Lucene search
K

120 matches found

CNNVD
CNNVD
added 2026/03/18 12:0 a.m.5 views

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 9.6.0-alpha.17 and 8.6.42. These vulnerabilities stemmed from the ability to override fields...

4.3CVSS5.8AI score0.00306EPSS
Exploits0References3
OSV
OSV
added 2026/03/17 6:37 p.m.4 views

GHSA-5V7G-9H8F-8PGG Parse Server session creation endpoint allows overwriting server-generated session fields

Impact An authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/Session. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows...

4.3CVSS5.9AI score0.00306EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/17 6:37 p.m.7 views

Parse Server session creation endpoint allows overwriting server-generated session fields

Impact An authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/Session. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows...

4.3CVSS5.9AI score0.00306EPSS
Exploits0References5Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/10 5:30 p.m.2 views

CVE-2026-30970 Session authentication bypass in Coral Server session creation endpoint

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server allowed the creation of agent sessions through the /api/v1/sessions endpoint without strong authentication. This endpoint perform...

8.8CVSS5.8AI score0.00319EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/10 5:30 p.m.13 views

EUVD-2026-10708

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server allowed the creation of agent sessions through the /api/v1/sessions endpoint without strong authentication. This endpoint perform...

8.8CVSS5.8AI score0.00319EPSS
Exploits0References2
CVE
CVE
added 2026/03/10 5:30 p.m.12 views

CVE-2026-30970

CVE-2026-30970 affects Coral Server. Before version 1.1.0, the /api/v1/sessions endpoint allowed session creation without strong authentication, performing resource-intensive operations (container spawning and memory context creation). An attacker with access to this endpoint could create session...

9.1CVSS5.8AI score0.00319EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/07 7:59 a.m.5 views

CVE-2026-29084

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a...

4.6CVSS5.7AI score0.00076EPSS
Exploits0References1
OSV
OSV
added 2026/03/06 4:45 a.m.3 views

CVE-2026-29084 Gokapi: CSRF in Login Endpoint

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a...

4.6CVSS5.7AI score0.00076EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/05 8:43 p.m.6 views

Gokapi has CSRF in Login Endpoint

Summary The login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation. Issue found by aisafe.io Impact An attacker can force a victim...

4.6CVSS5.9AI score0.00076EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/05 12:0 a.m.14 views

PT-2026-23606

Name of the Vulnerable Software and Affected Versions Gokapi versions prior to 2.2.3 Description Gokapi, a self-hosted file sharing server, had a flaw in its login process. Before version 2.2.3, the login flow lacked CSRF protection, meaning credential-bearing requests weren’t properly linked to...

9.9CVSS5.9AI score0.22162EPSS
Exploits70References137
RedhatCVE
RedhatCVE
added 2026/03/04 1:57 a.m.3 views

CVE-2026-0023

In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

7.8CVSS6.1AI score0.00084EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/03/04 12:27 a.m.3 views

SUSE CVE-2026-25791

Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored...

7.5CVSS5.9AI score0.00407EPSS
Exploits1References3
CVE
CVE
added 2026/03/02 11:14 a.m.9 views

CVE-2025-30042

The CVE-2025-30042 entry concerns the CGM CLININET system, where smart card authentication is effectively bypassed because access verification uses only the certificate number on the client, not the presence of a smart card or private key. This allows authentication if the certificate number is k...

9CVSS6AI score0.00086EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/02 11:14 a.m.25 views

CVE-2025-30035 Lack of API authentication allowing session generation for any user

The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and grants access to the...

9CVSS0.00207EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/02 11:14 a.m.3 views

CVE-2025-30035 Lack of API authentication allowing session generation for any user

The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and grants access to the...

9CVSS5.9AI score0.00207EPSS
Exploits0References2
OSV
OSV
added 2026/02/09 8:34 p.m.6 views

CVE-2026-25791 Sliver has a DNS C2 OTP Bypass Allows Unauthenticated Session Flooding and Denial of Service

Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored...

7.5CVSS5.7AI score0.00407EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/01/22 7:22 p.m.7 views

CVE-2025-68136

EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like Session, IConnection which open new TCP socket for the ISO15118-20 communications and registers callbacks for the created file descriptor, witho...

7.4CVSS5.5AI score0.00266EPSS
Exploits1References1
NVD
NVD
added 2026/01/21 8:16 p.m.6 views

CVE-2025-68136

EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like Session, IConnection which open new TCP socket for the ISO15118-20 communications and registers callbacks for the created file descriptor, witho...

7.4CVSS0.00266EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/01/21 7:18 p.m.4 views

CVE-2025-68136

EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like Session, IConnection which open new TCP socket for the ISO15118-20 communications and registers callbacks for the created file descriptor, witho...

7.4CVSS5.3AI score0.00266EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/01/21 7:18 p.m.23 views

CVE-2025-68136 EVerest's inadequate session handling can lead to memory-related errors or exhaustion of the operating system’s file descriptors, resulting in a denial of service

EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like Session, IConnection which open new TCP socket for the ISO15118-20 communications and registers callbacks for the created file descriptor, witho...

7.4CVSS0.00266EPSS
Exploits1References1
Rows per page
Query Builder