CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

ATTACKERKB•added 5 days ago•5 views

CVE-2026-44237

Exploits0References2Affected Software1

EUVD•added 5 days ago•4 views

EUVD-2026-33300

Cvelist•added 5 days ago•23 views

CVE-2026-44237 FreePBX: Authenticated Access can lead to Subsequent OAuth2 Authentication Bypass in API Module

7.6CVSS0.00031EPSS

CVE•added 5 days ago•9 views

CVE-2026-44237

Summary: CVE-2026-44237 affects FreePBX before 17.0.8. The api module’s OAuth2 flow does not validate client credentials during token issuance; validateClient() in ClientRepository.php unconditionally returns true. This allows any party with a valid client_id to obtain OAuth2 access tokens withou...

8.1CVSS5.8AI score0.00031EPSS

Exploits0References1Affected Software1

Vulnrichment•added 5 days ago•6 views

CVE-2026-44237 FreePBX: Authenticated Access can lead to Subsequent OAuth2 Authentication Bypass in API Module

Positive Technologies•added 5 days ago•3 views

PT-2026-44842

FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client id is required. The validateClient method in ClientRepository.php unconditionally returns true,...

CNNVD•added 5 days ago•3 views

FreePBX 安全漏洞

FreePBX is a set of tools from the FreePBX project that allow configuration of Asterisk an IP telephony system through a GUI-based web interface. Versions of FreePBX prior to 17.0.8 contained a security vulnerability. This vulnerability stemmed from the OAuth2 implementation in the API module,...

8.1CVSS5.8AI score0.00031EPSS

NVD•added 6 days ago•6 views

CVE-2026-9798

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...

4.3CVSS0.00053EPSS

ATTACKERKB•added 6 days ago•4 views

CVE-2026-9798

4.3CVSS5.7AI score0.00053EPSS

Exploits0References3

CVE•added 6 days ago•20 views

CVE-2026-9798

Keycloak is affected by a flaw where, after a user account is temporarily locked due to repeated failed logins, an attacker with valid client credentials can abuse the Client-Initiated Backchannel Authentication (CIBA) flow to bypass the lock. This allows continued authentication attempts and tok...

4.3CVSS5.7AI score0.00053EPSS

Exploits0References2Affected Software1

EUVD•added 6 days ago•4 views

EUVD-2026-32717

4.3CVSS5.7AI score0.00053EPSS

CNNVD•added 6 days ago•4 views

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak. There is a security vulnerability in Keycloak. This vulnerability arises when user accounts are temporarily locked due to failed login attempts. Attackers with valid client credentials can exploit the revers...

4.3CVSS5.8AI score0.00053EPSS

RedhatCVE•added 2026/05/22 3:46 p.m.•7 views

CVE-2026-43001

A flaw was found in OpenStack Keystone. An attacker holding an unrestricted application credential could exploit a vulnerability in the POST /v3/credentials endpoint where the caller-supplied projectid for an EC2-type credential was not validated against the project of the authenticating...

8CVSS5.8AI score0.00018EPSS

Exploits1References5

EUVD•added 2026/05/22 12:31 a.m.•5 views

EUVD-2026-31364

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...

2.3CVSS5.8AI score0.00037EPSS

Cvelist•added 2026/05/21 9:20 p.m.•22 views

CVE-2026-7887 For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status

2.3CVSS0.00037EPSS