Lucene search
K

824 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/28 9:1 p.m.11 views

CVE-2026-44882

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware layer...

6AI score0.00335EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/05/28 9:1 p.m.26 views

CVE-2026-44882

Portainer’s Kubernetes middleware (kubeClientMiddleware) is affected by CVE-2026-44882. The issue occurs in Portainer CE/EE from 2.33.0 up to before 2.33.8, where security.RetrieveTokenData can return an error and the middleware writes a 403 without returning, allowing execution to continue with ...

8.1CVSS6AI score0.00335EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/05/28 9:1 p.m.34 views

CVE-2026-44882 Portainer: Kubernetes middleware continues after token validation failure, bypassing endpoint authorization

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware layer...

8.1CVSS0.00335EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/28 7:37 p.m.7 views

CVE-2026-33463 Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access

Operation on a Resource after Expiration or Termination CWE-672 in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticate...

5.3CVSS5.8AI score0.00238EPSS
Exploits0References1
OSV
OSV
added 2026/05/28 4:16 p.m.9 views

DEBIAN-CVE-2026-48522

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no...

4.2CVSS6AI score0.00181EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/28 2:13 p.m.10 views

CVE-2026-35676 phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint

phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sendin...

8.8CVSS5.8AI score0.00241EPSS
Exploits0References2
CVE
CVE
added 2026/05/28 2:13 p.m.25 views

CVE-2026-35676

CVE-2026-35676 affects phpMyFAQ before 4.1.3. An unauthenticated password-reset flow allows changing a user’s password via the PUT /api/index.php/user/password/update endpoint without token validation. Attackers can enumerate valid username/email pairs and force immediate password changes, potent...

8.8CVSS5.8AI score0.00241EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/28 2:13 p.m.31 views

CVE-2026-35676 phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint

phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sendin...

8.8CVSS0.00241EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/05/27 10:13 p.m.16 views

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

7.5CVSS6.6AI score0.00269EPSS
Exploits1References5
OSV
OSV
added 2026/05/27 9:3 p.m.8 views

GHSA-29FC-P6C4-24CG Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims

Description OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager. OidcTokenHandler::verifyClaims registers...

7.1CVSS5.8AI score0.0005EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/05/27 8:13 p.m.12 views

CVE-2026-46620

e107 is a content management system CMS. Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how sessionhandler::check handles CSRF tokens. Instead of requiring a token on every state-changing request, it only validates...

6.5CVSS5.8AI score0.00133EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/27 8:13 p.m.11 views

CVE-2026-47202

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

9.3CVSS5.7AI score0.00171EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.13 views

PT-2026-44138

Description OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager. OidcTokenHandler::verifyClaims registers...

7.1CVSS5.8AI score0.0005EPSS
Exploits0References7
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.13 views

Himmelblau 安全漏洞

Himmelblau is an open-source Azure Entra ID authentication module developed by Himmelblau. Versions of Himmelblau from 2.0.0 to 3.1.5, as well as versions prior to 2.3.11, contained security vulnerabilities. These vulnerabilities stemmed from the tokenvalidate function, which did not verify wheth...

8.4CVSS5.8AI score0.00246EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 6:16 p.m.17 views

CVE-2026-47202

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

9.3CVSS0.00171EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/26 5:30 p.m.10 views

CVE-2026-47202 Kavita: Pre-Auth Account Takeover

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

9.3CVSS5.7AI score0.00171EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/26 5:30 p.m.50 views

CVE-2026-47202 Kavita: Pre-Auth Account Takeover

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

9.3CVSS0.00171EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/26 5:30 p.m.14 views

EUVD-2026-31938

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

9.3CVSS5.7AI score0.00171EPSS
Exploits0References2
CVE
CVE
added 2026/05/26 5:30 p.m.47 views

CVE-2026-47202

Kavita (cross‑platform reading server) before version 0.9.0.2 is affected by an improper token validation flaw that allows a remote, unauthenticated attacker to obtain a JWT for any user, including admins, given knowledge of the username. The issue stems from inadequate validation of tokens and i...

9.3CVSS5.7AI score0.00171EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/26 4:45 p.m.12 views

EUVD-2026-31889

Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of comusers...

4.6CVSS5.8AI score0.00104EPSS
Exploits0References1
Rows per page
Query Builder