CVE-2026-34460
NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause ...
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
Summary: OneUptime's GitHub App callback trusts attacker-controlled state and installationid values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub A...
CVE-2026-24408 sigstore has CSRF possibility in OIDC authentication during signing
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. OAuthSession creates a unique "state" and sends it as a parameter in the authentication request bu...
CVE-2026-24408
The CVE-2026-24408 issue affects sigstore-python prior to version 4.2.0. The root cause is CSRF in the OAuth/OIDC authentication flow where _OAuthSession generates a unique state but the server response state is not cross-checked, enabling potential session misbinding. The affected component is t...
PT-2025-53026
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The IMGU driver in the Linux kernel had a flaw where it attempted to dereference a NULL pointer when the sd_state argument to functions like v4l2_subdev_get_try_crop was NULL. This...
CVE-2019-15150
In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function...