Lucene search
K

1340 matches found

NVD
NVD
added 2026/06/02 9:16 p.m.21 views

CVE-2026-49448

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1...

9.8CVSS0.00405EPSS
Exploits1References1
NVD
NVD
added 2026/06/02 9:16 p.m.15 views

CVE-2026-42849

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE Simple Flow Executor in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issu...

9.3CVSS0.00355EPSS
Exploits0References1
CVE
CVE
added 2026/06/02 8:31 p.m.77 views

CVE-2026-49448

CVE-2026-49448 affects authentik (open-source identity provider). The issue allows bypass of the Source stage by sending an empty POST, as described in both the CVE entry and CVE list. Affected versions are prior to 2025.12.6, 2026.2.4, and 2026.5.1. The vulnerability is assessed with a high impa...

9.8CVSS5.7AI score0.00405EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/02 8:31 p.m.11 views

CVE-2026-49448

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1...

9.8CVSS5.7AI score0.00405EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/06/02 8:31 p.m.13 views

EUVD-2026-34030

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1...

9.8CVSS5.7AI score0.00405EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/06/02 8:31 p.m.12 views

CVE-2026-49448 authentik: SourceStage bypass via empty POST

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1...

9.8CVSS5.7AI score0.00405EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/02 8:30 p.m.34 views

CVE-2026-42849 authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE Simple Flow Executor in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issu...

9.3CVSS0.00355EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/02 8:30 p.m.13 views

CVE-2026-42849 authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE Simple Flow Executor in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issu...

9.3CVSS5.7AI score0.00355EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/02 8:30 p.m.11 views

EUVD-2026-34026

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE Simple Flow Executor in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issu...

9.3CVSS5.7AI score0.00355EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/02 12:31 a.m.14 views

EUVD-2026-33769

In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

5.9AI score0.00072EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/02 12:0 a.m.15 views

PT-2026-45859

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2025.12.6 authentik versions prior to 2026.2.4 authentik versions prior to 2026.5.1 Description authentik is an open-source identity provider. The Source stage can be bypassed by sending an empty POST request...

9.8CVSS5.8AI score0.00405EPSS
Exploits1References9
ATTACKERKB
ATTACKERKB
added 2026/06/01 9:14 p.m.7 views

CVE-2026-0036

In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

5.9AI score0.00072EPSS
Exploits0References2Affected Software1
Securelist
Securelist
added 2026/06/01 10:0 a.m.21 views

Containers on fire: from container escapes to supply chain attacks

Introduction Modern infrastructures universally rely on containerization to deploy applications, scale services, and build cloud platforms. The use of Docker, Kubernetes, and similar technologies has become the corporate standard for efficient automation. However, as containers grow in popularity...

9.3CVSS7.7AI score0.9857EPSS
Exploits61
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/01 7:5 a.m.20 views

Malicious code in @emcd-vue/loans (npm)

Part of a coordinated multi-package supply-chain attack impersonating EMCD emcd.io, a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to distribute multiple malicious packages posing as internal tooling. This package was published 90...

6AI score
Exploits0References5
OSV
OSV
added 2026/06/01 7:5 a.m.17 views

MAL-2026-5165 Malicious code in @emcd-vue/loans (npm)

Part of a coordinated multi-package supply-chain attack impersonating EMCD emcd.io, a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to distribute multiple malicious packages posing as internal tooling. This package was published 90...

5.5AI score
Exploits0References2
OSV
OSV
added 2026/06/01 12:0 a.m.10 views

ASB-A-405392600

In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

7.8CVSS5.9AI score0.00072EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/31 9:0 p.m.8 views

Malicious Package

Overview @mlspace/docker-registry is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/31 9:0 p.m.10 views

Malicious Package

Overview @car-loans/safe-storage-module is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and thi...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/31 9:0 p.m.11 views

Malicious Package

Overview @cloudplatform-single-spa/billing is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/31 9:0 p.m.9 views

Malicious Package

Overview @cloudplatform-single-spa/audit-log is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization an...

9.8CVSS5.9AI score
Exploits0References2
Rows per page
Query Builder