Lucene search
K

160 matches found

NVD
NVD
added 2026/06/23 7:17 p.m.5 views

CVE-2026-55736

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant t...

5.9CVSS0.00152EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/23 6:21 p.m.6 views

CVE-2026-55736

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant t...

5.9CVSS5.8AI score0.00152EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2026/06/23 6:21 p.m.8 views

EUVD-2026-38570

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant t...

5.9CVSS5.8AI score0.00152EPSS
Exploits0References4
CVE
CVE
added 2026/06/23 6:21 p.m.8 views

CVE-2026-55736

CVE-2026-55736 (Ash project) : A logic flaw in Ash allows end-user input to set private action arguments intended to be server-controlled. In non-atomic paths, private arguments are stripped only when the parameter key is an atom; if the key is a string, the private argument remains controllable ...

5.9CVSS5.8AI score0.00152EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.8 views

PT-2026-51581

Name of the Vulnerable Software and Affected Versions ash-project ash versions 3.0.0 through 3.29.2 Description An issue exists where users can set the value of a private action argument intended to be controlled exclusively by trusted server-side code. Action arguments declared with public?: fal...

5.9CVSS5.7AI score0.00152EPSS
Exploits0References7
NVD
NVD
added 2026/06/15 12:16 p.m.8 views

CVE-2026-49757

Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address an upsert on the email field, or a user-defined sign-in...

9.2CVSS0.00563EPSS
Exploits1References5
EUVD
EUVD
added 2026/06/15 10:7 a.m.11 views

EUVD-2026-36714

Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address an upsert on the email field, or a user-defined sign-in...

9.2CVSS5.4AI score0.00563EPSS
Exploits1References5
CVE
CVE
added 2026/06/15 10:7 a.m.37 views

CVE-2026-49757

AshAuthentication (versions before 4.14.0 and before 5.0.0-rc.10) is vulnerable to an authentication bypass where OAuth2/OIDC sign-in matches local users by email rather than the issuer/sub identity. An attacker able to provide a victim’s email to an OAuth provider could be signed in to the victi...

9.2CVSS5.4AI score0.00563EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.10 views

PT-2026-49202

Name of the Vulnerable Software and Affected Versions ash authentication versions 0.1.0 through 4.13.x ash authentication versions 5.0.0-rc.0 through 5.0.0-rc.9 Description An authentication bypass by spoofing allows account takeover of local users during OAuth2 or OIDC sign-in. The issue occurs...

9.2CVSS5.3AI score0.00563EPSS
Exploits1References10
RedhatCVE
RedhatCVE
added 2026/04/03 11:1 p.m.3 views

CVE-2026-34593

Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the...

8.2CVSS5.8AI score0.00423EPSS
Exploits1References1
NVD
NVD
added 2026/04/02 6:16 p.m.4 views

CVE-2026-34593

Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the...

8.2CVSS0.00423EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/02 5:42 p.m.5 views

CVE-2026-34593

Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the...

8.2CVSS5.8AI score0.00423EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/04/02 5:42 p.m.17 views

CVE-2026-34593 Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash

Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the...

8.2CVSS0.00423EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/02 5:42 p.m.2 views

CVE-2026-34593 Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash

Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the...

8.2CVSS5.8AI score0.00423EPSS
Exploits1References2
CVE
CVE
added 2026/04/02 5:42 p.m.11 views

CVE-2026-34593

This CVE affects Ash Framework (Elixir) where Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for inputs starting with "Elixir." before module existence is verified. The atom creation can exhaust BEAM’s atom table (default ~1,048,576 entries) and ...

8.2CVSS5.8AI score0.00423EPSS
Exploits1References2Affected Software1
CNNVD
CNNVD
added 2026/04/02 12:0 a.m.8 views

Ash Framework 资源管理错误漏洞

Ash Framework is an open-source framework used for building Elixir applications. Versions of Ash Framework prior to 3.22.0 contained a resource management vulnerability. This vulnerability stems from Ash.Type.Module.castinput/2, which “Elixir.”, thereby creating new Erlang atoms. This could lead ...

8.2CVSS5.8AI score0.00423EPSS
Exploits1References2
OSV
OSV
added 2026/04/01 12:14 a.m.5 views

GHSA-JJF9-W5VJ-R6VP Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash

Summary Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has ...

8.2CVSS6AI score0.00423EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2025/10/20 9:27 p.m.13 views

CVE-2025-48044

Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/[email protected] before pkg:hex/[email protected]...

8.6CVSS7AI score0.0081EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/17 6:3 p.m.3 views

EUVD-2025-34884

Ash has authorization bypass when bypass policy condition evaluates to true...

8.6CVSS6.5AI score0.0081EPSS
Exploits0References3
OSV
OSV
added 2025/10/17 6:3 p.m.6 views

GHSA-PCXQ-FJP3-R752 Ash has authorization bypass when bypass policy condition evaluates to true

Summary Bypass policies incorrectly authorize requests when their condition evaluates to true but their authorization checks fail and no other policies apply. Impact Resources with bypass policies can be accessed without proper authorization when: - Bypass condition evaluates to true - Bypass...

8.6CVSS7.3AI score0.0081EPSS
Exploits0References6
Rows per page
Query Builder