Lucene search
K

6396 matches found

Cvelist
Cvelist
added 2026/06/30 10:8 p.m.30 views

CVE-2026-56278 Flowise - Session Hijacking via Weak Default Express Session Secret

Flowise before 3.1.0 affected versions 3.0.13 and earlier uses a weak hardcoded default secret 'flowise' for the express-session middleware when the EXPRESSSESSIONSECRET environment variable is not set packages/server/src/enterprise/middleware/passport/index.ts. Because this default secret is...

9.3CVSS0.0036EPSS
Exploits0References2
CVE
CVE
added 2026/06/30 10:8 p.m.13 views

CVE-2026-56278

Flowise before 3.1.0 (affected: 3.0.13 and earlier) uses a weak hardcoded default session secret ('flowise') for express-session when EXPRESS_SESSION_SECRET is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because the secret is publicly visible in the source, an attacker ...

9.3CVSS5.8AI score0.0036EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/30 1:37 p.m.13 views

CVE-2026-35095

Technical details (affected products/components, root cause, impact, or remediation) are not publicly available in the provided documents. Monitor for updates.

4.8CVSS5.7AI score0.00145EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/06/30 12:13 a.m.5 views

undertow-core: Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without...

9.6CVSS7.4AI score0.01179EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-54030

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An authentication bypass exists in the account deletion endpoint. This flaw allows the deletion of user accounts without requiring password re-authentication or secondary verification. Exploitation...

8.1CVSS5.8AI score0.00353EPSS
Exploits0References4
NVD
NVD
added 2026/06/29 6:16 p.m.11 views

CVE-2026-57948

Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can...

7.6CVSS0.00126EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/29 5:19 p.m.5 views

CVE-2026-57948 Pinpoint - Insecure Session Cookie Attributes in pinpointJwt

Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can...

7.6CVSS5.6AI score0.00126EPSS
Exploits0References2
CVE
CVE
added 2026/06/29 5:19 p.m.14 views

CVE-2026-57948

Pinpoint (through version 3.1.0) has an insecure session management vulnerability where the pinpointJwt cookie lacks HttpOnly and Secure attributes. This allows JavaScript access via document.cookie and cleartext transmission over HTTP, enabling potential exfiltration of the session token via sto...

7.6CVSS5.6AI score0.00126EPSS
Exploits0References2
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-496 pyLoad vulnerable to XSS through insecure CAPTCHA

Summary An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in sessi...

9.8CVSS6.5AI score0.01144EPSS
Exploits0References7
PyPA
PyPA
added 2026/06/29 11:50 a.m.4 views

pyLoad vulnerable to XSS through insecure CAPTCHA

SummaryAn unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in sessio...

9.8CVSS6.7AI score0.01144EPSS
Exploits0References7Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.13 views

PT-2026-53666

Name of the Vulnerable Software and Affected Versions Pinpoint versions prior to 3.1.1 Description Insecure session management occurs because the pinpointJwt session cookie lacks HttpOnly and Secure attributes. This allows the cookie to be accessed via JavaScript through document.cookie and...

7.6CVSS5.8AI score0.00126EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/06/23 7:40 p.m.42 views

CVE-2026-12112 Foreman-mcp-server: mcp server: active session hijacking via insecure session state reuse

A flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating...

7.8CVSS0.00153EPSS
Exploits0References3
CVE
CVE
added 2026/06/23 7:40 p.m.9 views

CVE-2026-12112

CVE-2026-12112 affects the foreman-mcp-server MCP Server. The issue is a session management vulnerability where an improper cache of authenticated client connections allows an unauthenticated attacker to hijack active administrative sessions by trusting a non-secret session ID without re-validati...

7.8CVSS5.9AI score0.00153EPSS
Exploits0References4Affected Software2
EUVD
EUVD
added 2026/06/23 7:40 p.m.7 views

EUVD-2026-38599

A flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating...

7.8CVSS5.9AI score0.00153EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/23 7:40 p.m.8 views

CVE-2026-12112 Foreman-mcp-server: mcp server: active session hijacking via insecure session state reuse

A flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating...

7.8CVSS5.9AI score0.00153EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/23 7:40 p.m.7 views

CVE-2026-12112

A flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating...

7.8CVSS5.8AI score0.00153EPSS
Exploits0References3
NVD
NVD
added 2026/06/23 12:16 p.m.12 views

CVE-2026-4983

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a maliciou...

5.4CVSS0.00226EPSS
Exploits1References1
Nuclei
Nuclei
added 2026/06/23 5:8 a.m.53 views

SSL VPN Session Hijacking

An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication. id: CVE-2024-53704 info: name: SSL VPN Session Hijacking author: johnk3r severity: critical description: | An Improper Authentication vulnerability in the SSLVPN...

9.8CVSS7.6AI score0.95132EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.9 views

PT-2026-51588

Name of the Vulnerable Software and Affected Versions foreman-mcp-server affected versions not specified Red Hat Satellite affected versions not specified Description A session management issue in the MCP Server allows unauthenticated attackers to hijack active administrative sessions. This occur...

7.8CVSS5.9AI score0.00153EPSS
Exploits0References11
NVD
NVD
added 2026/06/22 4:16 p.m.13 views

CVE-2026-56104

Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification. Attackers can exploit the...

8.8CVSS0.00256EPSS
Exploits0References4
Rows per page
Query Builder