Lucene search
K

127 matches found

NVD
NVD
added 2026/07/06 11:16 p.m.10 views

CVE-2026-53644

FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an active state e.g., suspended, canceled. The root cause is missing order-state...

8.6CVSS0.00251EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 10:51 p.m.10 views

CVE-2026-53644

CVE-2026-53644 (FOSSBilling) : Versions 0.5.3–0.7.2 allow authenticated clients to read and reset API key service secrets for orders not in an active state due to missing order-state validation in two client API endpoints, despite an isActive() helper existing in the Serviceapikey module. The iss...

8.6CVSS6AI score0.00251EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.7 views

PT-2026-56015

Name of the Vulnerable Software and Affected Versions Leantime affected versions not specified Description An OIDC login CSRF issue exists in the verifyState function, which unconditionally returns true without validating state parameters. This allows attackers to craft malicious callback URLs...

8.6CVSS6.1AI score0.00153EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2026/06/22 3:18 p.m.6 views

nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination

A flaw was found in nghttp2. Due to missing internal state validation, the library continues to process incoming data even after a session has been terminated. A remote attacker could exploit this by sending a specially crafted HTTP/2 frame, leading to an assertion failure and a denial of service...

7.5CVSS5.8AI score0.00775EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/17 9:32 p.m.24 views

CVE-2026-48991 XianYuLauncher: Legacy Microsoft account OAuth sign-in flow lacks PKCE and state validation

XianYuLauncher is a Minecraft Java Edition launcher. In versions prior to 1.5.5, sensitive authentication artifacts could be exposed during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation...

5.5CVSS0.00127EPSS
Exploits0References2
OSV
OSV
added 2026/06/12 4:20 p.m.8 views

MGASA-2026-0199 Updated nghttp2 packages fix security vulnerability

Denial of service: Assertion failure due to missing state validation. CVE-2026-27135...

7.5CVSS7.4AI score0.00775EPSS
Exploits0References5
Mageia
Mageia
added 2026/06/12 4:20 p.m.13 views

Updated nghttp2 packages fix security vulnerability

Denial of service: Assertion failure due to missing state validation. CVE-2026-27135...

7.5CVSS7.4AI score0.00775EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/09 12:0 a.m.11 views

EulerOS 2.0 SP11 : nghttp2 (EulerOS-SA-2026-2256)

According to the versions of the nghttp2 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the...

7.5CVSS6.9AI score0.00775EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/06 12:0 a.m.11 views

EulerOS Virtualization 2.10.0 : nghttp2 (EulerOS-SA-2026-2057)

According to the versions of the nghttp2 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops...

7.5CVSS7.2AI score0.00775EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:51 p.m.13 views

CVE-2025-10908

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...

7.3CVSS5.5AI score0.0023EPSS
Exploits0References1
NVD
NVD
added 2026/06/02 4:16 p.m.14 views

CVE-2026-34460

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause ...

5.4CVSS0.00114EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/02 3:38 p.m.8 views

CVE-2026-42073

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter...

6.5CVSS5.8AI score0.00219EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/02 3:29 p.m.9 views

CVE-2026-34460 NamelessMC: OAuth callback `state` is not validated, allowing login CSRF / session swapping

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause ...

5.4CVSS5.8AI score0.00114EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/02 3:29 p.m.11 views

EUVD-2026-33960

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause ...

5.4CVSS5.8AI score0.00114EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.9 views

OpenClaude 安全漏洞

OpenClaude is an open-source coding assistant CLI developed by Gitlawb. Versions of OpenClaude prior to 0.5.1 contained security vulnerabilities. These vulnerabilities were due to logical flaws in the conditional order logic within the MCP authentication process, allowing attackers to completely...

6.5CVSS5.4AI score0.00219EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2026/05/26 12:0 a.m.14 views

TencentOS Server 3: nghttp2 (TSSA-2026:0385)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2026:0385 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...

7.5CVSS6.8AI score0.00775EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/05/13 12:0 a.m.15 views

Debian dla-4581 : libnghttp2-14 - security update

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4581 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4581-1 [email protected] https://www.debian.org/lts/security/...

7.5CVSS6.8AI score0.00775EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/12 10:44 p.m.10 views

CVE-2026-44347

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on t...

5.8CVSS5.8AI score0.00133EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/12 10:44 p.m.9 views

CVE-2026-44347 Warpgate: SSO CSRF -- State Token Not Validated on Return

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on t...

5.8CVSS5.8AI score0.00133EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/11 12:32 p.m.13 views

EUVD-2025-209756

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...

7.3CVSS5.8AI score0.0023EPSS
Exploits0References2
Rows per page
Query Builder