17 matches found
Missing Authorization
Overview: Affected versions of this package are vulnerable to Missing Authorization via the nnef-callback route group, which lacks inbound authentication and authorization checks. An attacker can access sensitive business logic and potentially manipulate subscription state by submitting forged...
CVE-2026-34953
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validatetoken returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access t...
CVE-2026-30945
CVE-2026-30945: StudioCMS prior to 0.4.0 exposes an authorization flaw in DELETE /studiocms_api/dashboard/api-tokens. Any authenticated user with editor privileges or above can revoke API tokens for any user (including admin/owner) because tokenID and userID are taken directly from the request w...
PT-2026-7236
Name of the Vulnerable Software and Affected Versions: Agentflow (affected versions not specified). Description: Agentflow, developed by Flowring, exhibits an authentication bypass condition. Unauthenticated remote attackers can exploit a specific functionality to obtain arbitrary user...
CVE-2024-32644
Summary: CVE-2024-32644 affects Evmos pre-17.0.0. A state synchronization bug in stateDB.Commit() compares dirtyStorage to originStorage and only writes when they differ, which can allow non-atomic transactions and potentially mint arbitrary tokens or drain funds through creative smart-contract i...
CVE-2024-32644 Evmos' transaction execution not accounting for all state transition after interaction with precompiles
Evmos is a scalable, high-throughput Proof-of-Stake EVM blockchain that is fully compatible and interoperable with Ethereum. Prior to 17.0.0, there is a way to mint arbitrary tokens due to the possibility to have two different states not in sync during the execution of a transaction. The exploit ...
The vulnerability of the JWT Secret Handler component in the software for remote management of mobile devices by Headwind MDM allows a perpetrator to gain access to user data.
The vulnerability of the JWT SecretHandler component in the software for remote management of mobile devices by Headwind MDM is related to the use of hard-coded credentials. Exploiting this vulnerability could allow a malicious actor to gain access to these credentials and create arbitrary...
State Manipulation Attack
github.com/evmos/evmos is vulnerable to state manipulation attacks. The vulnerability is due to an inconsistency between the originStorage and dirtyStorage states during transaction execution, which allows for the potential minting of arbitrary tokens...
Permit does not revert for tokens that do not implement it.
Vulnerability details / Impact: Callers should not rely on permit to revert for arbitrary tokens, especially if permit is used as a security check. Tokens that do not revert on permit either do not implement it or have a non-reverting fallback function. Most notable among them is WETH...
Improper Access Control
github.com/justinas/nosurf is vulnerable to Improper Access Control. The vulnerability exists in the verification of token functions in token.go due to improper input validation which allows an attacker to provide arbitrary tokens which are marked as valid...
AssetLogic's _swapAssetOut can fail on the one step approval
Vulnerability details: swapAssetOut performs a one-step approval for an arbitrary assetIn before calling the pool's swapExactOut. Because ERC20 tokens that guard against the approval race condition prohibit setting the allowance to a new positive value while it is already positive, this call will fail if...
Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom
Handle: 0xRajeev. Vulnerability details / Impact: It is good to add a require statement that checks the return value of token transfers, or to use something like OpenZeppelin's safeTransfer/safeTransferFrom, unless one is sure the given token reverts in case of a failure. Failure to do so will cause...
CryptoBotsBattle Integer Overflow Vulnerability
CryptoBotsBattle CBTB is an Ether-based digital currency. An integer overflow vulnerability exists in the 'batchTransfer' function in CBTB's smart contract implementation. An attacker could exploit the vulnerability to create an arbitrary number of tokens for any user...
Integer overflow
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle CBTB, an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user...
CVE-2018-17882
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle CBTB, an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user...
DSA-3293-1 pyjwt - security update
Bulletin has no description...
Design/Logic Flaw
The GoogleAuthUtil.getToken method in the Google Play services SDK before 2015 sets parameters in OAuth token requests upon finding a corresponding opt parameter in the Bundle extras argument, which allows attackers to bypass an intended consent dialog and retrieve tokens for arbitrary OAuth scop...