GHSA-R95X-QFJJ-FJJ2 Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect

Summary An unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. Details...

Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect

Summary An unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. Details...

PT-2026-40589

Name of the Vulnerable Software and Affected Versions Authlib versions prior to 1.6.12 Authlib versions prior to 1.7.1 Description An unauthenticated open redirect exists in the authorization endpoint of the OpenIDImplicitGrant and OpenIDHybridGrant components. A remote attacker can cause the...

Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure

Summary The system log endpoints GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary...

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization due to missing enforcement of the operator.admin scope in mutating internal ACP chat commands. An attacker can perform unauthorized mutating control-plane actions by...

CVE-2026-3582

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token PAT lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...

CVE-2026-28225

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the getmodel method in ModelFilesController line 158-160 loads models using Model.findparamparams:modelid without policyscope, bypassing...

CVE-2025-62176

Summary : The Mastodon streaming server vulnerability CVE-2025-62176 allows OAuth clients lacking the read:statuses scope to subscribe to public timelines by using any valid authentication token. Affected versions : prior to 4.4.6, 4.3.14, and 4.2.27. Root cause : streaming server accepts events ...

Exposure of Data Element to Wrong Session

Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session due to the shared instance used in field injection without a CDI scope. An attacker can manipulate request data, impersonate users, or access sensitive information by exploiting the leakage of...

PT-2022-23123 · Pypi · Py-Cord

Name of the Vulnerable Software and Affected Versions: py-cord version 2.0.0 Description: The issue affects py-cord, a Python API wrapper for Discord, allowing remote shutdown of bots if they are added to a server with the application.commands scope without the bot scope. It appears that all publ...