EUVD-2026-28283

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...

CVE-2026-41671

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...

CVE-2026-41671 Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...

CVE-2026-41671

Admidio prior to version 5.0.9 contains a vulnerability in its OIDC token introspection (/modules/sso/index.php/oidc/introspect) and revocation (/oidc/revoke) endpoints. The introspection endpoint always returns {"active": true} and the revocation endpoint returns {"revoked": true} without authen...

Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change

Summary A session invalidation vulnerability exists in daptin's authentication system where JSON Web Tokens JWTs remain fully valid after a user changes their password. The JWT validation middleware CheckJWT only verifies token signature, expiry, issuer, and signing algorithm — it does not check...

Weblate 代码问题漏洞

Weblate is an open-source, copyleft, web-based free software system for continuous localization. Versions of Weblate prior to 5.17.1 had a code-related vulnerability. This vulnerability occurred when users changed their passwords, and the DRF API tokens were not revoked...

Admidio 授权问题漏洞

Admidio is a set of open-source member management systems developed by the Admidio team. This system supports features such as member lists, event management, message boards, photo albums, and downloads. Prior to Admidio 5.0.9, there was an authorization vulnerability. This vulnerability stemmed...

Duplicate Advisory: OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xmxx-7p24-h892. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain...

curl: CURLOPT_PROXY_CRLFILE / CURLOPT_PROXY_ISSUERCERT / CURLOPT_PROXY_ISSUERCERT_BLOB silently ignored on backends that don't support them

From the Mythos report 2026-05-06 F1. CURLOPTPROXYCRLFILE / CURLOPTPROXYISSUERCERT / CURLOPTPROXYISSUERCERTBLOB silently ignored on backends that don't support them — severity Low https://github.com/curl/curl/blob/455bebc2c7/lib/setopt.cL1786-L1797...

CVE-2026-43585

OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthoriz...

CLSA-2026-1778020314 openssl: Fix of CVE-2026-28388

CVE-2026-28388: fix NULL pointer dereference in checkdeltabase when delta CRL lacks CRL Number extension...

GHSA-G27R-R6PH-VF5R sequoia-git has broken hard revocation handling

Before sq-git checks if a commit can be authenticated, it first looks for hard revocations. Because parsing a policy is expensive and a project's policy rarely changes, sq-git has an optimization to only check a policy if it hasn't checked it before. It does this by maintaining a set of policies...

sequoia-git has broken hard revocation handling

Before sq-git checks if a commit can be authenticated, it first looks for hard revocations. Because parsing a policy is expensive and a project's policy rarely changes, sq-git has an optimization to only check a policy if it hasn't checked it before. It does this by maintaining a set of policies...

GHSA-5HFV-C864-QCQ9 CI4MS has a Deactivated User Session Bypass (active=0)

Summary The auth filter has the deactivated/banned user check commented out. Details CodeIgniter Shield's loggedIn re-checks the status field catching status='banned', but does not re-check the active field for existing sessions. When an admin deactivates a user active=0 after they have already...

PT-2026-37161

Name of the Vulnerable Software and Affected Versions CI4MS versions 0.26.0 through 0.31.7.0 Description The auth filter contains commented-out code for checking if a user is deactivated or banned. While the loggedIn function in CodeIgniter Shield verifies the status field to identify banned user...

Astra Linux - уязвимость в thunderbird

When importing a revoked key with “key compromise” as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked. As a result, the existing key remained unrevoked. Revocation statements that used another revocation reason, or those that did not specify...

Astra Linux - уязвимость в curl

Curl versions 7.41.0 through 7.73.0 are vulnerable to a flaw related to improper checks for certificate revocation, due to insufficient verification of the OCSP response...

Astra Linux - уязвимость в thunderbird

The OCSP revocation status of recipient certificates was not checked when sending S/MIME encrypted emails. As a result, revoked certificates were accepted. This bug affected Thunderbird versions from 68 to 102.9.1. This vulnerability affects Thunderbird versions earlier than 102.10...

[SECURITY] Fedora 43 Update: openbao-2.5.3-1.fc43

Openbao secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Openbao handles leasing, key revocation, key rolling, and auditing. Through a unified API, us ers can access an encrypted Key/Value store and network...

[SECURITY] Fedora 42 Update: openbao-2.5.3-1.fc42

Openbao secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Openbao handles leasing, key revocation, key rolling, and auditing. Through a unified API, us ers can access an encrypted Key/Value store and network...