Lucene search
K

54 matches found

OSV
OSV
added 2026/03/24 12:16 p.m.16 views

UBUNTU-CVE-2025-64998

Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...

7.3CVSS5.7AI score0.00334EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/24 11:25 a.m.4 views

CVE-2025-64998

Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...

7.3CVSS5.8AI score0.00334EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/24 11:25 a.m.9 views

CVE-2025-64998 Session hijacking via exposed session signing secret in distributed Checkmk setups

Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...

7.3CVSS5.8AI score0.00334EPSS
Exploits0References1
CVE
CVE
added 2026/03/24 11:25 a.m.17 views

CVE-2025-64998

CVE-2025-64998 affects Checkmk versions prior to 2.4.0p23, 2.3.0p45, and 2.2.0. The issue is the exposure of the session signing secret in distributed Checkmk deployments with config sync enabled, enabling an administrator on a remote site to forge session cookies and hijack sessions on the centr...

7.3CVSS5.8AI score0.00334EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/03/24 11:25 a.m.24 views

CVE-2025-64998 Session hijacking via exposed session signing secret in distributed Checkmk setups

Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...

7.3CVSS0.00334EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/24 12:0 a.m.9 views

PT-2026-27382

Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...

7.3CVSS5.8AI score0.00334EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/02/20 1:25 p.m.7 views

CVE-2026-1461

The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured,...

6.5CVSS5.5AI score0.00227EPSS
Exploits0References1
NVD
NVD
added 2026/02/19 10:16 a.m.3 views

CVE-2026-1461

The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured,...

6.5CVSS0.00227EPSS
Exploits0References4
CVE
CVE
added 2026/02/19 9:26 a.m.27 views

CVE-2026-1461

CVE-2026-1461 affects the Simple Membership WordPress plugin (all versions up to 4.7.0) via the Stripe webhook handler. The issue is improper handling of missing values caused by validating webhook signatures only when stripe-webhook-signing-secret is configured (empty by default), enabling unaut...

6.5CVSS5.5AI score0.00227EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.6 views

PT-2026-20777

The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured,...

6.5CVSS5.5AI score0.00227EPSS
Exploits0References4
CVE
CVE
added 2026/01/22 1:42 a.m.15 views

CVE-2026-23958

DataEase (open-source data visualization tool) prior to version 2.10.19 uses the MD5 hash of the user password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin password by abusing unmonitored API endpoints that verify JWT tokens. The vuln...

9.8CVSS5.5AI score0.00475EPSS
Exploits1References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/17 11:25 a.m.9 views

CVE-2025-59870

HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk...

9.8CVSS5.4AI score0.00236EPSS
Exploits0References1
CVE
CVE
added 2026/01/16 10:12 a.m.21 views

CVE-2025-59870

Summary: CVE-2025-59870 affects HCL MyXalytics web applications. The issue is improper management of a static JWT signing secret that is not rotated, creating a risk to confidentiality and integrity. The cited sources consistently describe the secret as static and non-rotated across multiple feed...

9.8CVSS5.4AI score0.00236EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/01/16 10:12 a.m.3 views

CVE-2025-59870 Improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk

HCL MyXalytics v6.7 is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk...

7.4CVSS6.5AI score0.00236EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/01/16 12:0 a.m.7 views

PT-2026-3243

Name of the Vulnerable Software and Affected Versions HCL MyXalytics version 6.7 Description The web application does not rotate the JWT signing secret, resulting in improper management of a static secret. This introduces a security risk. Recommendations Rotate the JWT signing secret in the web...

9.8CVSS5.2AI score0.00236EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/01/10 5:40 a.m.8 views

CVE-2026-21894

n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stri...

6.5CVSS7.1AI score0.00432EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/01/08 9:56 a.m.28 views

CVE-2026-21894 n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks

n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stri...

6.5CVSS0.00432EPSS
Exploits0References3
EUVD
EUVD
added 2025/12/08 9:30 p.m.5 views

EUVD-2025-201794

The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack...

7.1CVSS6.4AI score0.00273EPSS
Exploits0References3
NVD
NVD
added 2025/12/08 7:15 p.m.7 views

CVE-2025-14261

The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack...

7.1CVSS0.00273EPSS
Exploits0References2
OSV
OSV
added 2025/12/08 6:12 p.m.12 views

CVE-2025-14261 Lack of entropy allows registered low-privileged users of Litmus to crack valid JWT tokens and gain admin privileges

The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack...

7.1CVSS5.9AI score0.00273EPSS
Exploits0References4
Rows per page
Query Builder