CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Hacker One•added 2026/05/21 7:5 a.m.•20 views

curl: curl GnuTLS backend accepts a clientAuth-only certificate for HTTPS server authentication

Summary: When curl/libcurl is built with the GnuTLS backend, the current HTTPS server-certificate validation path verifies the trust chain and hostname but does not enforce TLS server Extended Key Usage semantics. As a result, a leaf certificate that chains to a trusted CA, matches the requested...

5.9AI score

Exploits0

OSV•added 2026/05/20 1:50 p.m.•5 views

OSEC-2026-06 TLS-client (with TLS 1.3) does insufficient certificate checks (missing KeyUsage and ExtendedKeyUsage validation)

The ocaml-TLS 1.3 client does not validate the KeyUsage and ExtendedKeyUsage extensions of the server certificate. This can lead to impersonation with a certificate issued to a client. Scenario Every employee at a major bank carries a smart card. The card holds a clientAuth certificate issued by...

7.4CVSS5.8AI score

Exploits1

AstraLinux•added 2026/05/20 5:53 a.m.•4 views

Astra Linux - уязвимость в freerdp2

FreeRDP is a free implementation of the Remote Desktop Protocol RDP. Prior to version 2.7.0, server-side authentication against a SAM file might succeed with invalid credentials if the server had configured an invalid SAM file path. Clients based on FreeRDP are not affected by this issue. However...

9.8CVSS7.3AI score0.01266EPSS

Positive Technologies•added 2026/05/20 12:0 a.m.•8 views

PT-2026-42202

7.4CVSS5.8AI score

Exploits1References1

Hacker One•added 2026/05/14 11:6 a.m.•13 views

curl: Schannel custom-CA path skips Extended Key Usage enforcement

Hi all, We believe the Schannel custom-CA verification path in lib/vtls/schannelverify.c may skip Extended Key Usage enforcement. In particular, a certificate that chains to the trusted custom CA but contains only id-kp-clientAuth, rather than id-kp-serverAuth, may pass peer verification on Windo...

5.9AI score

Exploits0

OSV•added 2026/05/13 4:17 p.m.•1 views

DEBIAN-CVE-2026-8367

aria2c accepts a server certificate with incorrect Extended Key Usage EKU. If the attackers compromise a certificate with the associated private key issued for a different purpose, they may be able to reuse it for TLS server authentication...

NVD•added 2026/05/13 4:17 p.m.•5 views

CVE-2026-8367

4.8CVSS0.00021EPSS

OSV•added 2026/05/13 4:17 p.m.•2 views

UBUNTU-CVE-2026-8367

UbuntuCve•added 2026/05/13 4:17 p.m.•4 views

Exploits0References4

CVE-2026-8367

ATTACKERKB•added 2026/05/13 2:55 p.m.•3 views

Exploits0References3

CVE-2026-8367

Cvelist•added 2026/05/13 2:55 p.m.•25 views

CVE-2026-8367 aria2c Improper Certificate Validation

4.8CVSS0.00021EPSS

CVE•added 2026/05/13 2:55 p.m.•7 views

CVE-2026-8367

aria2c is affected by an improper certificate validation issue where it accepts a server certificate with an incorrect Extended Key Usage (EKU). If an attacker obtains a certificate (with its private key) intended for a different purpose, they may reuse it to perform TLS server authentication aga...

Debian CVE•added 2026/05/13 2:55 p.m.•3 views

CVE-2026-8367

Positive Technologies•added 2026/05/13 12:0 a.m.•5 views

Exploits0

PT-2026-40700

CNNVD•added 2026/05/13 12:0 a.m.•4 views

aria2c 信任管理问题漏洞

aria2c is a lightweight multi-protocol command-line download tool developed by aria2. Aria2c has a trust management vulnerability that stems from accepting server certificates with incorrect extension key purposes. This vulnerability could allow attackers to reuse certificates issued for differen...

Snyk•added 2026/05/07 2:57 a.m.•4 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in JWT validation middleware. An attacker can maintain unauthorized access to user accounts by reusing previously issued JSON Web Tokens even after a password change, as the tokens are not invalidated or...

6.3CVSS5.8AI score