BIT-KIBANA-2026-33463 Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access

Operation on a Resource after Expiration or Termination CWE-672 in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticate...

EUVD-2025-209635

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users...

CVE-2025-67796

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users...

CLSA-2026-1774260216 Fix CVE(s): CVE-2026-1965, CVE-2026-3783, CVE-2026-3784

SECURITY UPDATE: reuse of connections using HTTP Negotiate - debian/patches/CVE-2026-1965.patch: fix reuse of connections using HTTP Negotiate and fix copy and paste urlmatchauthnego mistake. - CVE-2026-1965 Bearer token sent without checking auth is allowed - debian/patches/CVE-2026-3783.patch:...

CVE-2026-1842

HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime default one year, an authenticated...

CVE-2026-1842 HyperCloud Improper Refresh Token Validation and Access Token Invalidation Allows Long-Term Unauthorized Access

HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime default one year, an authenticated...

PT-2026-21250

HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime default one year, an authenticated...

CVE-2025-52661

HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised...

CVE-2025-52661

HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised...

CVE-2025-52661

HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised...

CVE-2025-52661

Technical details about CVE-2025-52661 are not publicly disclosed in the provided documents. No affected versions, root cause, or remediation are specified. Monitor for updates from vendors and security advisories.

CVE-2025-52661

HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised...

CVE-2025-12421

Mattermost versions 11.0.x = 11.0.2, 10.12.x = 10.12.1, 10.11.x = 10.11.4, 10.5.x = 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email...

PT-2025-47979

Name of the Vulnerable Software and Affected Versions lunary-ai/lunary versions prior to 1.9.35 Description The application is susceptible to account takeover due to flawed authentication within the Google OAuth integration. Specifically, the application does not validate the aud audience field...

CVE-2025-62610

Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud Audience verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid...

CVE-2025-62610 Hono Improperly Authorizes JWT Audience Validation

Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud Audience verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid...

EUVD-2020-3139

Malware in sbrugna...

EUVD-2023-54312

Malicious code in bioql PyPI...

EUVD-2022-53113

Malicious code in bioql PyPI...

EUVD-2022-34787

Malicious code in bioql PyPI...