455 matches found
CVE-2026-28396
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has be...
CVE-2026-28396 NocoDB: Refresh Tokens Not Revoked on Password Reset
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has be...
Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which are vulnerable to CVEs.
Summary IBM Maximo Application Suite uses "org.apache.cxfcxf-core 3.6.7, io.nettynetty-codec-http 4.1.124.Final , github.com/golang-jwt/jwt/v4 v4.5.0" which are vulnerable to "CVE-2025-48913, CVE-2025-58056, CVE-2024-51744". This bulletin contains information regarding the vulnerabilities and how...
📄 WordPress RestroPress Online Food Ordering System 3.1.9.2 Disclosure Scanner
WordPress RestroPress Online Food Ordering System plugin version 3.1.9.2 user metadata exposure scanner. ============================================================================================================================================= | Title : WordPress RestroPress Online Food Orderi...
PT-2026-22223
Name of the Vulnerable Software and Affected Versions Initiative versions prior to 0.32.4 Description Initiative, a self-hosted project management platform, does not invalidate previously issued JWT access tokens after a user changes their password. This allows older tokens to remain valid until...
Secure-auth-api
🔐 Secure Auth API — Built → Broken → Fixed A hands-on securit...
FreePBX 安全漏洞
FreePBX formerly known as Asterisk Management Portal is a set of tools developed by the FreePBX project, designed to configure Asterisk an IP telephony system through a GUI graphical web-based interface. Versions of FreePBX prior to 17.0.5 and 16.0.17 contained security vulnerabilities. These...
CVE-2026-26010
OpenMetadata CVE-2026-26010 describes a leakage of JWTs through calls to /api/v1/ingestionPipelines from the UI, prior to version 1.11.8. Read-only users could obtain tokens used by the ingestion-bot for services such as Glue, Redshift, and Postgres, enabling access to a highly privileged Ingesti...
Insertion of Sensitive Information Into Sent Data
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the api/v1/ingestionPipelines endpoint, which exposes JWT tokens used by privileged bot accounts in API responses. An attacker can gain unauthorized access to sensitive data and...
[SECURITY] Fedora 42 Update: rust-jsonwebtoken-9.3.1-4.fc42
Create and decode JWTs in a strongly typed way...
Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: osbuild-composer (UTSA-2026-005329)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005329 advisory. golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument...
CVE-2026-1486 Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...
CVE-2026-25538
Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user including low-privileged CI/CD Developers to obtain the global API Token signing key by accessing the...
EUVD-2026-5332
Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user including low-privileged CI/CD Developers to obtain the global API Token signing key by accessing the...
CVE-2026-25538
Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user including low-privileged CI/CD Developers to obtain the global API Token signing key by accessing the...
EUVD-2026-5350
Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7...
CVE-2026-25505 Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication
Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7...
CVE-2025-69971
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...
Devtron 安全漏洞
Devtron is an open-source Kubernetes cloud-native tool integration platform developed by Devtron. Versions of Devtron 2.0.0 and earlier contained security vulnerabilities. These vulnerabilities were caused by improper access control in the Attributes API interface, which could lead to the...
PT-2026-6317
Name of the Vulnerable Software and Affected Versions Devtron versions prior to 2.0.0 Description Devtron is a tool integration platform for Kubernetes. A flaw exists in the Attributes API interface that allows authenticated users to obtain the global API Token signing key by accessing the...