Lucene search
+L

48329 matches found

Cvelist
Cvelist
added 2 hours ago5 views

CVE-2026-49852 joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. Prior to 1.6.8, joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None, because HMACAlgorithm.sign...

8.7CVSS
Exploits0References3
CVE
CVE
added 2 hours ago26 views

CVE-2026-49852

Summary: CVE-2026-49852 affects the Python library joserfc. Prior to version 1.6.8, joserfc.jwt.decode can accept attacker-forged HS256/HS384/HS512 tokens if the verification key is empty or None, enabling potential authentication bypass when the configured secret resolves to an empty string. The...

8.7CVSS5.3AI score
Exploits0References3
Cvelist
Cvelist
added 5 hours ago10 views

CVE-2026-9537 Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison

Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison. The decode method compares the supplied signature to the recomputed HMAC with Perl's eq operator, which stops at the first differing byte, so the comparison time varies with the number of...

Exploits0References1
NVD
NVD
added 8 hours ago5 views

CVE-2026-13410

Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled. The default user agent is initialised with SSLverifymode explicitly disabled. An attacker with network man-in-the-middle MITM capability between the Dancer application and googleapis.com can intercept the...

8.2CVSS
Exploits0References4
CVE
CVE
added 8 hours ago6 views

CVE-2026-13410

Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled. The default user agent is initialised with SSLverifymode explicitly disabled. An attacker with network man-in-the-middle MITM capability between the Dancer application and googleapis.com can intercept the...

8.2CVSS5.4AI score
Exploits0References4
EUVD
EUVD
added 8 hours ago6 views

EUVD-2026-45168

Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled. The default user agent is initialised with SSLverifymode explicitly disabled. An attacker with network man-in-the-middle MITM capability between the Dancer application and googleapis.com can intercept the...

8.2CVSS5.4AI score
Exploits0References3
BDU FSTEC
BDU FSTEC
added 9 hours ago14 views

The vulnerability of the software for calculating positions of individual RTLS transponders in the SIMATIC RTLS Locating Manager lies in the lack of a mechanism for verifying input data during backup scenarios. This allows a malicious actor to execute arbitrary code with SYSTEM privileges.

The vulnerability of the software for calculating positions of individual RTLS transponders in the SIMATIC RTLS Locating Manager is related to deficiencies in the mechanism for verifying input data during backup scenario execution. Exploiting this vulnerability could allow an attacker, operating...

9.1CVSS6.1AI score0.00648EPSS
Exploits0References2Affected Software1
BDU FSTEC
BDU FSTEC
added 9 hours ago19 views

The vulnerability of the Directum HR Pro system, which exists due to insufficient verification of input data, allows a perpetrator to disclose protected information.

The vulnerability of the Directum HR Pro system exists due to insufficient verification of input data. Exploiting this vulnerability can allow a malicious actor to disclose protected information by sending a specially crafted POST request...

7.7CVSS5.7AI score
Exploits0Affected Software1
NVD
NVD
added 14 hours ago5 views

CVE-2026-12393

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders...

5.4CVSS
Exploits0References1
Cvelist
Cvelist
added 15 hours ago14 views

CVE-2026-12393 WPS Bookings for WooCommerce < 3.11.7 - Subscriber+ Arbitrary Booking Order Cancellation via IDOR

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders...

Exploits0References1
EUVD
EUVD
added 15 hours ago5 views

EUVD-2026-45148

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders...

5.4CVSS5.3AI score
Exploits0References1
Nuclei
Nuclei
added 16 hours ago32 views

Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation

Zoom WordPress plugin 4.6.6 contains a broken authentication caused by disabled nonce verification in an AJAX handler, letting unauthenticated attackers generate valid Zoom SDK signatures and retrieve the Zoom SDK key. id: CVE-2026-1368 info: name: Video Conferencing with Zoom API 4.6.6 -...

7.5CVSS5.2AI score0.01211EPSS
Exploits0References3
Nuclei
Nuclei
added 16 hours ago45 views

AVTECH DVR - Login Verification Code Bypass

AVTECH DVR products are vulnerable to verification code bypass just by entering the "login=quick" parameter to bypass verification code. id: CVE-2013-4982 info: name: AVTECH DVR - Login Verification Code Bypass author: ritikchaddha severity: low description: | AVTECH DVR products are vulnerable t...

9.8CVSS8.4AI score0.13117EPSS
Exploits6References1
Nuclei
Nuclei
added 16 hours ago83 views

DataEase v2.10.2 - JWT Signature Verification Bypass

DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions, the lack of signature verification of JWT tokens allows attackers to forge JWTs, which then allow access to any interface. The...

9.3CVSS5.3AI score0.01223EPSS
Exploits1References1
Nuclei
Nuclei
added 16 hours ago41 views

WordPress Plugin Age Verification v0.4 - Open Redirect

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirectto parameter. id: CVE-2012-6499 info: name: WordPress Plugin Age...

5.8CVSS5.6AI score0.10557EPSS
Exploits1References3
NVD
NVD
added yesterday6 views

CVE-2026-49998

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.1, Centrifugo dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another allowed issuer because the JWKS cache and singleflight lookup were keyed only by JWT header kid, not...

8.2CVSS
Exploits0References4
CVE
CVE
added yesterday8 views

CVE-2026-45795

The Janssen Project's Jans-auth-server had a JWE request object signature verification bypass prior to version 2.0.0: unsigned JWE were accepted because JwtAuthorizationRequest skipped inner signature validation when jwe.getSignedJWTPayload() was null, and AuthzRequestService.processRequestObject...

5.3CVSS6.1AI score0.00044EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added yesterday6 views

CVE-2026-38974

A flaw was found in Dulwich. The contrib/paramikovendor.py component is missing Secure Shell SSH host key verification. This vulnerability allows a remote attacker to impersonate a legitimate Git server. By doing so, the attacker could potentially intercept sensitive information or execute...

8.8CVSS6.3AI score0.00145EPSS
Exploits0References6
CVE
CVE
added yesterday9 views

CVE-2024-58360

CVE-2024-58360 affects stoatchat versions before 0.7.8. The issue: account creation restrictions (invite-only, email verification, captcha, shield verification) are not enforced, allowing attackers to create unlimited accounts with unverified emails. Impacts include higher denial-of-service risk ...

6.9CVSS6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday6 views

Malicious code in @hibachi-xyz/config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2012c3b3a43f28209edf1c4b6fdbb0477c7c31f7574e37293cf7dd324f7f1e2f On require of the package's main entry, top-level code enumerates process.env and collects values whose keys match a credential-shaped regex KEY,...

6.1AI score
Exploits0References1
Rows per page
Query Builder