CVE-2026-44329 free5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and...
PT-2026-42379
free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers in github.com/free5gc/smf...
EUVD-2026-28862
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT temptoken for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow...
CVE-2025-15598
CVE-2025-15598 affects Dataease SQLBot up to 1.5.1. The flaw is in JWT Token Handler’s validateEmbedded (backend/apps/system/middleware/auth.py); manipulation leads to improper cryptographic signature verification. It can be triggered remotely with high attack complexity; an exploit has been publ...
Duplicate Advisory: Nest has a Fastify URL Encoding Middleware Bypass
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r4wm-x892-vjmx. This link is maintained to preserve external references. Original Description A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when...
CVE-2025-54305
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares included in this application, LocalhostAuthMiddleware, authenticates users as ionadmin if the REMOTEADDR property in request.META is set to 127.0.0.1, to 127.0.1.1, or to ::1. Any user wit...
EUVD-2025-116378
Malicious code in auth-middleware-phoebe-bootstrap npm...
Malicious code in auth-middleware-phoebe-bootstrap (npm)
Source: amazon-inspector 5e3e51978571ca4dfff349d756ffbe01b1a5025c948ec27206dac4551be7b695. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
PT-2025-41335
Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 5.18.0 Description A security flaw exists in ChurchCRM impacting the AuthMiddleware function within the src/ChurchCRM/Slim/Middleware/AuthMiddleware.php file of the API Endpoint component. This allows for missing...
CVE-2024-47178
A flaw was found in the basic-auth-connect package. Affected versions use a timing-unsafe equality comparison that can potentially leak timing information. Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security...
MAL-2022-4487 Malicious code in mason-auth-middleware (npm)
Source: ghsa-malware 7a7e13ffcc348e9c23720985748eb11d9c351ea990d48320c82ea6beac425536. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
UBUNTU-CVE-2021-38562
Best Practical Request Tracker RT 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm...