212 matches found

CVE (added 2026/05/15 6:45 p.m., 19 views)

CVE-2026-46407

Vvveb CMS contains an IDOR in the backend/admin/auth-token endpoint. An authenticated administrator can load another admin's REST API token list by supplying that user’s admin_id, leading to disclosure of sensitive tokens. The issue is fixed in version 1.0.8.3. No exploitation details are provide...

CVSS: 8.1, AI score: 5.8, EPSS: 0.00032
Exploits: 0, References: 1
OSV (added 2026/05/14 8:27 p.m., 3 views)

GHSA-CQP4-QQVG-3787 Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the Banner component due to an improper sanitization order specifically, DOMPurify is executed before the marked library. This vulnerability allows a compromised or malicious administrator to plant a malicious payload in the global...

CVSS: 8.1, AI score: 5.8, EPSS: 0.00011
Exploits: 1, References: 4
Github Security Blog (added 2026/05/14 8:15 p.m., 5 views)

Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Summary Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...

CVSS: 5.1, AI score: 5.8, EPSS: 0.00028
Exploits: 0, References: 10, Affected Software: 1
OSV (added 2026/05/14 8:15 p.m., 4 views)

GHSA-3VCP-CHFH-F6R2 Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Summary Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...

CVSS: 5.1, AI score: 5.8, EPSS: 0.00028
Exploits: 0, References: 10
Veracode (added 2026/05/14 4:58 p.m., 8 views)

Unauthenticated Credential Disclosure

github.com/dgraph-io/dgraph is vulnerable to an unauthenticated credential disclosure. The vulnerability is due to the /debug/pprof/cmdline endpoint being accessible without authentication, which exposes the full process command line including the admin token, allowing an attacker to retrieve the...

CVSS: 9.4, AI score: 5.8, EPSS: 0.00084
Exploits: 1, References: 3, Affected Software: 1
RedhatCVE (added 2026/05/13 8:22 p.m., 3 views)

CVE-2026-42300

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated...

CVSS: 9.3, AI score: 5.8, EPSS: 0.00066
Exploits: 0, References: 1
NVD (added 2026/05/12 6:17 p.m., 5 views)

CVE-2026-42300

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated...

CVSS: 9.3, EPSS: 0.00066
Exploits: 0, References: 2
Vulnrichment (added 2026/05/12 5:25 p.m., 5 views)

CVE-2026-42300 DevGuard: Unauthenticated identity assertion via `X-Admin-Token` header

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated...

CVSS: 9.3, AI score: 5.9, EPSS: 0.00066
Exploits: 0, References: 2
CVE (added 2026/05/12 5:25 p.m., 7 views)

CVE-2026-42300

CVE-2026-42300 affects DevGuard’s SessionMiddleware and related components prior to version 1.2.2. The vulnerability arises because a client-supplied header, X-Admin-Token, is accepted and its raw value is used as the authenticated userID when no Kratos session cookie is present. An attacker who...

CVSS: 9.3, AI score: 5.9, EPSS: 0.00066
Exploits: 0, References: 2
Cvelist (added 2026/05/12 5:25 p.m., 29 views)

CVE-2026-42300 DevGuard: Unauthenticated identity assertion via `X-Admin-Token` header

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated...

CVSS: 9.3, EPSS: 0.00066
Exploits: 0, References: 2
GithubExploit (added 2026/05/12 4:03 p.m., 50 views)

Exploit for CVE-2026-29000

🚀 CVE-2026-29000 - pac4j-jwt Authentication Bypass Exploit !...

CVSS: 9.3, AI score: 6, EPSS: 0.00039
Exploits: 17
CNNVD (added 2026/05/12 12:00 a.m., 6 views)

devguard security vulnerability

Devguard is a software supply chain vulnerability management platform developed by L3montree. Versions prior to 1.2.2 of Devguard contained security vulnerabilities. These vulnerabilities stemmed from SessionMiddleware accepting the X-Admin-Token HTTP request header provided by clients. When no...

CVSS: 9.3, AI score: 5.8, EPSS: 0.00066
Exploits: 0, References: 2
CVE (added 2026/05/11 6:12 p.m., 10 views)

CVE-2026-45223

Crabbox prior to 0.9.0 contains an authentication bypass in the coordinator’s user-token verification path. The verifyUserToken() function fails to reject payloads with an admin: true claim, enabling an attacker with access to a non-admin token to craft a user-token payload, sign it with HMAC-SHA...

CVSS: 8.8, AI score: 5.8, EPSS: 0.00106
Exploits: 0, References: 4
NVD (added 2026/05/08 8:16 p.m., 10 views)

CVE-2026-42176

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address...

CVSS: 6.7, EPSS: 0.0005
Exploits: 0, References: 2
ATTACKERKB (added 2026/05/08 7:16 p.m., 5 views)

CVE-2026-42176

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address...

CVSS: 6.7, AI score: 5.7, EPSS: 0.0005
Exploits: 0, References: 3, Affected Software: 1
Positive Technologies (added 2026/05/08 12:00 a.m., 7 views)

PT-2026-39187

Name of the Vulnerable Software and Affected Versions: Scoold versions prior to 1.67.0. Description: Scoold allows the modification of the admins configuration value via the "/api/config/set/admins" endpoint using a forged Bearer token that is accepted as an admin API token. This action writes a...

CVSS: 6.7, AI score: 5.8, EPSS: 0.0005
Exploits: 0, References: 5
Packet Storm (added 2026/05/08 12:00 a.m., 40 views)

📄 ThingsBoard IoT Platform 4.2.0 Server-Side Request Forgery

ThingsBoard IoT Platform version 4.2.0 suffers from a server-side request forgery vulnerability. Exploit Title: ThingsBoard IoT Platform 4.2.0 - Server-Side Request Forgery SSRF Date: 2026-03-25 Exploit Author: Tamil Mathi T. Vendor Homepage: https://thingsboard.io Software Link:...

CVSS: 9.1, AI score: 5.8, EPSS: 0.01542
Exploits: 2
Exploit DB (added 2026/05/07 12:00 a.m., 54 views)

ThingsBoard IoT Platform 4.2.0 - Server-Side Request Forgery (SSRF)

Exploit Title: ThingsBoard IoT Platform 4.2.0 - Server-Side Request Forgery SSRF Date: 2026-03-25 Exploit Author: Tamil Mathi T. Vendor Homepage: https://thingsboard.io Software Link: https://github.com/thingsboard/thingsboard Version: . When ThingsBoard processes the uploaded SVG server-side, it...

CVSS: 9.1, AI score: 5.8, EPSS: 0.01542
Exploits: 2
Snyk (added 2026/05/05 8:58 p.m., 3 views)

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the SessionMiddleware process when the X-Admin-Token HTTP header is accepted from the client and its raw value is used as the authenticated user ID if no Kratos session cookie ...

CVSS: 9.8, AI score: 5.8, EPSS: 0.00066
Exploits: 0, References: 2
Snyk (added 2026/05/05 8:58 p.m., 6 views)

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the SessionMiddleware process when the X-Admin-Token HTTP header is accepted from the client and its raw value is used as the authenticated user ID if no Kratos session cookie ...

CVSS: 9.8, AI score: 5.8, EPSS: 0.00066
Exploits: 0, References: 2