Lucene search
+L

289 matches found

CVE
CVE
added 2026/03/16 5:2 a.m.24 views

CVE-2026-4217

CVE-2026-4217 affects XREAL Nebula App up to version 3.2.1 on Android. The vulnerability resides in ai.nreal.nebula.universal’s CloudStoragePlugin.java (ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java) where manipulation of accessKey/secretAccessKey/securityToken can lead to unprotected sto...

2.5CVSS5AI score0.00097EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/27 9:1 p.m.13 views

phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint

Summary The WebAuthn prepare endpoint /api/webauthn/prepare creates new active user accounts without any authentication, CSRF protection, CAPTCHA, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Details File:...

7.5CVSS6AI score0.0041EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/02/25 6:59 p.m.7 views

Parse Dashboard is Missing CSRF Protection for its Agent Endpoint

Impact The AI Agent API endpoint POST /apps/:appId/agent lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. Patches The fix adds CSRF middleware to the agent endpoi...

8.3CVSS5.3AI score0.00143EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/02/18 12:28 p.m.25 views

CVE-2026-1582 WP All Export <= 1.4.14 - Unauthenticated Sensitive Information Exposure via PHP Type Juggling

The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison == instead of strict...

3.7CVSS0.00287EPSS
Exploits0References3
CVE
CVE
added 2026/02/18 12:28 p.m.15 views

CVE-2026-1582

The vulnerability CVE-2026-1582 affects the WordPress plugin WP All Export up to version 1.4.14 . A PHP type juggling flaw in the security token comparison (loose ==) allows an unauthenticated attacker to bypass authentication via “magic hash” values when the MD5 prefix matches the pattern ^0e\d+...

3.7CVSS5.6AI score0.00287EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/18 12:0 a.m.9 views

PT-2026-20386

The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison == instead of strict...

3.7CVSS5.6AI score0.00287EPSS
Exploits0References4
Snyk
Snyk
added 2026/02/09 6:59 p.m.2 views

Improper Restriction of Security Token Assignment

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment due to improper enforcement of user disabled-state checks i...

8.6CVSS5.6AI score0.00506EPSS
Exploits0References2
EUVD
EUVD
added 2026/01/28 11:53 a.m.8 views

EUVD-2025-206493

Cross-Site request forgery CSRF vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of...

8.5CVSS6AI score0.00124EPSS
Exploits0References1
CVE
CVE
added 2026/01/28 11:52 a.m.12 views

CVE-2025-59891

CVE-2025-59891 is a CSRF vulnerability affecting Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. The root cause is lack of proper CSRF token handling, enabling an authenticated attacker to coerce other users to perform actions in the app (e.g., via POST to /setup_login?...

8.5CVSS5.9AI score0.00127EPSS
Exploits0References1Affected Software2
Redos
Redos
added 2026/01/22 12:0 a.m.5 views

ROS-20260122-73-0034

Vulnerability in apache-kafka related to security token assignment restriction errors. Exploitation of the vulnerability could allow an attacker to escalate privileges...

7.5CVSS5.5AI score0.00248EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2026/01/09 10:31 a.m.8 views

CVE-2017-18179

Progress Sitefinity 9.1 uses wrapaccesstoken as a non-expiring authentication token that remains valid after a password change or a session termination. Also, it is transmitted as a GET parameter. This is fixed in 10.1...

8.8CVSS7.2AI score0.02808EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:56 a.m.8 views

CVE-2020-12613

An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. An attacker can spawn a process with multiple users as part of the security token prior to Avecto elevation. When Avecto elevates the process, it removes the user who is launching the process, but not the second...

8.8CVSS7AI score0.00774EPSS
Exploits0References1
vulnersOsv
vulnersOsv
added 2026/01/08 9:46 p.m.4 views

acmer (>=0.0.1 <=0.0.16), auth-proxy (>=0.0.1 <=0.1.1) +445 more potentially affected by unknown CVE via aws-sdk-sts (>=0.0.22-alpha <=0.9.0)

aws-sdk-sts CARGO version =0.0.22-alpha, =0.0.1, =0.0.1, =0.2.36, =0.0.18, =0.0.42, =0.0.1, =0.0.22-alpha, =0.0.1, =0.0.24, =0.0.1, =0.1.0, =0.4.0, =0.2.0, =0.2.0, =0.34.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-G59M-GF8J-GJF5...

5.5AI score
Exploits0
OSV
OSV
added 2025/10/30 3:2 p.m.6 views

GO-2025-4034 MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS in github.com/minio/minio

MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS in github.com/minio/minio...

8.1CVSS7AI score0.00515EPSS
Exploits1References7
OSV
OSV
added 2025/10/21 9:34 a.m.4 views

BIT-MINIO-2025-62506 MinIO vulnerable to privilege escalation via session policy bypass in service accounts and STS

MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS Security Token Service accounts with restricted session policies to bypass their inline policy restrictions when performin...

8.1CVSS7.3AI score0.00515EPSS
Exploits1References7
RedhatCVE
RedhatCVE
added 2025/10/17 9:45 p.m.6 views

CVE-2025-62506

MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS Security Token Service accounts with restricted session policies to bypass their inline policy restrictions when performin...

8.1CVSS7.2AI score0.00515EPSS
Exploits1References1
FreeBSD
FreeBSD
added 2025/10/17 12:0 a.m.14 views

minio -- Privilege Escalation via Session Policy Bypass in Service Accounts and STS

mino reports: A privilege escalation vulnerability allows service accounts and STS Security Token Service accounts with restricted session policies to bypass their inline policy restrictions when performing "own" account operations, specifically when creating new service accounts for the same use...

8.1CVSS7.2AI score0.00515EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2025/10/16 9:17 p.m.5 views

CVE-2025-62506 MinIO vulnerable to privilege escalation via session policy bypass in service accounts and STS

MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS Security Token Service accounts with restricted session policies to bypass their inline policy restrictions when performin...

8.1CVSS6.8AI score0.00515EPSS
Exploits1References3
EUVD
EUVD
added 2025/10/16 9:17 p.m.5 views

EUVD-2025-34834

MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS Security Token Service accounts with restricted session policies to bypass their inline policy restrictions when performin...

8.1CVSS6.7AI score0.00515EPSS
Exploits1References4
Cvelist
Cvelist
added 2025/10/16 9:17 p.m.12 views

CVE-2025-62506 MinIO vulnerable to privilege escalation via session policy bypass in service accounts and STS

MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS Security Token Service accounts with restricted session policies to bypass their inline policy restrictions when performin...

8.1CVSS0.00515EPSS
Exploits1References3
Rows per page
Query Builder