Lucene search
K

85 matches found

Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.10 views

PT-2026-53747

Name of the Vulnerable Software and Affected Versions Strapi users-permissions plugin affected versions not specified Description The users-permissions plugin fails to restrict JSON Web Token JWT algorithms when the plugin::users-permissions.jwt.algorithm configuration is not explicitly set. This...

6.3CVSS5.8AI score0.00147EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/06/24 9:4 p.m.9 views

CVE-2026-49277

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth...

2.3CVSS5.9AI score0.00215EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/29 8:13 p.m.9 views

CVE-2026-45041

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TESTPRIVATEKEY and uses it in production via parselicense to "verify" license tokens. Because the key is embedded in every...

8.7CVSS5.9AI score0.00239EPSS
Exploits0References1
NVD
NVD
added 2026/05/28 7:16 p.m.12 views

CVE-2026-45041

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TESTPRIVATEKEY and uses it in production via parselicense to "verify" license tokens. Because the key is embedded in every...

8.7CVSS0.00239EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/25 8:40 a.m.18 views

CVE-2026-33381

A flaw was found in Grafana. When a user's access to mint tokens for a service account is revoked, the system may temporarily allow the user to continue minting tokens for a few seconds. This could lead to a temporary bypass of access control, potentially enabling unauthorized actions if the toke...

8.1CVSS5.6AI score0.00245EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/05/22 12:0 a.m.11 views

Linux Distros Unpatched Vulnerability : CVE-2026-33381

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will...

8.1CVSS5.4AI score0.00245EPSS
Exploits0References3
OSV
OSV
added 2026/05/20 2:28 a.m.7 views

MAL-2026-4394 Malicious code in @ikyyofc/gemini-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5793a1cde3de83b8c15b49a0f9981d72fbf431067a4416ce6b2bd5650ea4a4d6 @ikyyofc/[email protected] ships two heavily obfuscated modules src/gemini.js and src/utils/proxy.js wrapped in an obfuscator.io-style string-array +...

5.8AI score
Exploits0References17
OSV
OSV
added 2026/05/15 8:42 a.m.5 views

BIT-GRAFANA-2026-33381 Users can generate Service Account tokens after permissions removal

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

8.1CVSS5.8AI score0.00245EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/05/15 1:59 a.m.14 views

SUSE CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9CVSS5.8AI score0.00245EPSS
Exploits0References3
OSV
OSV
added 2026/05/13 9:32 p.m.3 views

GHSA-WFHV-MJ62-F5XH Grafana: Users can generate Service Account tokens after permissions removal

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9CVSS5.2AI score0.00245EPSS
Exploits0References4
NVD
NVD
added 2026/05/13 8:16 p.m.11 views

CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

8.1CVSS0.00245EPSS
Exploits0References1
OSV
OSV
added 2026/05/13 8:16 p.m.17 views

UBUNTU-CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

8.1CVSS5.8AI score0.00245EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/13 7:28 p.m.7 views

CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9CVSS5.8AI score0.00245EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/04/28 6:10 p.m.4 views

EUVD-2026-26125

OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval...

8.8CVSS5.2AI score0.00282EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/28 6:10 p.m.4 views

CVE-2026-42422

OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval...

8.8CVSS5.2AI score0.00282EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/28 6:10 p.m.5 views

CVE-2026-42422 OpenClaw < 2026.4.8 - Role Bypass in device.token.rotate Function

OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval...

8.8CVSS5.2AI score0.00282EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/28 6:10 p.m.33 views

CVE-2026-42422 OpenClaw < 2026.4.8 - Role Bypass in device.token.rotate Function

OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval...

8.8CVSS0.00282EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/28 12:0 a.m.6 views

PT-2026-35801

OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval...

8.8CVSS5.2AI score0.00282EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/04/16 10:48 p.m.18 views

Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys

Isolated paperclip instance running in authenticated mode default config on a clean Docker image matching commit b649bd4 2026.411.0-canary.8, post the 2026.410.0 patch. This advisory was verified on an unmodified build. Summary POST /api/agents/:id/keys, GET /api/agents/:id/keys, and DELETE...

6AI score
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/03/10 9:3 p.m.3 views

EUVD-2026-10825

Feathers has an OAuth Callback Account Takeover issue...

9.3CVSS5.8AI score0.00519EPSS
Exploits0References1
Rows per page
Query Builder