
8 matches found

NVD
Added: 2026/04/06 4:16 p.m. | Views: 6

CVE-2026-34969

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers,...

CVSS: 7.5 | EPSS: 0.00267
Exploits: 1 | References: 1
EUVD
Added: 2026/04/06 4:1 p.m. | Views: 7

EUVD-2026-19358

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers,...

CVSS: 2.3 | AI score: 5.9 | EPSS: 0.00267
Exploits: 1 | References: 2
Cvelist
Added: 2026/04/06 4:1 p.m. | Views: 35

CVE-2026-34969 Nhost Leaks the Refresh Token via URL Query Parameter in OAuth Provider Callback

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers,...

CVSS: 2.3 | EPSS: 0.00267
Exploits: 1 | References: 1
CVE
Added: 2026/04/06 4:1 p.m. | Views: 22

CVE-2026-34969

Nhost CVE-2026-34969 affects the Nhost project (auth service) where, before 0.48.0, the OAuth provider callback incorrectly appended the refresh token as a URL query parameter during redirect. This caused refresh tokens to be exposed in browser history, server logs, HTTP Referer headers, and prox...

CVSS: 7.5 | AI score: 5.9 | EPSS: 0.00267
Exploits: 1 | References: 1 | Affected Software: 1
Snyk
Added: 2026/04/01 11:36 p.m. | Views: 4

Use of GET Request Method With Sensitive Query Strings

Overview: Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings in the OAuth provider callback flow. An attacker can gain unauthorized access to sensitive information by intercepting refresh tokens exposed in URL query parameters through browser...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.00267
Exploits: 1 | References: 2
SUSE CVE
Added: 2025/10/24 11:23 p.m. | Views: 3

SUSE CVE-2025-59824

Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, Omni Wireguard SideroLink has the potential to escape. Omni and each Talos machine establish a peer-to-peer P2P SideroLink connection using WireGuard to mutually authenticate and authorize access. The...

CVSS: 5.4 | AI score: 7.1 | EPSS: 0.00182
Exploits: 0 | References: 2
Vulnrichment
Added: 2025/06/09 8:25 p.m. | Views: 3

CVE-2025-49004 Hijacking Caido instance during the initial setup via DNS Rebinding to achieve RCE

Caido is a web security auditing toolkit. Prior to version 0.48.0, due to the lack of protection for DNS rebinding, Caido can be loaded on an attacker-controlled domain. This allows a malicious website to hijack the authentication flow of Caido and achieve code execution. A malicious website load...

CVSS: 7.5 | AI score: 8 | EPSS: 0.00515
Exploits: 0 | References: 1
CVE
Added: 2025/06/09 8:25 p.m. | Views: 54

CVE-2025-49004

CVE-2025-49004 affects Caido prior to version 0.48.0. The issue arises from missing DNS rebinding protection, allowing a malicious site to load Caido on an attacker-controlled domain and hijack the authentication flow, potentially enabling remote command execution during the initial setup (and ev...

CVSS: 7.5 | AI score: 8 | EPSS: 0.00515
Exploits: 0 | References: 1