822 matches found
CVE-2026-8499 Helpfulcrowd Product Reviews <= 1.2.9 - Inccorect Authorization via Type Juggling in 'token' Parameter to Arbitrary Settings Update
The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the helpfulcrowdvalidatetoken function using a loose comparison operator != instead of a strict comparison !== when validating...
EUVD-2026-35302
The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the helpfulcrowdvalidatetoken function using a loose comparison operator != instead of a strict comparison !== when validating...
WordPress plugin Helpfulcrowd Product Reviews 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
Netty's Default QUIC token handler accepts any client-supplied token
NoQuicTokenHandler is the tokenHandler used when the application does not set one. Its writeToken returns false server will not send Retry — acceptable, but validateToken unconditionally return 0. In QuicheQuicServerCodec.handlePacket, a non-negative return from validateToken is interpreted as...
PT-2026-47566
NoQuicTokenHandler is the tokenHandler used when the application does not set one. Its writeToken returns false server will not send Retry — acceptable, but validateToken unconditionally return 0. In QuicheQuicServerCodec.handlePacket, a non-negative return from validateToken is interpreted as...
PT-2026-47605
Name of the Vulnerable Software and Affected Versions Netty ionettyincubatorcodecquic affected versions not specified Description The NoQuicTokenHandler component fails to properly validate tokens when no specific token handler is set by the application. Specifically, the validateToken function...
CVE-2026-45289
CloudburstMC Protocol is a protocol library for Minecraft Bedrock Edition. Prior to version 3.0.0.Beta12-20260420.182526-15, CloudburstMC Protocol is partially missing validation for FULL type authentication tokens Cloudburst/Protocol. This vulnerability impacts publicly accessible software...
CVE-2026-8428
Concrete CMS 9.5.0 and below emits a CSRF token in the localavailableupdate.php view $token-output'doupdate' but the corresponding doupdate method in concrete/controllers/singlepage/dashboard/system/update/update.php never calls $this-token-validate'doupdate'. The form is rendered as a POST form,...
EUVD-2026-34032
CloudburstMC Protocol is a protocol library for Minecraft Bedrock Edition. Prior to version 3.0.0.Beta12-20260420.182526-15, CloudburstMC Protocol is partially missing validation for FULL type authentication tokens Cloudburst/Protocol. This vulnerability impacts publicly accessible software...
CVE-2026-45289
CloudburstMC Protocol is a protocol library for Minecraft Bedrock Edition. Prior to version 3.0.0.Beta12-20260420.182526-15, CloudburstMC Protocol is partially missing validation for FULL type authentication tokens Cloudburst/Protocol. This vulnerability impacts publicly accessible software...
CVE-2026-45289
CloudburstMC Protocol (Minecraft Bedrock Edition) has a vulnerability in the EncryptionUtils validation for FULL type auth tokens prior to version 3.0.0.Beta12-20260420.182526-15. Exploitation affects software depending on this protocol library by potentially weakening authentication payload vali...
PT-2026-45856
Name of the Vulnerable Software and Affected Versions CloudburstMC Protocol versions prior to 3.0.0.Beta12-20260420.182526-15 Description CloudburstMC Protocol, a protocol library for Minecraft Bedrock Edition, contains a flaw where validation for FULL type authentication tokens is partially...
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
CVE-2026-44882
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware layer...
GHSA-XH5J-XJFQ-QVVX stigmem-node's federation peer token timestamp validation may reject valid peer tokens
Impact A mismatch in federation peer-token timestamp handling could cause valid peer tokens to be treated as expired. Impacted deployments are Stigmem nodes using federation peer authentication paths from affected versions. The primary impact is availability and reliability of authenticated...
Admidio: CSRF in SSO client `enable` action toggles SAML/OIDC clients without token validation
Summary modules/sso/clients.php validates an admcsrftoken on every state-changing branch except enable. The enable case loads the SAML or OIDC client by UUID, calls $client-enable$enabled, and persists the new state with no token check. Because the action is reachable via plain GET parameters, a...
CVE-2026-44882
Portainer’s Kubernetes middleware (kubeClientMiddleware) is affected by CVE-2026-44882. The issue occurs in Portainer CE/EE from 2.33.0 up to before 2.33.8, where security.RetrieveTokenData can return an error and the middleware writes a 403 without returning, allowing execution to continue with ...
CVE-2026-44882 Portainer: Kubernetes middleware continues after token validation failure, bypassing endpoint authorization
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware layer...
CVE-2026-44882 Portainer: Kubernetes middleware continues after token validation failure, bypassing endpoint authorization
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware layer...
EUVD-2026-33060
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware layer...