31985 matches found
CVE-2026-41184
In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the SERVICEACCOUNTTOKEN placeholder Canal/Flannel-Calico deployments, the installer substitutes the live Kubernetes ServiceAccount bearer token before logging,...
CVE-2026-41185 ServiceAccount token disclosure via Azure IPAM CNI plugin logs
When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map stdinData at INFO level to...
EUVD-2026-32933
When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map stdinData at INFO level to...
EUVD-2026-32931
In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the SERVICEACCOUNTTOKEN placeholder Canal/Flannel-Calico deployments, the installer substitutes the live Kubernetes ServiceAccount bearer token before logging,...
CVE-2026-41185
The CVE affects Calico when configured with the Azure IPAM plugin. The Calico CNI mutates the incoming CNI configuration to attach subnet info and then logs the entire unmarshaled config (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD/DEL. In token-based Kubernetes clust...
CVE-2026-35675
CVE-2026-35675 affects phpMyFAQ prior to 4.1.3. An authentication bypass exists in the /api/user/password/update password reset endpoint, allowing unauthenticated attacker to reset any user’s password without token verification or email confirmation. Impact is full account takeover with administr...
CVE-2026-35675 phpMyFAQ - Authentication Bypass via Missing Password Reset Token in /api/user/password/update
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via...
CVE-2026-35675
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via...
EUVD-2026-32901
A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3...
CVE-2026-6226
The CVE-2026-6226 issue affects the WordPress plugin Frontend Admin by DynamiApps (versions ≤ 3.29.2). Affected component is the form submission handling logic, where attacker-controlled form definitions can bypass backend validation when $_POST['_acf_form'] is an array. The validate_form() path ...
CVE-2026-4408
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper...
WordPress Frontend Admin by DynamiApps plugin <= 3.29.2 - Missing Authorization to Authenticated (Subscriber+) Account Takeover vulnerability
Missing Authorization to Authenticated Subscriber+ Account Takeover vulnerability discovered by Tiago Ventura perses in WordPress Plugin Frontend Admin by DynamiApps versions = 3.29.2...
CVE-2026-9798
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...
CVE-2026-7862 Eupago Gateway For Woocommerce < 4.7.2 - Unauthenticated Arbitrary Refund Initiation
The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment...
CVE-2026-9798
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...
CVE-2026-9798 Keycloak: keycloak: brute-force protection bypass in ciba flow
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...
CVE-2026-9798 Keycloak: keycloak: brute-force protection bypass in ciba flow
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...
CVE-2026-9798
Keycloak is affected by a flaw where, after a user account is temporarily locked due to repeated failed logins, an attacker with valid client credentials can abuse the Client-Initiated Backchannel Authentication (CIBA) flow to bypass the lock. This allows continued authentication attempts and tok...
CVE-2026-9798
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...
EUVD-2026-32717
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...