Lucene search
K

4096 matches found

Cvelist
Cvelist
added 2026/06/08 2:51 p.m.41 views

CVE-2026-46656 Bludit CMS has improper authorization and mediation failure leading to persistent ghost sessions

Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized...

8.8CVSS0.00294EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/08 2:51 p.m.9 views

CVE-2026-46656 Bludit CMS has improper authorization and mediation failure leading to persistent ghost sessions

Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized...

8.8CVSS5.4AI score0.00294EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.22 views

PT-2026-47328

Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized...

8.8CVSS5.4AI score0.00294EPSS
Exploits0References4
Spring Security Advisories
Spring Security Advisories
added 2026/06/08 12:0 a.m.5 views

CVE-2026-41838: Spring Framework Predictable Session ID in WebSocket Module

IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules...

4.8CVSS5.7AI score0.00171EPSS
Exploits0References1Affected Software1
CNNVD
CNNVD
added 2026/06/08 12:0 a.m.13 views

Bludit 授权问题漏洞

Bludit is an open-source, lightweight blog content management system developed by Bludit. Versions of Bludit prior to 3.22.0 had an authorization issue vulnerability. This vulnerability stemmed from the fact that active sessions remained valid even after user accounts were deleted, potentially...

8.8CVSS5.3AI score0.00294EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:46 p.m.11 views

CVE-2026-33585

Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform enables an attacker to impersonate an authenticated tenant user via an unexpired browser session. This issue affects Symmetric Key Agreement Platform: before 26.03...

3.8CVSS5.5AI score0.00134EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:36 p.m.10 views

CVE-2026-41469

Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template injection and sandbox escape vulnerabilities present in the same application, the absence of CSP...

5.2CVSS5.7AI score0.00204EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:31 p.m.14 views

CVE-2026-33569

Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise the device...

6.5CVSS5.4AI score0.00186EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:27 p.m.11 views

CVE-2026-40939

The Data Sharing Framework DSF implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This...

6.8CVSS5.5AI score0.00154EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:26 p.m.10 views

CVE-2026-40136

SAP Financial Consolidation allows an authenticated attacker to disconnect other users by terminating their sessions temporarily preventing access. However, the application itself cannot be compromised resulting in a low impact on availability. There is no impact on confidentiality and integrity ...

4.3CVSS5.4AI score0.0029EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:26 p.m.10 views

CVE-2026-39381

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any...

5.3CVSS5.4AI score0.00193EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.8 views

CVE-2026-44423

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records SSH username, device UID, remote IP, terminal type, authenticated fla...

6.5CVSS5.5AI score0.00246EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:23 p.m.11 views

CVE-2026-35491

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature webserver.api.clipw that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config...

6.1CVSS5.4AI score0.00156EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.10 views

CVE-2026-45322

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.runshell passes a command string...

7.8CVSS5.5AI score0.01722EPSS
Exploits0References1
Fedora
Fedora
added 2026/06/05 4:27 a.m.14 views

[SECURITY] Fedora 44 Update: python-starlette-0.52.1-2.fc44

Starlette is a lightweight ASGI framework/toolkit, which is ideal for building async web services in Python. It is production-ready, and gives you the following: =E2=80=A2 A lightweight, low-complexity HTTP web framework. =E2=80=A2 WebSocket support. =E2=80=A2 In-process background tasks. =E2=80=...

6.5CVSS5.8AI score0.01438EPSS
Exploits2
CNNVD
CNNVD
added 2026/06/05 12:0 a.m.11 views

Arista EOS和Arista CloudVision eXchange 安全漏洞

Arista EOS and Arista CloudVision eXchange are both products of the American company Arista. Arista EOS is a fully programmable, highly modular Linux-based network operating system. Arista CloudVision eXchange is a control plane switching platform designed for data centers and enterprise networks...

8.7CVSS5.5AI score0.00323EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/05 12:0 a.m.18 views

PT-2026-47017

Name of the Vulnerable Software and Affected Versions Termix versions prior to 2.3.2 Description Termix is a web-based server management platform providing SSH terminal, tunneling, and file editing capabilities. An OS command injection exists in the "/ssh/file manager/ssh/resolvePath" endpoint. T...

9.9CVSS6AI score0.02008EPSS
Exploits1References8
CVE
CVE
added 2026/06/04 1:22 p.m.18 views

CVE-2019-25741

Mobatek MobaXterm 12.1 is affected by a SEH-based buffer overflow in the username field of session files. An attacker can craft a malicious sessions file that overflows the username, triggering code execution when imported, potentially enabling a reverse shell with the user’s privileges. The CVE ...

9.8CVSS6.4AI score0.00638EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/04 6:30 a.m.8 views

CVE-2026-49202

Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing CORS rules that allow cross-site theft...

8.8CVSS5.7AI score0.00257EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.18 views

PT-2026-46153

Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing CORS rules that allow cross-site theft...

8.8CVSS5.7AI score0.00257EPSS
Exploits0References2
Rows per page
Query Builder