Lucene search
+L

197 matches found

OSV
OSV
added 2 days ago6 views

CVE-2026-45795 Janssen Project: JWE Request Object Signature Verification Bypass in jans-auth-server

The Janssen Project is an open-source identity and access management IAM platform. Prior to 2.0.0, jans-auth-server accepts unsigned JWE request objects because JwtAuthorizationRequest skips inner signature validation when jwe.getSignedJWTPayload returns null, and...

5.3CVSS6.1AI score0.00159EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-60109

Summary Apollo ConfigService may allow unauthorized access to configuration data when AccessKey / management key authentication is enabled and ConfigService accepts a non-canonical appId variant during authentication while downstream request handling resolves it to the protected app. Details...

7.5CVSS6.1AI score0.00549EPSS
Exploits0References6
CVE
CVE
added 2026/06/29 12:16 p.m.23 views

CVE-2026-13165

SzafirHost is affected by a remote code execution vulnerability (CVE-2026-13165) in the way it validates versus extracts native libraries from archives. The application verifies the downloaded native library archive using JarFile (Central Directory) but extracts libraries with JarInputStream (seq...

8.6CVSS6AI score0.00418EPSS
Exploits0References2
OSV
OSV
added 2026/06/29 11:50 a.m.12 views

PYSEC-2026-287 Authlib JWS JWK Header Injection: Signature Verification Bypass

Description Summary A JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic...

9.1CVSS7.4AI score0.00548EPSS
Exploits1References7
Cvelist
Cvelist
added 2026/06/25 8:57 p.m.29 views

CVE-2026-11800 Org.keycloak:keycloak-services: keycloak: authentication bypass via jwt algorithm confusion

A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to...

8.1CVSS0.00181EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/06/25 6:47 p.m.9 views

org.keycloak:keycloak-services: Keycloak: Authentication bypass via JWT algorithm confusion

A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to...

8.1CVSS5.8AI score0.00181EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/25 6:43 p.m.7 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation There is...

9.3CVSS5.8AI score0.0026EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/24 7:48 p.m.22 views

CVE-2026-50128

Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how...

5.3CVSS5.9AI score0.00129EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.16 views

WordPress plugin UpdraftPlus: WP Backup & Migration Plugin 数据伪造问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. One...

8.1CVSS6.6AI score0.03578EPSS
Exploits3References1
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.13 views

Northern.tech Mender Client 安全漏洞

The Northern.tech Mender Client is a device remote update and management client provided by the Northern.tech company in the United States. Versions of the Northern.tech Mender Client prior to version 5.0.4 contained security vulnerabilities, which were caused by bypassing encryption signature...

5.3CVSS5.8AI score0.00183EPSS
Exploits0References3
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.10 views

Astra Linux – Vulnerability in Perl

CPAN 2.28 allows for Signature Verification Bypass...

7.8CVSS7.5AI score0.00791EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/05/16 9:26 p.m.49 views

CVE-2026-46728

Das U-Boot before 2026.04 allows FIT Flat Image Tree signature verification bypass because hashed-nodes is omitted from a hash...

8.2CVSS0.00127EPSS
Exploits1References2
OSV
OSV
added 2026/05/16 9:26 p.m.3 views

CVE-2026-46728

Das U-Boot before 2026.04 allows FIT Flat Image Tree signature verification bypass because hashed-nodes is omitted from a hash...

8.2CVSS5.9AI score0.00127EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/05/16 12:0 a.m.26 views

PT-2026-41468

Name of the Vulnerable Software and Affected Versions Das U-Boot versions prior to 2026.04 Description Das U-Boot allows a Flat Image Tree FIT signature verification bypass. This occurs because hashed-nodes are omitted from a hash, which can lead to the acceptance of unsigned or modified images...

8.2CVSS5.8AI score0.00127EPSS
Exploits1References15
RedHat Linux
RedHat Linux
added 2026/05/14 4:55 p.m.15 views

bouncycastle: BC-JAVA: PKIX draft CompositeVerifier accepts empty signature sequence as valid

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix. The PKIX draft CompositeVerifier implementation improperly accepts an empty signature sequence as a valid cryptographic signature. This issue allows a remote attacker to bypass signature verification mechanisms, potentially...

7.5CVSS7.1AI score0.00392EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.11 views

plunk 数据伪造问题漏洞

Plunk is an open-source email sending and management platform developed by Plunk. Versions of Plunk prior to 0.9.0 contained a data manipulation vulnerability. This vulnerability stems from the /webhooks/sns endpoint accepting Amazon SNS notification payloads without verifying the SNS signature,...

9.1CVSS5.7AI score0.00127EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/05/06 5:59 p.m.9 views

bouncycastle: BC-JAVA: PKIX draft CompositeVerifier accepts empty signature sequence as valid

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix. The PKIX draft CompositeVerifier implementation improperly accepts an empty signature sequence as a valid cryptographic signature. This issue allows a remote attacker to bypass signature verification mechanisms, potentially...

7.5CVSS5.8AI score0.00392EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/05/06 5:58 p.m.7 views

bouncycastle: BC-JAVA: PKIX draft CompositeVerifier accepts empty signature sequence as valid

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix. The PKIX draft CompositeVerifier implementation improperly accepts an empty signature sequence as a valid cryptographic signature. This issue allows a remote attacker to bypass signature verification mechanisms, potentially...

7.5CVSS5.8AI score0.00392EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/05/05 7:56 a.m.28 views

bouncycastle: BC-JAVA: PKIX draft CompositeVerifier accepts empty signature sequence as valid

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix. The PKIX draft CompositeVerifier implementation improperly accepts an empty signature sequence as a valid cryptographic signature. This issue allows a remote attacker to bypass signature verification mechanisms, potentially...

7.5CVSS5.8AI score0.00392EPSS
Exploits0References5
Snyk
Snyk
added 2026/05/03 12:30 p.m.7 views

Insufficient Verification of Data Authenticity

Overview dolibarr/dolibarr is a modern and easy to use web software to manage your business. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the dolverifyHash function of the Online Signature Module. An attacker can bypass signature verificati...

6.3CVSS5.8AI score0.00145EPSS
Exploits0References2
Rows per page
Query Builder