Lucene search

6510 matches found

Vulnrichment
added 2025/10/09 9:24 p.m. | views: 1

CVE-2025-61928 Better Auth: Unauthenticated API key creation through api-key plugin

Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the api/auth/api-key/create route. session?.user ?? authRequired ? null : i...

CVSS 9.3 | AI score 6.8 | EPSS 0.00204
Exploits: 0 | References: 2

CVE
added 2025/10/09 9:24 p.m. | views: 43

CVE-2025-61928

CVE-2025-61928 affects Better Auth (TypeScript) prior to version 1.3.26. The vulnerability allows unauthenticated attackers to create or modify API keys for any user by supplying the target user’s id in the request body to api/auth/api-key/create (and similarly in the update endpoint). The issue ...

CVSS 9.3 | AI score 6.8 | EPSS 0.00204
Exploits: 0 | References: 2

OSV
added 2025/10/09 9:24 p.m. | views: 3

CVE-2025-61928 Better Auth: Unauthenticated API key creation through api-key plugin

Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the api/auth/api-key/create route. session?.user ?? authRequired ? null : i...

CVSS 9.3 | AI score 7.1 | EPSS 0.00204
Exploits: 0 | References: 4

OSV
added 2025/10/09 9:15 p.m. | views: 1

DEBIAN-CVE-2025-61783

Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service doe...

CVSS 6.3 | AI score 5.3 | EPSS 0.00081
Exploits: 0 | References: 1

NVD
added 2025/10/09 9:15 p.m. | views: 1

CVE-2025-61783

Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service doe...

CVSS 6.3 | EPSS 0.00081
Exploits: 0 | References: 6

OSV
added 2025/10/09 9:15 p.m. | views: 1

UBUNTU-CVE-2025-61783

Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service doe...

CVSS 6.3 | AI score 5.8 | EPSS 0.00081
Exploits: 0 | References: 9

Debian CVE
added 2025/10/09 8:57 p.m. | views: 6

CVE-2025-61783

Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service doe...

CVSS 6.3 | AI score 5.3 | EPSS 0.00081
Exploits: 0

OSV
added 2025/10/09 8:57 p.m. | views: 6

CVE-2025-61783 Python Social Auth - Django has unsafe account association

Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service doe...

CVSS 6.3 | AI score 6.6 | EPSS 0.00081
Exploits: 0 | References: 8

Cvelist
added 2025/10/09 8:57 p.m. | views: 14

CVE-2025-61783 Python Social Auth - Django has unsafe account association

Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service doe...

CVSS 6.3 | EPSS 0.00081
Exploits: 0 | References: 6

Vulnrichment
added 2025/10/09 8:57 p.m. | views: 2

CVE-2025-61783 Python Social Auth - Django has unsafe account association

Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service doe...

CVSS 6.3 | AI score 6.5 | EPSS 0.00081
Exploits: 0 | References: 6

EUVD
added 2025/10/09 8:57 p.m. | views: 15

EUVD-2025-33405

Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service doe...

CVSS 6.3 | AI score 6.4 | EPSS 0.00081
Exploits: 0 | References: 7

CVE
added 2025/10/09 8:57 p.m. | views: 21

CVE-2025-61783

CVE-2025-61783 affects Python Social Auth (specifically the Django integration, python-social-auth/social-app-django). In versions prior to 5.6.0, during authentication a user could be associated by email even if the register/authorization pipeline did not include the associate_by_email step, ena...

CVSS 6.3 | AI score 6.5 | EPSS 0.00081
Exploits: 0 | References: 6

CVE
added 2025/10/09 8:21 p.m. | views: 10

CVE-2025-35058

Newforma Info Exchange (NIX) contains a vulnerable endpoint /UserWeb/Common/MarkupServices.ashx that can be triggered by a remote, unauthenticated attacker to force NIX to establish an SMB connection to an attacker‑controlled system, enabling the attacker to capture the NTLMv2 hash of the configu...

CVSS 8.2 | AI score 6.6 | EPSS 0.00051
Exploits: 0 | References: 2 | Affected Software: 1

Vulnrichment
added 2025/10/09 8:20 p.m. | views: 2

CVE-2025-35052 Newforma Info Exchange (NIX) shared hard-coded secret key

Newforma Info Exchange NIX uses a hard-coded key to encrypt certain query parameters. Some encrypted parameter values can specify paths to download files, potentially bypassing authentication and authorization, for example, the 'qs' parameter used in '/DownloadWeb/download.aspx'. This key is shar...

CVSS 6.3 | AI score 6.7 | EPSS 0.00048
Exploits: 0 | References: 2

GitHub Security Blog
added 2025/10/09 5:8 p.m. | views: 10

Python Social Auth - Django has unsafe account association

Impact: Upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Patche...

CVSS 6.3 | AI score 7 | EPSS 0.00081
Exploits: 0 | References: 8 | Affected Software: 1

vulnersOsv
added 2025/10/09 5:8 p.m. | views: 1

argus-notification-msteams (=0.5.1), argus-server (>=1.0.0 <=1.22.1) +113 more potentially affected by CVE-2025-61783 via social-auth-app-django (>=0.1.0 <=5.4.3)

social-auth-app-django PYPI version =0.1.0, =1.0.0, =1.0.0, =4.14.0, =0.15.0, =0.3.23, =0.8.7, =0.0.2a17, =1.0.0, =2.1.0, =1.0.1, =1.0.0, =1.0.8 and more Source cves: CVE-2025-61783 Source advisory: OSV:GHSA-WV4W-6QV2-QQFG...

CVSS 6.3 | AI score 5.8 | EPSS 0.00081
Exploits: 0

vulnersOsv
added 2025/10/09 5:8 p.m. | views: 2

argus-notification-msteams (=0.5.1), argus-server (>=1.0.0 <=1.22.1) +97 more potentially affected by CVE-2025-61783 via social-auth-app-django (>=5.0.0 <=5.4.3)

social-auth-app-django PYPI version =5.0.0, =1.0.0, =1.0.0, =4.14.0, =0.4.3, =0.8.7, =0.0.2a17, =1.0.0, =1.0.0, =1.2.0, =4.8.0, =0.0.2, =1.0.0, =1.1.0 and more Source cves: CVE-2025-61783 Source advisory: SNYK:PYTHON-SOCIALAUTHAPPDJANGO-13512562...

CVSS 6.3 | AI score 5.8 | EPSS 0.00081
Exploits: 0

vulnersOsv
added 2025/10/09 3:40 p.m. | views: 5

@better-auth/cli (>=0.0.1 <=1.3.25), @bgord/bun (>=0.18.0 <=0.29.10) +21 more potentially affected by CVE-2025-61928 via better-auth (>=0.4.10-beta.10 <=1.3.25)

better-auth NPM version =0.4.10-beta.10, =0.0.1, =0.18.0, =0.5.11, =0.0.0, =0.1.174, =1.0.2, =1.0.5, =1.0.0, =0.0.5, =0.0.5, =1.1.368, =1.2.13, =1.2.106 and more Source cves: CVE-2025-61928 Source advisory: OSV:GHSA-99H5-PJCV-GR6V...

CVSS 9.3 | AI score 7.5 | EPSS 0.00204
Exploits: 0

EUVD
added 2025/10/09 3:40 p.m. | views: 4

EUVD-2025-33358

Better Auth: Unauthenticated API key creation through api-key plugin...

AI score 6.4
Exploits: 0 | References: 3

vulnersOsv
added 2025/10/09 3:40 p.m. | views: 5

@better-auth/cli (>=1.2.0 <=1.3.25), @bgord/bun (>=0.18.0 <=0.29.10) +17 more potentially affected by CVE-2025-61928 via better-auth (>=1.2.0-beta.18 <=1.3.25)

better-auth NPM version =1.2.0-beta.18, =1.2.0, =0.18.0, =0.5.11, =0.0.0, =0.1.174, =1.0.2, =1.0.5, =1.0.0, =0.0.5, =1.2.13, =3.7.1, =1.0.12, =1.1.0 and more Source cves: CVE-2025-61928 Source advisory: SNYK:JS-BETTERAUTH-13537497...

CVSS 9.3 | AI score 7.5 | EPSS 0.00204
Exploits: 0