9 matches found

Vulnrichment
added 2026/04/08 5:24 p.m., 1 view

CVE-2026-35407 Saleor has Cross-Account Email Change via Unbound Confirmation Token

Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow: the confirmation flow did not verify that the email change confirmation token was issued for the given...

CVSS 5.9, AI score 5.7, EPSS 0.00013
Exploits 0, References 6
CNNVD
added 2026/03/05 12:00 a.m., 6 views

OpenClaw Access Control Error Vulnerability

OpenClaw is an intelligent AI assistant open-sourced by OpenClaw. OpenClaw suffers from an access control error vulnerability that stems from the gateway WebSocket connection handshake allowing device identity checks to be skipped when auth.token is present but not verified, which can be...

CVSS 9.8, AI score 5.8, EPSS 0.00062
Exploits 0, References 3
Vulnrichment
added 2025/11/27 5:47 p.m., 3 views

CVE-2025-12421 Account Takeover via Code Exchange Endpoint

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email...

CVSS 9.9, AI score 6.8, EPSS 0.00086
Exploits 0, References 1
CNNVD
added 2025/11/13 12:00 a.m., 2 views

Mattermost Mobile Apps Security Vulnerability

Mattermost Mobile Apps is a mobile messaging application from Mattermost USA. A security vulnerability exists in Mattermost Mobile Apps version 2.32.0 and prior versions, which stems from an unverified SSO redirect token source that could lead to obtaining user session credentials...

CVSS 6.5, AI score 6.6, EPSS 0.00019
Exploits 0, References 2
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2020-0119

Malware in sbrugna...

CVSS 6.8, AI score 6.4, EPSS 0.00207
Exploits 0, References 8
CNNVD
added 2025/05/13 12:00 a.m., 1 view

ZKTeco ZKBio CVSecurity Trust Management Issue Vulnerability

ZKTeco ZKBio CVSecurity is a series of biometric solutions from the Chinese company ZKTeco. A trust management issue vulnerability exists in ZKTeco ZKBio CVSecurity version 6.4.1R, which stems from a hard-coded key that could allow JWT tokens to be accepted without proper verification...

CVSS 9.8, AI score 6.6, EPSS 0.00856
Exploits 1, References 3
ATTACKERKB
added 2023/11/17 10:15 p.m., 2 views

CVE-2023-48238

joaquimserafim/json-web-token is a JavaScript library used to interact with JSON Web Tokens (JWT), which are a compact, URL-safe means of representing claims to be transferred between two parties. Versions prior to 4.0.0 are vulnerable to a JWT algorithm confusion attack. On line 86 of the 'index.js'...

CVSS 7.5, AI score 7, EPSS 0.00186
Exploits 1, References 3, Affected Software 1
SUSE CVE
added 2023/02/15 3:45 a.m., 3 views

SUSE CVE-2021-22573

The vulnerability is that the IDToken verifier does not verify whether the token is properly signed. Signature verification ensures that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload. The token will pass the validation ...

CVSS 7.3, AI score 6.8, EPSS 0.00055
Exploits 0, References 4
OSV
added 2021/09/27 1:15 p.m., 1 view

CVE-2021-40108

An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF: the ccmtoken is not verified on the ccm/calendar/dialogs/event/add/save endpoint...

CVSS 8.8, AI score 6.9
Exploits 0, References 2