemen...

5.9AI score0.00298EPSS
Exploits0References1
CVE
CVE
added 2026/05/28 4:25 p.m.23 views

CVE-2026-9095

Casdoor CVE-2026-9095 affects versions 2.362.0 and earlier. The ParseSamlResponse() in object/saml_sp.go maps retrieved SAML assertions directly to user sessions without replay protection, lacking an assertion ID cache, OneTimeUse enforcement, or replay detection in the SAML SP code path. This en...

8.1CVSS5.9AI score0.00298EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/28 12:0 a.m.12 views

Casdoor 安全漏洞

Casdoor is an open-source platform developed by Casdoor that supports various authentication and authorization protocols. Versions of Casdoor prior to 2.362.0 contained security vulnerabilities. These vulnerabilities stemmed from a lack of replay protection when mapping SAML assertions to user...

8.1CVSS6AI score0.00298EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/28 12:0 a.m.13 views

PT-2026-44424

Name of the Vulnerable Software and Affected Versions Casdoor versions prior to 2.362.1 Description Casdoor maps SAML assertions to user sessions without replay protection. The ParseSamlResponse function in object/saml sp.go calls sp.RetrieveAssertionInfo and immediately maps the result to a user...

8.1CVSS5.9AI score0.00298EPSS
Exploits0References3
Packet Storm News
Packet Storm News
added 2026/05/12 12:0 a.m.10 views

Five Attacks on X402 Agentic Payment Protocol

The x402 protocol revives the HTTP 402 Payment Required status code to enable web-native micropayments across APIs, content, and agents. It combines synchronous HTTP authorization with asynchronous blockchain settlement and introduces a cross-layer attack surface absent from conventional web and...

5.9AI score
Exploits0
OSV
OSV
added 2026/05/06 9:31 p.m.5 views

GHSA-CJG8-85GJ-V9Q2 Duplicate Advisory: OpenClaw: Feishu webhook and card-action validation now fail closed

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xh72-v6v9-mwhc. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validatio...

9.8CVSS6AI score0.00718EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/05/06 9:31 p.m.11 views

Duplicate Advisory: OpenClaw: Feishu webhook and card-action validation now fail closed

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xh72-v6v9-mwhc. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validatio...

9.8CVSS6AI score0.00718EPSS
Exploits1References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/06 7:49 p.m.4 views

CVE-2026-44109

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling...

9.8CVSS6.1AI score0.00718EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/05/06 7:49 p.m.7 views

CVE-2026-44109 OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling...

9.8CVSS6.1AI score0.00718EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/05/06 7:49 p.m.60 views

CVE-2026-44109 OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling...

9.8CVSS0.00718EPSS
Exploits1References3
EUVD
EUVD
added 2026/04/30 11:47 a.m.7 views

EUVD-2026-26367

In the Linux kernel, the following vulnerability has been resolved: cifs: some missing initializations on replay In several places in the code, we have a label to signify the start of the code where a request can be replayed if necessary. However, some of these places were missing the necessary...

5.5AI score0.00129EPSS
Exploits0References5
Rows per page
Query Builder