CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Snyk•added 2026/06/05 4:43 p.m.•4 views

Insufficient Session Expiration

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to revoke OAuth tokens in the revokeAllOAuthTokensByUser process after password change, reset, or recovery. An attacker can maintain unauthorized access by continuing...

6.3CVSS5.4AI score0.00295EPSS

OSV•added 2026/06/05 4:43 p.m.•11 views

GHSA-G72G-R7M4-9X4G NocoDB: OAuth Tokens Persist Through Security Events

Summary OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. Details revokeAllOAuthTokensByUser in the users service was an empty stub bein...

6.3CVSS5.5AI score0.00295EPSS

OSV•added 2026/06/05 5:40 a.m.•6 views

BIT-AIRFLOW-2026-48726 Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path

A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoketoken call, so the JWT remained accepted by the API server...

9.1CVSS5.6AI score0.00667EPSS

Exploits0References4

Positive Technologies•added 2026/06/05 12:0 a.m.•8 views

PT-2026-49060

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description OAuth access and refresh tokens are not revoked when a user changes, resets, or recovers their password. This occurs because the revokeAllOAuthTokensByUser function in the users service was an emp...

6.3CVSS5.9AI score0.00295EPSS

Exploits0References8

NVD•added 2026/06/01 9:16 a.m.•16 views

CVE-2026-48726

6.5CVSS0.00368EPSS

Cvelist•added 2026/06/01 7:35 a.m.•35 views

CVE-2026-48726 Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path

0.00368EPSS

CVE•added 2026/06/01 7:35 a.m.•23 views

CVE-2026-48726

CVE-2026-48726 describes a bug in Apache Airflow where the logout flow for FabAuthManager and KeycloakAuthManager does not reach revoke_token(), leaving previously issued JWTs valid until expiry. This creates a residual gap after CVE-2025-57735 where cookie-side invalidation was addressed but pro...

6.5CVSS5.9AI score0.00368EPSS

Exploits0References3Affected Software1

Vulnrichment•added 2026/06/01 7:35 a.m.•8 views

CVE-2026-48726 Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path

5.9AI score0.00368EPSS

EUVD•added 2026/06/01 7:35 a.m.•13 views

EUVD-2026-33581

9.1CVSS5.9AI score0.00667EPSS

CNNVD•added 2026/06/01 12:0 a.m.•9 views

Apache Airflow 代码问题漏洞

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. Versions of Apache Airflow prior to 3.2.2 contained code vulnerabilities. These vulnerabilities stemmed from the authentication...

6.5CVSS5.4AI score0.00368EPSS

Exploits0References4

CNNVD•added 2026/05/29 12:0 a.m.•9 views

SillyTavern 安全漏洞

SillyTavern is a frontend interface for the SillyTavern open-source language model. Versions of SillyTavern prior to 1.18.0 contained security vulnerabilities. These vulnerabilities stemmed from the use of cookie-session for authentication. The password update endpoint only updated the password...

7.5CVSS5.8AI score0.00394EPSS

Exploits1References1

Cvelist•added 2026/05/28 4:29 p.m.•29 views

CVE-2026-9097 CVE-2026-9097

Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken function in object/tokenoauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revok...

0.00405EPSS

ATTACKERKB•added 2026/05/28 4:29 p.m.•6 views

CVE-2026-9097

5.7AI score0.00405EPSS

CVE•added 2026/05/28 4:29 p.m.•26 views

CVE-2026-9097

CVE-2026-9097 affects Casdoor

9.8CVSS5.7AI score0.00405EPSS

EUVD•added 2026/05/28 4:47 a.m.•10 views

EUVD-2026-32720

A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been...

6.8CVSS5.7AI score0.00305EPSS

CNNVD•added 2026/05/28 12:0 a.m.•9 views

Casdoor 安全漏洞

Casdoor is an open-source platform developed by Casdoor that supports various authentication and authorization protocols. Versions of Casdoor prior to 2.362.0 contained security vulnerabilities. These vulnerabilities stemmed from failing to verify whether the JWT used for token exchange was still...

5.7AI score0.00405EPSS

OSV•added 2026/05/21 8:39 p.m.•5 views

GHSA-F76X-F9VJ-92JV NocoDB: Stale Auth Cache After API Token Deletion

Summary Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. Details The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache...

2.3CVSS5.7AI score0.00197EPSS

RedhatCVE•added 2026/05/19 6:27 a.m.•12 views

CVE-2026-8922

A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect OIDC Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially...

5.4CVSS5.7AI score0.00281EPSS