Lucene search
+L

254 matches found

NVD
NVD
added 2026/07/04 6:16 p.m.10 views

CVE-2026-12746

Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter. The authenticationurl method builds the provider authorization redirect without issuing a state value, and the callback method exchanges the callback code and registers the resulting...

8.1CVSS0.00186EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/04 5:58 p.m.7 views

CVE-2026-12740

Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter. RequestTokenV2 builds the provider authorization redirect without issuing a state value, and AccessTokenV2 exchanges the callback code and registers the resulting token into the session...

5.9AI score0.00172EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/04 5:52 p.m.33 views

CVE-2026-12746 Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter

Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter. The authenticationurl method builds the provider authorization redirect without issuing a state value, and the callback method exchanges the callback code and registers the resulting...

0.00186EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/04 5:52 p.m.10 views

EUVD-2026-41686

Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter. The authenticationurl method builds the provider authorization redirect without issuing a state value, and the callback method exchanges the callback code and registers the resulting...

5.9AI score0.00186EPSS
Exploits0References3
OSV
OSV
added 2026/07/04 5:52 p.m.4 views

CVE-2026-12746 Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter

Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter. The authenticationurl method builds the provider authorization redirect without issuing a state value, and the callback method exchanges the callback code and registers the resulting...

8.1CVSS5.9AI score0.00186EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/04 12:0 a.m.18 views

PT-2026-55719

Name of the Vulnerable Software and Affected Versions Dancer2::Plugin::Auth::OAuth::Provider versions prior to 0.23 Description The software fails to support the OAuth 2.0 state parameter. The authentication url method creates a provider authorization redirect without a state value, and the...

8.1CVSS5.9AI score0.00186EPSS
Exploits0References11
OSV
OSV
added 2026/06/23 7:5 a.m.4 views

CVE-2026-9733 Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...

9.1CVSS5.3AI score0.00339EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.20 views

PT-2026-51481

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...

9.1CVSS5.4AI score0.00339EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/06/05 7:38 p.m.14 views

CVE-2026-34460

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause ...

5.4CVSS5.5AI score0.00114EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:24 p.m.11 views

CVE-2026-44347

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on t...

6.5CVSS5.5AI score0.00133EPSS
Exploits1References1
OSV
OSV
added 2026/06/02 3:38 p.m.7 views

CVE-2026-42073 OpenClaude's MCP OAuth Callback: State Check Bypass via error Param Leads to DoS

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter...

6.5CVSS5.9AI score0.00219EPSS
Exploits1References5
OSV
OSV
added 2026/06/02 3:29 p.m.3 views

CVE-2026-34460 NamelessMC: OAuth callback `state` is not validated, allowing login CSRF / session swapping

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause ...

5.4CVSS5.9AI score0.00114EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/02 12:0 a.m.15 views

PT-2026-45774

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause ...

5.4CVSS5.8AI score0.00114EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.6 views

NamelessMC 安全漏洞

NamelessMC is a free, easy-to-use, and powerful website software developed by the NamelessMC team. It’s suitable for your Minecraft server and comes with numerous features. Versions of NamelessMC 2.2.4 and earlier have security vulnerabilities. These vulnerabilities stem from unvalidated state...

5.4CVSS5.4AI score0.00114EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 11:16 p.m.24 views

CVE-2026-44347

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on t...

6.5CVSS0.00133EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/12 10:44 p.m.13 views

EUVD-2026-29882

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on t...

5.8CVSS5.8AI score0.00133EPSS
Exploits1References1
OSV
OSV
added 2026/05/12 10:44 p.m.2 views

CVE-2026-44347 Warpgate: SSO CSRF -- State Token Not Validated on Return

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on t...

5.8CVSS6AI score0.00133EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/05/12 10:44 p.m.40 views

CVE-2026-44347 Warpgate: SSO CSRF -- State Token Not Validated on Return

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on t...

5.8CVSS0.00133EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/12 6:31 a.m.15 views

EUVD-2026-29373

The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks...

7.1CVSS5.8AI score0.00121EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/12 4:6 a.m.8 views

CVE-2026-45430

The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks...

7.1CVSS5.8AI score0.00121EPSS
Exploits0References2
Rows per page
Query Builder