Lucene search
+L

11429 matches found

Cvelist
Cvelist
added yesterday14 views

CVE-2026-16072 Keycloak-services: keycloak-services: organization invitation link exposure allows unauthorized member creation

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface...

4.9CVSS
Exploits0References2
RedhatCVE
RedhatCVE
added yesterday5 views

CVE-2026-16072

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface...

4.9CVSS5.3AI score
Exploits0References3
CVE
CVE
added yesterday7 views

CVE-2026-16072

CVE-2026-16072 affects Keycloak’s organization management component. A delegated administrator with org-management permissions can create an invitation for a non-existent email address and then fetch the secret registration link via the API, enabling creation of new user accounts and their additi...

4.9CVSS5.3AI score
Exploits0References2
NVD
NVD
added yesterday5 views

CVE-2026-15943

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing...

5.5CVSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-15943

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing...

5.5CVSS5.3AI score
Exploits0References3
CVE
CVE
added yesterday8 views

CVE-2026-15943

A vulnerability in Keycloak's keycloak-services component affects identity provider management. When a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value, the system performs improper validation and reuses the existing real secret even if fields ...

5.5CVSS5.4AI score
Exploits0References2
Cvelist
Cvelist
added yesterday19 views

CVE-2026-15943 Keycloak-services: keycloak-services: oidc idp update reuses masked client secret after token url change

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing...

5.5CVSS
Exploits0References2
EUVD
EUVD
added yesterday7 views

EUVD-2026-45164

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing...

5.5CVSS5.4AI score
Exploits0References2
RedhatCVE
RedhatCVE
added yesterday6 views

CVE-2026-15943

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing...

5.5CVSS5.3AI score
Exploits0References3
NVD
NVD
added yesterday4 views

CVE-2026-11575

The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash...

7.5CVSS0.00137EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday16 views

CVE-2026-11575 PhonePe Payment Solutions < 3.1.0 - Unauthenticated Payment Bypass via Forged Callback

The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash...

0.00137EPSS
Exploits0References1
CVE
CVE
added yesterday10 views

CVE-2026-11575

The vulnerability affects the PhonePe Payment Solutions WordPress plugin prior to 3.1.0. The issue is that the secret used to validate the callback signature is empty on sites configured through the current setup flow, causing the expected signature to be an unkeyed hash of the request body. This...

7.5CVSS6.1AI score0.00137EPSS
Exploits0References1
EUVD
EUVD
added yesterday6 views

EUVD-2026-45145

The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash...

7.5CVSS5.4AI score0.00137EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-11575

The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash...

5.4AI score0.00137EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday17 views

MagicMirror <= 2.35.0 - Server-Side Request Forgery

An unauthenticated Server-Side Request Forgery SSRF vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment...

9.2CVSS5.5AI score0.01623EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday45 views

Ingress-Nginx Controller - Configuration Injection via Unsanitized `auth-tls-match-cn` Annotation

A security issue was discovered in ingress-nginx https-//github.com/kubernetes/ingress-nginx where the auth-tls-match-cn Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of...

8.8CVSS7.2AI score0.34677EPSS
Exploits7References3
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-14503

The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3 via the wp2pclajaxprocessrequestinner. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract force generation of a...

6.5CVSS6.1AI score0.00287EPSS
Exploits0References8
NVD
NVD
added yesterday5 views

CVE-2026-62236

grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...

5.4CVSS0.00099EPSS
Exploits0References2
NVD
NVD
added yesterday7 views

CVE-2026-62241

clawvet self-hosted API server apps/api before 0.7.5 hard-codes a fallback JWT secret 'clawvet-dev-secret-change-me' in auth.ts and ships it as the default in .env.example. Because GET /api/v1/scans returns scan records containing userId values without authentication, a remote unauthenticated...

9.3CVSS0.00389EPSS
Exploits0References2
NVD
NVD
added yesterday3 views

CVE-2026-62232

Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks only user existence, not authorization, during the pending TOTP challenge window. Attackers who know the victim's password can call this task without a CSRF...

9.1CVSS0.0028EPSS
Exploits0References2
Rows per page
Query Builder