Lucene search
K

449 matches found

OSV
OSV
added 2026/03/20 9:16 a.m.6 views

CVE-2026-33124 Frigate has insecure password change functionality

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/username/password endpoint. Changing a password does not...

8.6CVSS5.8AI score0.00247EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/03/18 12:0 a.m.8 views

LibreChat 安全漏洞

LibreChat is an open-source, free, and highly customizable unified AI dialogue platform. It allows for the aggregation and running of large models from any vendor within a single interface. Version 0.8.1-rc2 of LibreChat contains a security vulnerability, which stems from the fact that logged-in...

9CVSS5.8AI score0.00232EPSS
Exploits1References2
UbuntuCve
UbuntuCve
added 2026/03/13 12:0 a.m.5 views

CVE-2026-32597

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting...

7.5CVSS7.2AI score0.00269EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 2026/03/13 12:0 a.m.3 views

Linux Distros Unpatched Vulnerability : CVE-2026-32597

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 4.1.11. When...

7.5CVSS6.8AI score0.00269EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/11 10:40 p.m.4 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error in the token exchange endpoint /api/1.0/unity-control/auth/tokens that processes JWTs. An attacker can gain unauthorized access and impersonate any user by supplying a JWT with a malicious issuer, as the endpoint...

9.9CVSS5.5AI score0.00183EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/11 7:36 p.m.2 views

CVE-2026-27478

Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint /api/1.0/unity-control/auth/tokens. The endpoint extracts the issuer iss claim from incoming JWTs and uses it to...

9.1CVSS5.8AI score0.00183EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/03/10 6:18 p.m.6 views

DEBIAN-CVE-2026-30928

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file glances.conf via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all...

7.5CVSS8.4AI score0.01657EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/03/10 4:15 p.m.4 views

CVE-2026-30928

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file glances.conf via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all...

8.7CVSS5.8AI score0.01657EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/07 4:6 p.m.32 views

CVE-2026-28678

...

0.00165EPSS
Exploits0
CVE
CVE
added 2026/03/07 4:6 p.m.11 views

CVE-2026-28678

CVE-2026-28678 pertains to the DSA Study Hub application. Prior to commit d527fba, the authentication system in server/routes/auth.js stored JWTs in HTTP cookies without cryptographic protection of the payload, exposing credential data via insufficiently protected credentials. The issue affects t...

5.7AI score0.00165EPSS
Exploits0
OSV
OSV
added 2026/03/07 4:6 p.m.5 views

CVE-2026-28678 dsa-hub-server: Clear-Text Storage of Sensitive Data

DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens JWTs were stored in HTTP cookies without cryptographic protection...

8.1CVSS5.7AI score0.00165EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/07 12:0 a.m.6 views

PT-2026-23866

Name of the Vulnerable Software and Affected Versions DSA Study Hub versions prior to commit d527fba Description The user authentication system in the application’s server/routes/auth.js component had a flaw related to insufficiently protected credentials. Authentication tokens, specifically JWTs...

9.1CVSS5.8AI score0.00165EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/03/03 10:48 p.m.5 views

CVE-2026-27932

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows an unauthenticated attacker to cause a Denial of Service DoS via CPU exhaustion. When the library...

7.5CVSS6AI score0.00432EPSS
Exploits2References3Affected Software1
OSV
OSV
added 2026/03/02 4:18 p.m.6 views

CVE-2026-28396 NocoDB: Refresh Tokens Not Revoked on Password Reset

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has be...

7.1CVSS5.8AI score0.00181EPSS
Exploits0References4
CVE
CVE
added 2026/03/02 4:18 p.m.20 views

CVE-2026-28396

CVE-2026-28396 concerns NocoDB, a database-as-spreadsheets platform. Prior to version 0.301.3, the password reset flow failed to revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. The i...

7.1CVSS5.8AI score0.00181EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/02 4:18 p.m.8 views

CVE-2026-28396

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has be...

7.1CVSS5.8AI score0.00181EPSS
Exploits0References3Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/02/27 9:44 a.m.10 views

Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which are vulnerable to CVEs.

Summary IBM Maximo Application Suite uses "org.apache.cxfcxf-core 3.6.7, io.nettynetty-codec-http 4.1.124.Final , github.com/golang-jwt/jwt/v4 v4.5.0" which are vulnerable to "CVE-2025-48913, CVE-2025-58056, CVE-2024-51744". This bulletin contains information regarding the vulnerabilities and how...

9.8CVSS7AI score0.00793EPSS
Exploits1Affected Software1
Packet Storm
Packet Storm
added 2026/02/27 12:0 a.m.150 views

📄 WordPress RestroPress Online Food Ordering System 3.1.9.2 Disclosure Scanner

WordPress RestroPress Online Food Ordering System plugin version 3.1.9.2 user metadata exposure scanner. ============================================================================================================================================= | Title : WordPress RestroPress Online Food Orderi...

9.8CVSS5.9AI score0.02196EPSS
Exploits6
Positive Technologies
Positive Technologies
added 2026/02/26 12:0 a.m.10 views

PT-2026-22223

Name of the Vulnerable Software and Affected Versions Initiative versions prior to 0.32.4 Description Initiative, a self-hosted project management platform, does not invalidate previously issued JWT access tokens after a user changes their password. This allows older tokens to remain valid until...

8.1CVSS5.9AI score0.00369EPSS
Exploits1References11
GithubExploit
GithubExploit
added 2026/02/24 4:20 p.m.157 views

Secure-auth-api

🔐 Secure Auth API — Built → Broken → Fixed A hands-on securit...

5.9AI score
Exploits0
Rows per page
Query Builder