Cvelist, added 3 days ago, 33 views

CVE-2026-50160 Mass Assignment via Onboarding Endpoint Allows Unauthenticated JWT_SECRET Overwrite

Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and earlier, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extr...

CVSS: 10; EPSS: 0.0059
Exploits: 1; References: 2
CVE, added 2026/06/24 11:53 a.m., 7 views

CVE-2026-56244

CVE-2026-56244 (Capgo) affects Capgo prior to 12.128.2. The issue arises because non-admin API keys can read webhook signing secrets via Supabase REST due to insufficient row-level security on the webhooks table. This enables attackers to retrieve the webhook secret and forge valid X-Capgo-Signat...

CVSS: 7.1; AI score: 5.9; EPSS: 0.00194
Exploits: 0; References: 2
RedhatCVE, added 2026/06/04 12:39 p.m., 13 views

CVE-2026-40934

A flaw was found in Jupyter Server. The secret used to sign authentication cookies is not rotated when a user changes their password, allowing previously issued authentication cookies to remain valid. A remote attacker who has captured a session cookie can retain full authenticated access to the...

CVSS: 7.6; AI score: 5.8; EPSS: 0.00308
Exploits: 1; References: 4
Github Security Blog, added 2026/05/14 8:52 p.m., 20 views

slack-go `SecretsVerifier` accepts empty signing secret without precondition

SecretsVerifier in slack-go/slack before v0.23.1 accepts an empty signing secret without error. If an application is misconfigured, e.g. an unset or empty SLACK_SIGNING_SECRET, NewSecretsVerifier builds an HMAC-SHA256 keyed with an empty string, allowing an unauthenticated attacker to forge a valid...

AI score: 5.8
Exploits: 0; References: 4; Affected Software: 1
OSV, added 2026/05/14 8:52 p.m., 8 views

GHSA-GXHX-2686-5H9G slack-go `SecretsVerifier` accepts empty signing secret without precondition

SecretsVerifier in slack-go/slack before v0.23.1 accepts an empty signing secret without error. If an application is misconfigured, e.g. an unset or empty SLACK_SIGNING_SECRET, NewSecretsVerifier builds an HMAC-SHA256 keyed with an empty string, allowing an unauthenticated attacker to forge a valid...

CVSS: 8.3; AI score: 5.8
Exploits: 0; References: 4
OSV, added 2026/05/05 10:16 p.m., 6 views

PYSEC-2026-69

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password...

CVSS: 6.8; AI score: 5.7; EPSS: 0.00308
Exploits: 1; References: 1
OSV, added 2026/05/05 10:16 p.m., 4 views

DEBIAN-CVE-2026-40934

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password...

CVSS: 6.8; AI score: 5.8; EPSS: 0.00308
Exploits: 1; References: 1
Debian CVE, added 2026/05/05 9:31 p.m., 6 views

CVE-2026-40934

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password...

CVSS: 7.6; AI score: 5.8; EPSS: 0.00308
Exploits: 1
CVE, added 2026/05/05 9:31 p.m., 29 views

CVE-2026-40934

CVE-2026-40934 affects Jupyter Server up to version 2.17.0, where the signing secret for authentication cookies is stored at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated on password changes. After a password reset and server restart, previously issued cookies remain c...

CVSS: 7.6; AI score: 5.8; EPSS: 0.00308
Exploits: 1; References: 1; Affected Software: 1
EUVD, added 2026/04/07 6:31 p.m., 5 views

EUVD-2026-19748

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signi...

CVSS: 9.9; AI score: 6.4; EPSS: 0.05064
Exploits: 0; References: 8
ATTACKERKB, added 2026/04/07 6:19 a.m., 4 views

CVE-2026-1114

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVSS: 9.8; AI score: 7.2; EPSS: 0.0054
Exploits: 1; References: 3
OSV, added 2026/04/04 6:14 a.m., 3 views

GHSA-MCWW-4HXQ-HFR3 LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass

Subject: Security Vulnerability Report Hardcoded JWT Secret CVE-2026-30762 Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret Type: Improper Authentication...

CVSS: 7.5; AI score: 5.8; EPSS: 0.0012
Exploits: 0; References: 2
RedhatCVE, added 2026/03/26 3:04 p.m., 3 views

CVE-2025-64998

Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...

CVSS: 7.3; AI score: 5.8; EPSS: 0.00334
Exploits: 0; References: 1
EUVD, added 2026/03/26 3:30 a.m., 4 views

EUVD-2014-9820

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when...

CVSS: 9.8; AI score: 6.4; EPSS: 0.0083
Exploits: 0; References: 3
Vulnrichment, added 2026/03/26 2:04 a.m., 2 views

CVE-2014-125112 Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when...

AI score: 6.4; EPSS: 0.0083
Exploits: 0; References: 2
EUVD, added 2026/03/24 12:30 p.m., 4 views

EUVD-2025-208958

Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...

CVSS: 7.3; AI score: 5.8; EPSS: 0.00334
Exploits: 0; References: 2
NVD, added 2026/03/24 12:16 p.m., 5 views

CVE-2025-64998

Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...

CVSS: 7.3; EPSS: 0.00334
Exploits: 0; References: 1
UbuntuCve, added 2026/03/24 12:16 p.m., 3 views

CVE-2025-64998

Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...

CVSS: 7.3; AI score: 5.8; EPSS: 0.00334
Exploits: 0; References: 2
OSV, added 2026/03/24 12:16 p.m., 9 views

UBUNTU-CVE-2025-64998

Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...

CVSS: 7.3; AI score: 5.7; EPSS: 0.00334
Exploits: 0; References: 3
Cvelist, added 2026/03/24 11:25 a.m., 22 views

CVE-2025-64998 Session hijacking via exposed session signing secret in distributed Checkmk setups

Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...

CVSS: 7.3; EPSS: 0.00334
Exploits: 0; References: 1