304 matches found
EUVD-2025-209495
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...
CVE-2025-12624
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...
CVE-2025-12624
WSO2 Identity Server is affected by CVE-2025-12624, where active access tokens are not revoked when a user account is locked. The underlying issue is a failure to enforce revocation of previously issued, valid tokens, allowing locked accounts to maintain access to protected resources via unexpire...
WSO2 Identity Server security vulnerability
WSO2 Identity Server is an identity authentication server developed by the American company WSO2. There is a security vulnerability in WSO2 Identity Server; this vulnerability arises from the failure to revoke active access tokens when user accounts are locked, which may lead to bypassing access...
PT-2026-33306
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...
CVE-2026-4002
The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajaxrevoketoken function which handles the 'petjeafdisconnect' AJAX action. The function performs destructive operations includin...
Improper Session Invalidation
github.com/usememos/memos is vulnerable to improper session invalidation. The vulnerability is due to access tokens not being revoked after a password change, which allows an attacker to retain unauthorized access using previously issued valid tokens...
CVE-2026-34503
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...
PT-2026-29816
Name of the Vulnerable Software and Affected Versions: listmonk versions 4.1.0 through 6.0.0. Description: listmonk, a self-hosted newsletter and mailing list manager, has a session management issue. Previously issued authenticated sessions remain valid after sensitive account security changes, such...
GHSA-2PR2-HCV6-7GWV OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Summary: Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact: A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...
Insufficient Session Expiration
Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Insufficient Session Expiration through incomplete termination of WebSocket sessions when devices are removed or tokens are revoked. An attacker can retain unauthorized access by...
GHSA-89HR-6X2P-8XJV Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoke...
CVE-2026-34503
OpenClaw (vulnerable: before 2026.3.28) fails to terminate active WebSocket sessions when devices are removed or tokens are revoked, enabling persistence of access for revoked credentials through existing live sessions until forced reconnection. This impacts OpenClaw deployments using the affecte...
CVE-2026-34503 OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...
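The entries above share one defect class: a credential or session is checked only for signature and expiry at issue time, so locking the account (WSO2 CVE-2025-12624), changing the password (memos, listmonk) or revoking a device token (OpenClaw CVE-2026-34503) has no effect on what was already handed out, and in the OpenClaw case the already-open WebSocket keeps running as well. The following is an added illustration written for this page, not code from WSO2, memos, listmonk or OpenClaw. The HMAC token format, the per-account `auth_epoch` counter, the `Server`/`LiveConnection` classes and the sample accounts `alice` and `bob` are all constructed for the example; `validate_vulnerable` reproduces the weak check and `validate`/`revoke` show one fix.

```python
# Added example, not code from WSO2, memos, listmonk or OpenClaw: a minimal
# token/session layer showing the failure mode the advisories above describe and
# one fix. The signed-token format, the per-account auth_epoch counter and the
# connection registry are assumptions made for this illustration.
import base64, hashlib, hmac, json, time
from dataclasses import dataclass
from typing import Optional

SIGNING_KEY = b"example-signing-key"  # constructed for the example only


@dataclass
class Account:
    user: str
    locked: bool = False
    auth_epoch: int = 0  # bumped on lock, password change or explicit revocation


class LiveConnection:
    """Stand-in for an already-authenticated WebSocket session."""
    def __init__(self, user: str):
        self.user, self.closed = user, False

    def close(self) -> None:
        self.closed = True


class Server:
    def __init__(self) -> None:
        self.accounts = {}      # user -> Account
        self.connections = []   # open LiveConnection objects

    def issue_token(self, user: str, ttl: int = 3600) -> str:
        """HMAC-signed bearer token carrying the account's auth_epoch at issue time."""
        claims = {"sub": user, "exp": int(time.time()) + ttl,
                  "epoch": self.accounts[user].auth_epoch}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def _claims(self, token: str) -> Optional[dict]:
        """Signature and expiry only; None on failure."""
        body, _, sig = token.partition(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        return None if claims["exp"] < time.time() else claims

    def validate_vulnerable(self, token: str) -> bool:
        """The CVE-2025-12624 pattern: the token stays usable after the account is locked."""
        return self._claims(token) is not None

    def validate(self, token: str) -> bool:
        """Hardened: also consult live account state and the epoch at issue time."""
        claims = self._claims(token)
        if claims is None:
            return False
        acct = self.accounts.get(claims["sub"])
        return acct is not None and not acct.locked and claims["epoch"] == acct.auth_epoch

    def connect(self, token: str) -> Optional[LiveConnection]:
        """Open a long-lived session (WebSocket analogue) if the token validates."""
        claims = self._claims(token)
        if claims is None or not self.validate(token):
            return None
        conn = LiveConnection(claims["sub"])
        self.connections.append(conn)
        return conn

    def revoke(self, user: str, lock: bool = False) -> int:
        """Invalidate every token issued so far and close live sessions.
        Dropping the loop over self.connections reproduces CVE-2026-34503:
        the stored credential is revoked but open sessions survive until reconnect."""
        acct = self.accounts[user]
        acct.auth_epoch += 1
        acct.locked = acct.locked or lock
        closed = 0
        for conn in self.connections:
            if conn.user == user and not conn.closed:
                conn.close()
                closed += 1
        return closed


def demo() -> dict:
    """Lock alice after she holds a token and a live session; rotate bob's epoch on password change."""
    srv = Server()
    srv.accounts["alice"] = Account("alice")
    tok = srv.issue_token("alice")
    conn = srv.connect(tok)
    before = (srv.validate_vulnerable(tok), srv.validate(tok), conn.closed)
    closed = srv.revoke("alice", lock=True)
    after = (srv.validate_vulnerable(tok), srv.validate(tok), conn.closed)
    srv.accounts["bob"] = Account("bob")
    old = srv.issue_token("bob")
    srv.revoke("bob")  # password change: epoch bump only, account stays usable
    new = srv.issue_token("bob")
    return {"before": before, "after": after, "closed": closed,
            "bob_old": srv.validate(old), "bob_new": srv.validate(new)}
```

After `revoke("alice", lock=True)`, `validate_vulnerable` still accepts alice's token while `validate` rejects it and her live connection is closed; bob's pre-change token fails the epoch comparison while a token issued after the change passes. The epoch check is what makes the fix cheap: one integer per account invalidates every outstanding token without a revocation list, and any event the deployment treats as security-sensitive (lock, password or MFA change, device removal) just has to bump it and sweep the connection registry.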