Lucene search
K

35 matches found

Cvelist
Cvelist
added last week32 views

CVE-2026-56284 Capgo - Unauthenticated Metrics Disclosure via get_total_metrics RPC

Capgo Cap-go/capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC function public.gettotalmetricsorgid, which is callable by the anon role using only the public sbpublishable key. An unauthenticated attacker can probe organization existence and leak...

6.9CVSS0.00214EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/07/06 9:11 p.m.6 views

Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Summary AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References9Affected Software1
OSV
OSV
added 2026/07/06 9:11 p.m.4 views

GHSA-WQXV-W64V-5WH6 Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Summary AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.12 views

PT-2026-56079

Name of the Vulnerable Software and Affected Versions Coder versions 2.30.0 through 2.32.6 Coder versions 2.33.0 through 2.33.7 Coder versions 2.34.0 through 2.34.1 Description AI Bridge proxy endpoints authenticate via the Server.IsAuthorized function in coderd/aibridgedserver. This process...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References16
ATTACKERKB
ATTACKERKB
added 2026/06/22 9:4 p.m.7 views

CVE-2026-56311

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.getcurrentplanmaxorg RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase...

6.9CVSS6AI score0.00265EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/22 9:4 p.m.22 views

CVE-2026-56311 Capgo - Unauthenticated Cross-Tenant Disclosure via get_current_plan_max_org RPC

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.getcurrentplanmaxorg RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase...

6.9CVSS0.00265EPSS
Exploits0References2
OSV
OSV
added 2026/06/22 9:4 p.m.3 views

CVE-2026-56311 Capgo - Unauthenticated Cross-Tenant Disclosure via get_current_plan_max_org RPC

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.getcurrentplanmaxorg RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase...

6.9CVSS5.9AI score0.00265EPSS
Exploits0References4
OSV
OSV
added 2026/06/20 3:24 p.m.4 views

CVE-2026-56235 Capgo - Unauthenticated Cross-Tenant Metrics Disclosure via RPC Functions

Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions getappmetrics, getglobalmetrics, gettotalmetrics that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public...

6.9CVSS5.9AI score0.00274EPSS
Exploits0References4
CVE
CVE
added 2026/06/05 5:49 p.m.20 views

CVE-2025-71318

CVE-2025-71318 concerns NetMan 204, where authentication is not enforced on administrative pages and command endpoints. A remote, unauthenticated attacker can directly access pages (e.g., administration.html, administration-commands.html, configuration.html) to disclose sensitive details such as ...

9.8CVSS5.5AI score0.00533EPSS
Exploits0References3
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: crypto: API – Use a work queue in cryptoDestroyInstance. The function cryptoDropSpawn is expected to be called from the process context. However, when an instance is not registered while it still has active users, the last user m...

5.7AI score0.00179EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/04/21 12:0 a.m.5 views

Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-010848)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-010848 advisory. In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in cryptodestroyinstance The function cryptodropspawn expects to be...

5.8AI score0.00179EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2025/12/10 12:36 a.m.5 views

SUSE CVE-2023-53799

In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in cryptodestroyinstance The function cryptodropspawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the...

5.5CVSS6.4AI score0.00179EPSS
Exploits0References17
UbuntuCve
UbuntuCve
added 2025/12/09 1:16 a.m.7 views

CVE-2023-53799

In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in cryptodestroyinstance The function cryptodropspawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the...

5.8AI score0.00179EPSS
Exploits0References8
CVE
CVE
added 2025/12/09 12:0 a.m.28 views

CVE-2023-53799

CVE-2023-53799 affects the Linux kernel crypto subsystem where crypto_destroy_instance could free an instance in atomic context if the last user unregisters while active. Root cause: crypto_drop_spawn may be invoked outside process context, risking atomic-context frees. Fix: defer the freeing to ...

6AI score0.00179EPSS
Exploits0References6
Debian CVE
Debian CVE
added 2025/12/09 12:0 a.m.4 views

CVE-2023-53799

In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in cryptodestroyinstance The function cryptodropspawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the...

5.3AI score0.00179EPSS
Exploits0
The Hacker News
The Hacker News
added 2025/10/20 10:47 a.m.12 views

131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign

Cybersecurity researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale. The 131 spamware extensions share the same codebase, design patterns, and infrastructure, according to...

6.8AI score
Exploits0
OSV
OSV
added 2025/09/24 4:42 p.m.6 views

USN-7772-1 python-eventlet vulnerability

It was discovered that Eventlet incorrectly handled certain requests. An attacker could possibly use this issue to bypass front-end security controls, launch targeted attacks against active site users, and poison web caches...

9.1CVSS5.9AI score0.00363EPSS
Exploits0References3
NVD
NVD
added 2025/06/12 3:15 p.m.8 views

CVE-2025-49198

The Media Server’s authorization tokens have a poor quality of randomness. An attacker may be able to guess the token of an active user by computing plausible tokens...

7.5CVSS0.00318EPSS
Exploits0References6
OSV
OSV
added 2024/05/14 4:16 p.m.6 views

CVE-2024-27942

A vulnerability has been identified in RUGGEDCOM CROSSBOW All versions V5.5. The affected systems allow any unauthenticated client to disconnect any active user from the server. An attacker could use this vulnerability to prevent any user to perform actions in the system, causing a denial of...

7.5CVSS5.7AI score0.00687EPSS
Exploits0References1
CNNVD
CNNVD
added 2024/05/14 12:0 a.m.4 views

Siemens RUGGEDCOM CROSSBOW 访问控制错误漏洞

Siemens RUGGEDCOM CROSSBOW is a proven secure access management solution from Siemens, Germany. A security vulnerability exists in Siemens RUGGEDCOM CROSSBOW due to an affected system allowing any unauthenticated client to disconnect any active user from the server. An attacker could exploit this...

7.5CVSS6.7AI score0.00687EPSS
Exploits0References3
Rows per page
Query Builder